Common use of Data Privacy and Cybersecurity Clause in Contracts

Data Privacy and Cybersecurity. (a) (i) The Company and its Subsidiaries are and, since the Lookback Date, have been in material compliance with all applicable Privacy Laws, applicable binding industry standards (including PCI DSS) and the Company’s and its Subsidiaries’ publicly posted privacy policies and material contractual commitments relating to the Processing of Personal Information (collectively, together with such Privacy Laws, “Privacy Requirements”); and (ii) the Company and its Subsidiaries have posted a privacy policy for each online site and mobile application operated by or controlled by the Company or any such Subsidiary, in each case, that complies with all applicable Privacy Laws and accurately reflects their practices concerning the Processing of Personal Information in all material respects. (b) As of the date hereof and since the Lookback Date, there have been no claims, whether from a Governmental Authority or any other Person, received by, nor Proceedings or investigations pending or, to the Knowledge of the Company, threatened by any Governmental Authority or any other Person against, the Company or its Subsidiaries, in each case, with respect to the Processing of Personal Information (other than individual data subject requests received in the ordinary course of business) that is material to the Company and its Subsidiaries, taken as a whole. (c) The Company and its Subsidiaries since the Lookback Date, have (i) taken commercially reasonable measures to protect the integrity, physical and electronic security and continuous operation of the IT Assets owned or Controlled by the Company and its Subsidiaries and to protect the data (including Personal Information and Trade Secrets) stored thereon or Processed thereby against unauthorized access, theft, disclosure, misuse or loss (including implementing and maintaining organizational, physical and technical measures materially compliant with all applicable Privacy Requirements) and (ii) implemented and maintained commercially reasonable disaster recovery plans, procedures, backup equipment and facilities of a scope consistent with customary industry practice and materially compliant with all applicable Privacy Requirements, except as would not reasonably be expected, individually or in the aggregate, to be material to the Company or its Subsidiaries. (i) The IT Assets (A) are in good working order and condition and are sufficient for the operation of the business of the Company and its Subsidiaries as currently conducted, (B) are free of any “back door,” “time bomb,” “Trojan horse,” “worm,” “drop dead device,” “virus” or other software routines or hardware components that permit unauthorized access, disablement or erasure or otherwise adversely affect the functionality of the IT Assets and (C) have since the Lookback Date, not materially malfunctioned or failed, (ii) there has since the Lookback Date, been no misuse, intrusion or breach of the IT Assets or any loss, theft, or unauthorized or unlawful corruption, access to or Processing, or the rendering unavailable or inaccessible (including through a ransomware attack) of data (including Personal Information or Trade Secrets) Processed by or on behalf of the Company or its Subsidiaries (collectively, “Security Incidents”), (iii) since the Lookback Date, the Company and its Subsidiaries have addressed all “critical”, “high” and any other material risks, threats and deficiencies identified in any cybersecurity or information security risk audit or penetration testing carried out by or on behalf of the Company or its Subsidiaries and (iv) no disclosure of any Security Incidents since the Lookback Date, has been or was legally required to have been made by the Company or its Subsidiaries under any applicable Privacy Requirements to any Person, except in the case of (i), (ii), (iii) and (iv) as would not reasonably be expected, individually or in the aggregate, to be material to the Company or its Subsidiaries.

Data Privacy and Cybersecurity. (a) (i) The Company Corporation and its Subsidiaries are andare, since the Lookback Date, and have been at all applicable times, in compliance in all material compliance respects with all Corporation Privacy Commitments, Corporation Data Agreements and applicable Privacy Laws, . Corporation and its Subsidiaries have at all applicable binding industry standards times: (A) had the legal basis (including PCI DSSwhere applicable providing adequate notice and obtaining any necessary consents from individuals) and the Company’s and its Subsidiaries’ publicly posted privacy policies and material contractual commitments relating to required for the Processing of Personal Information Data as conducted by or for Corporation or its Subsidiaries, and (B) abided by any privacy choices (including opt-out preferences) of individuals relating to Personal Data (such obligations along with those contained in Corporation Privacy Policies, collectively, together with such “Corporation Privacy Laws, “Privacy RequirementsCommitments”); and (ii) the Company and its Subsidiaries have posted a privacy policy for each online site and mobile application operated by or controlled by the Company or any such Subsidiary, in each case, that complies with all applicable Privacy Laws and accurately reflects their practices concerning the Processing of Personal Information in all material respects. (b) As Copies of all current and prior Corporation Privacy Policies have been made available to Purchaser and such copies are true, correct and complete. (c) Corporation and its Subsidiaries have provided materially accurate and complete disclosures with respect to their privacy and data practices in applicable Corporation Privacy Policies in material compliance with Privacy Laws, as applicable. Such disclosures have not contained any material omissions under any applicable Privacy Laws. (d) Neither Corporation nor its Subsidiaries have received or experienced, and to the knowledge of Corporation or any of its Subsidiaries, there is no circumstance (including any circumstance arising as a result of an audit or inspection carried out by any Governmental Entity) that would reasonably be expected to give rise to, any material legal proceeding, order, notice, communication, warrant, regulatory opinion, audit result or allegation from a Governmental Entity, Government Official, or any other Person (including an end user): (A) alleging or confirming non-compliance with a relevant requirement of Privacy Laws or Corporation Privacy Commitments, (B) requiring or requesting Corporation amend, rectify, cease Processing, de-combine, permanently anonymize, block or delete any Corporation Data, (C) permitting or mandating relevant Governmental Entities to investigate, requisition information from, or enter the premises of, Corporation or (D) claiming compensation from Corporation. Corporation has not been involved in any Legal Proceedings involving non-compliance or alleged non-compliance with Privacy Laws or Corporation Privacy Commitments. (e) Corporation and its Subsidiaries have implemented and maintain commercially appropriate organizational, physical, administrative and technical measures that in all material respects complies with (i) Privacy Laws, (ii) Corporation Data Agreements, (iii) Corporation Privacy Commitments, and (iv) all written policies adopted by Corporation and its Subsidiaries, that are designed to protect the integrity, security and operations of the date hereof information technology systems, transactions executed thereby, Corporation Data, including by protecting against loss, accidental or unlawful Processing, destruction, damage, unauthorized or unlawful access or use, modification, disclosure or other misuse of Personal Data owned or controlled by Corporation or its Subsidiaries. Corporation and since its Subsidiaries have implemented commercially reasonable policies and procedures materially satisfying the Lookback requirements of Privacy Laws and applicable industry standards designed to detect and respond to unauthorized access or unauthorized use of Personal Data. Corporation and its Subsidiaries have taken commercially reasonable steps to (1) ensure the reliability of its employees and contractors who have access to Corporation Data, (2) to train such employees on all applicable aspects of Privacy Laws, Corporation Privacy Commitments and obligations under Corporation Data Agreements, and (3) to ensure that all employees with the authority and/or ability to access such data are under written obligations of confidentiality with respect to such data and have committed their respective data processors that Process Personal Data to fulfill the foregoing obligations in (1)-(3) of this paragraph. (f) The execution, delivery and performance of this Agreement, the taking over by Purchaser of all of the Corporation Databases, Corporation Data and other information relating to Corporation and its Subsidiaries’ end users, employees, vendors or clients or any other category of individuals will not cause, constitute, or result in a breach or violation of any Privacy Laws, Corporation Privacy Commitments, Corporation Data Agreements or standard terms of service entered into by Corporation with individuals the Personal Data of whom is Processed by Corporation and its respective data processors. (g) After the Effective Date, Purchaser will continue to have the right to use Personal Information on substantially the same terms and conditions as Corporation and its Subsidiaries enjoyed immediately prior to the Effective Date, and will not cause, constitute, or result in a breach or violation of any Privacy Laws, Corporation Privacy Commitments, Corporation Data Agreements or standard terms of service entered into by Corporation with individuals the Personal Data of whom is Processed by Corporation and its respective data processors. (h) To the knowledge of the Corporation and its Subsidiaries, there has been no loss, damage, security incident, violation of any data security policy, breach, or unauthorized access, disclosure, transfer or use of any Personal Data, or Unsecured Protected Health Information (as such terms are defined at 45 C.F.R. § 164.402), Corporation Databases, confidential information, trade secret, or otherwise protected business information (including in the possession, custody, or control of Corporation or any of its Subsidiaries), or, to the knowledge of Corporation, maintained or Processed on any of their behalf, and there has been no unauthorized Processing of the foregoing. With respect to the ICT Infrastructure, there have been no claimsmaterial outages, whether from a Governmental Authority breaches, security incidences, (including but not limited to malware, ransomware, virus, compromise of credentials, denial-of-service attack), or unauthorized intrusions of any kind, and none of the foregoing has been threatened. There are no bugs, defects, backdoors, or malicious code in, any software, information technology assets, product, or service owned, sold or licensed by Corporation or any other Person, received by, nor Proceedings or investigations pending or, to the Knowledge of the Company, threatened by any Governmental Authority or any other Person against, the Company or its Subsidiaries, in each case, with respect to . To the Processing knowledge of Personal Information (other than individual data subject requests received in the ordinary course of business) that is material to the Company Corporation and its Subsidiaries, taken as a whole. no circumstance has arisen in which: (cA) The Company and applicable Laws (including Privacy Laws) would require Corporation or its Subsidiaries since the Lookback Date, have to notify a Governmental Entity or Government Official of a data security breach or security incident; or (iB) taken commercially reasonable measures to protect the integrity, physical and electronic security and continuous operation of the IT Assets owned applicable guidance or Controlled by the Company and its Subsidiaries and to protect the data codes or practice promulgated under applicable Laws (including Personal Information and Trade SecretsPrivacy Laws) stored thereon would recommend Corporation to notify a Governmental Entity or Processed thereby against unauthorized access, theft, disclosure, misuse or loss (including implementing and maintaining organizational, physical and technical measures materially compliant with all applicable Privacy Requirements) and (ii) implemented and maintained commercially reasonable disaster recovery plans, procedures, backup equipment and facilities Government Official of a scope consistent with customary industry practice and materially compliant with all applicable Privacy Requirements, except as would not reasonably be expected, individually data security breach or in the aggregate, to be material to the Company or its Subsidiariessecurity incident. (i) The IT Assets (ASection 30(j) are in good working order and condition and are sufficient for the operation of the business Schedule C contains the complete list of the Company notifications and registrations made by Corporation and its Subsidiaries as currently conductedunder Privacy Laws with relevant Governmental Entities in connection with Corporation and its Subsidiaries’ Processing of Personal Data. All such notifications and registrations are valid, (B) are free accurate, complete and fully paid up and, to the knowledge of any “back door,” “time bomb,” “Trojan horse,” “worm,” “drop dead device,” “virus” or other software routines or hardware components that permit unauthorized accessCorporation, disablement or erasure or otherwise adversely affect the functionality consummation of the IT Assets Agreement will not invalidate such notification or registration or require such notification or registration to be amended. Other than the notifications and (registrations set forth on Section 30(j) of Schedule C) have since , no other registrations or notifications are required in connection with the Lookback Date, not materially malfunctioned or failed, (ii) there has since the Lookback Date, been no misuse, intrusion or breach Processing of the IT Assets Personal Data by Corporation or any loss, theft, or unauthorized or unlawful corruption, access to or Processing, or the rendering unavailable or inaccessible (including through a ransomware attack) of data (including Personal Information or Trade Secrets) Processed by or on behalf of the Company or its Subsidiaries (collectively, “Security Incidents”), (iii) since the Lookback Date, the Company Subsidiaries. Corporation and its Subsidiaries have addressed not and do not Process the Personal Data of any natural Person under the age of 13. (j) Where Corporation or its Subsidiaries use a third party data processor to Process Personal Data, the processor has provided guarantees, warranties or covenants in relation to Processing or Personal Data, confidentiality, security measures and agreed to compliance with those obligations that are sufficient for Corporation and its Subsidiaries’ compliance with Privacy Laws, Corporation Data Agreements and Corporation Privacy Commitments, and there is in existence a written Contract between Corporation or any of its Subsidiaries and each such data processor that complies with the requirements of all “critical”Privacy Laws, “high” Corporation Data Agreements and Corporation Privacy Commitments. Corporation and its Subsidiaries have made available to Purchaser true, correct and complete copies of all such Contracts. To the knowledge of Corporation and its Subsidiaries, such data processors have not materially breached any other material risks, threats and deficiencies identified in any cybersecurity or information security risk audit or penetration testing carried out such Contracts pertaining to Personal Data Processed by or such Persons on behalf of the Company or its Subsidiaries and (iv) no disclosure of any Security Incidents since the Lookback Date, has been or was legally required to have been made by the Company or its Subsidiaries under any applicable Privacy Requirements to any Person, except in the case of (i), (ii), (iii) and (iv) as would not reasonably be expected, individually or in the aggregate, to be material to the Company Corporation or its Subsidiaries, and in particular, any breaches with respect to the unauthorized use or disclosure of Personal Data. (k) Corporation and its Subsidiaries are, and have been at all times, in compliance with the consent requirements under CASL to send commercial electronic messages to each electronic address in its marketing and advertising database, including customers, prior customers, prospective customers and other third party contacts in all material respects. Corporation and its Subsidiaries have maintained records sufficient to demonstrate its compliance with CASL, including records of each consent to send commercial electronic messages as well as records of unsubscribe requests.

Data Privacy and Cybersecurity. (a) (i) The Company Corporation and its Subsidiaries are andare, since the Lookback Date, and have been at all applicable times, in compliance in all material compliance respects with all applicable Privacy Laws, applicable binding industry standards (including PCI DSS) and the Company’s and its Subsidiaries’ publicly posted privacy policies and material contractual commitments relating to the Processing of Personal Information (collectively, together with such Privacy Laws, “Privacy Requirements”); and (ii) the Company and its Subsidiaries have posted a privacy policy for each online site and mobile application operated by or controlled by the Company or any such Subsidiary, in each case, that complies with all applicable Privacy Laws and accurately reflects their practices concerning the Processing of Personal Information in all material respectswithout limitation GDPR. (b) As Neither Corporation, its Subsidiaries, nor to Corporation's knowledge, any subcontractor, has suffered any Breach of Unsecured Protected Health Information (as such terms are defined at 45 C.F.R. § 164.402) or unauthorized misappropriation, access, use or disclosure of Personal Data. (c) Corporation and its Subsidiaries have provided accurate and complete disclosures with respect to their privacy policies, and privacy and data practices, including providing all types of notice and obtaining all types of consent required by HIPAA, GDPR, and other Privacy Laws, as applicable. Such disclosures have not contained any material omissions related to the privacy policies and privacy and data practices of Corporation or any of its Subsidiaries. Each privacy policy and all materials distributed or marketed by Corporation and its Subsidiaries have at all times included all information and made all disclosures to users or customers required by applicable Privacy Laws, and none of such disclosures made or contained in all such privacy policies or in all such materials has been inaccurate, misleading or deceptive in violation of applicable Privacy Laws. (d) Neither Corporation nor its Subsidiaries have received any written communication from any Governmental Entity that alleges that Corporation or any of its Subsidiaries is not in compliance in any material respect with the applicable privacy, security, transaction standards, breach notification or other provisions and requirements of any Privacy Laws, including HIPAA and GDPR. (e) Corporation and its Subsidiaries have implemented commercially reasonable organizational, physical, administrative and technical measures required by (i) Privacy Laws; (ii) all existing contractual commitments; and (iii) all written policies adopted by Corporation and its Subsidiaries, in a manner designed to protect the integrity, security and operations of the date hereof information technology systems, transactions executed thereby, data owned by Corporation or its Subsidiaries and since Personal Data, including by protecting against loss, destruction, damage, unauthorized or unlawful access or use, modification, disclosure or other misuse of Personal Data owned or controlled by Corporation or its Subsidiaries. Corporation and its Subsidiaries have implemented commercially reasonable policies and procedures satisfying the Lookback Daterequirements of Privacy Laws designed to detect and respond to data security breaches and unauthorized access or unauthorized use of the information technology systems, Personal Data, and data owned by Corporation or its Subsidiaries. Corporation and its Subsidiaries have at all times required all third parties to which they provide Personal Data and/or access thereto to maintain the privacy and security of such Personal Data, including where required by applicable Privacy Laws (including HIPAA and GDPR), by contractually obliging such third parties to protect such Personal Data from unauthorized access by and/or disclosure to any unauthorized third parties. (f) The transfer of Personal Data in connection with the transactions contemplated by this Agreement has not, does not currently, and will not violate in any material respect any Privacy Laws or the privacy policies of Corporation or its Subsidiaries as they currently exist or as they existed at any time during which any of the Personal Data was collected or obtained. Corporation and its Subsidiaries are not subject to any contractual requirements or other applicable Privacy Laws that, following the Effective Time, would prohibit Corporation or any of its Subsidiaries from receiving or using Personal Data in the manner in which each entity receives and uses such Personal Data prior to the Effective Time. (g) Upon the Effective Time, Purchaser will continue to have the right to use personal information on substantially the same terms and conditions as Corporation and its Subsidiaries enjoyed immediately prior to the Effective Time. Since January 1, 2016, there has been no loss, damage, or unauthorized access, disclosure, transfer or use of any personal information, material trade secret, or otherwise protected material business information in the possession, custody, or control of Corporation or any of its Subsidiaries, or, to the knowledge of Corporation, maintained or processed on any of their behalf. Since January 1, 2016, there have been no material outages or breaches of, and to the knowledge of Corporation, as of the date of this Agreement, there are no bugs, defects, backdoors, or malicious code in, any software, information technology assets, product, or service owned, sold or licensed by Corporation or any of its Subsidiaries. Since January 1, 2016, neither Corporation nor any of its Subsidiaries has notified in writing, or been required to notify in writing, any Person of any Personal Data or network security-related incident, nor has Corporation or any of its Subsidiaries received any written notice of any claims, whether from a Governmental Authority investigations, or any other Person, received by, nor Proceedings or investigations pending or, to the Knowledge alleged violations of the Company, threatened by any Governmental Authority or any other Person against, the Company or its Subsidiaries, in each case, Law with respect to the Processing of Personal Information (other than individual data subject requests received in the ordinary course of business) that is material to the Company and its Subsidiariessecurity, taken as a wholepersonal data rights or privacy. (c) The Company and its Subsidiaries since the Lookback Date, have (i) taken commercially reasonable measures to protect the integrity, physical and electronic security and continuous operation of the IT Assets owned or Controlled by the Company and its Subsidiaries and to protect the data (including Personal Information and Trade Secrets) stored thereon or Processed thereby against unauthorized access, theft, disclosure, misuse or loss (including implementing and maintaining organizational, physical and technical measures materially compliant with all applicable Privacy Requirements) and (ii) implemented and maintained commercially reasonable disaster recovery plans, procedures, backup equipment and facilities of a scope consistent with customary industry practice and materially compliant with all applicable Privacy Requirements, except as would not reasonably be expected, individually or in the aggregate, to be material to the Company or its Subsidiaries. (i) The IT Assets (A) are in good working order and condition and are sufficient for the operation of the business of the Company and its Subsidiaries as currently conducted, (B) are free of any “back door,” “time bomb,” “Trojan horse,” “worm,” “drop dead device,” “virus” or other software routines or hardware components that permit unauthorized access, disablement or erasure or otherwise adversely affect the functionality of the IT Assets and (C) have since the Lookback Date, not materially malfunctioned or failed, (ii) there has since the Lookback Date, been no misuse, intrusion or breach of the IT Assets or any loss, theft, or unauthorized or unlawful corruption, access to or Processing, or the rendering unavailable or inaccessible (including through a ransomware attack) of data (including Personal Information or Trade Secrets) Processed by or on behalf of the Company or its Subsidiaries (collectively, “Security Incidents”), (iii) since the Lookback Date, the Company and its Subsidiaries have addressed all “critical”, “high” and any other material risks, threats and deficiencies identified in any cybersecurity or information security risk audit or penetration testing carried out by or on behalf of the Company or its Subsidiaries and (iv) no disclosure of any Security Incidents since the Lookback Date, has been or was legally required to have been made by the Company or its Subsidiaries under any applicable Privacy Requirements to any Person, except in the case of (i), (ii), (iii) and (iv) as would not reasonably be expected, individually or in the aggregate, to be material to the Company or its Subsidiaries.

Data Privacy and Cybersecurity. (a) Except as would not, individually or in the aggregate, reasonably be expected to be material to the business of the Company and the Company Subsidiaries: (i) The the Company and its Subsidiaries are andthe Company Subsidiaries, since and the Lookback DateProcessing of Personal Data by or on behalf of the Company and the Company Subsidiaries, have been been, during the three (3) years prior to the date of this Agreement, in material compliance with all applicable Privacy LawsLaws and, applicable binding industry standards (including to the extent applicable, PCI DSS) , all applicable contractual obligations and all policies of the Company and the Company’s and its Subsidiaries’ publicly posted privacy policies and material contractual commitments Company Subsidiaries relating to privacy, data protection, and the Processing of Personal Information Data (collectively, together with such Privacy Laws, “Data Privacy Requirements”); and , (ii) following the consummation of the transactions contemplated hereby, Parent and its Affiliates and the Company and the Company Subsidiaries will have substantially the same right to process any Personal Data currently processed in connection with the businesses of the Company and the Company Subsidiaries that the Company and the Company Subsidiaries have immediately prior to the Closing, (iii) the Company and its the Company Subsidiaries have posted a privacy policy for each online site taken reasonable steps (including implementing, maintaining and mobile application operated by or controlled by the Company or any such Subsidiarymonitoring compliance with organizational, in each case, physical and technical measures with respect to information security that complies comply with all applicable Data Privacy Laws and accurately reflects their practices concerning the Processing of Personal Information in all material respects. (bRequirements) As of the date hereof and since the Lookback Date, there have been no claims, whether from a Governmental Authority or any other Person, received by, nor Proceedings or investigations pending or, to the Knowledge of the Company, threatened by any Governmental Authority or any other Person against, the Company or its Subsidiaries, in each case, with respect to the Processing of Personal Information (other than individual data subject requests received in the ordinary course of business) that is material to the Company and its Subsidiaries, taken as a whole. (c) The Company and its Subsidiaries since the Lookback Date, have (i) taken commercially reasonable measures to protect (A) the integrity, physical and electronic security and continuous operation of the IT Assets owned Systems that are owned, leased or Controlled licensed by the Company or any Company Subsidiary and its (B) all Personal Data and Trade Secrets stored on or Processed by such IT Systems against unauthorized access, acquisition, use, modification, alteration or disclosure, (iv) the Company and the Company Subsidiaries contractually require each service provider, independent contractor, or vendor that Processes Personal Data on behalf of the Company and the Company Subsidiaries to protect the data comply with all applicable Data Privacy Requirements, (v) there have been no breaches (including ransomware attacks), violations, outages, disruptions or unauthorized uses of, or accesses to, the IT Systems; nor any unauthorized access to or use, loss, rendering unavailable or acquisition of, Personal Information and Data or Trade Secrets) Secrets stored thereon or Processed thereby against unauthorized access(collectively, theft“Security Incidents”), disclosure(vi) no disclosure of any such Security Incidents has been made, misuse by the Company or loss the Company Subsidiaries under any applicable Data Privacy Requirements to any Governmental Entity or individual and (including implementing vii) there have been no written claims, complaints or warnings by a Person or enforcement notices or audit requests from a Governmental Entity, received by, nor Legal Proceedings pending or threatened in writing against, the Company and maintaining organizationalthe Company Subsidiaries, physical and technical measures materially compliant with all applicable alleging a violation of any Data Privacy Requirements. (b) and (ii) implemented and maintained commercially reasonable disaster recovery plans, procedures, backup equipment and facilities of a scope consistent with customary industry practice and materially compliant with all applicable Privacy Requirements, except Except as would not reasonably be expectednot, individually or in the aggregate, reasonably be expected to be material to the business of the Company and the Company Subsidiaries, all of the IT Systems owned, leased or its Subsidiaries. licensed by the Company and the Company Subsidiaries are (i) The IT Assets (A) are in good working order and condition and are sufficient for the operation of purposes for which they are used in the business businesses of the Company and its the Company Subsidiaries as currently conducted, and (Bii) are free of any “back door,” “time bomb,” “Trojan horse,” “worm,” “drop dead device,” “virus” or other software routines or hardware components that permit unauthorized access, disablement or erasure or otherwise adversely affect the functionality of the IT Assets Systems. The Company and (C) have since the Lookback Date, not materially malfunctioned or failed, (ii) there has since the Lookback Date, been no misuse, intrusion or breach of the IT Assets or any loss, theft, or unauthorized or unlawful corruption, access to or Processing, or the rendering unavailable or inaccessible (including through a ransomware attack) of data (including Personal Information or Trade Secrets) Processed by or on behalf each of the Company Subsidiaries has established and maintained appropriate disaster recovery plans, procedures and facilities consistent in all material respects with: (A) customary industry practice in the event of any disaster, emergency or its persistent equipment or telecommunications failure affecting the Company or any of the Company Subsidiaries and (collectivelyB) all applicable Data Privacy Requirements. The Company and each of the Company Subsidiaries carry out customary data security risk audits, “Security Incidents”)assessments and penetration testing, (iii) since the Lookback Date, and the Company and its the Company Subsidiaries have fully addressed and remediated all “critical”, ” and “high” and any other material risks, threats and deficiencies identified in any cybersecurity or information security risk audit audit, assessment or penetration testing carried out by or on behalf for the Company or any of the Company or its Subsidiaries and (iv) no disclosure of any Security Incidents since the Lookback Date, has been or was legally required to have been made by the Company or its Subsidiaries under any applicable Privacy Requirements to any Person, except in the case of (i), (ii), (iii) and (iv) as would not reasonably be expected, individually or in the aggregate, to be material to the Company or its Subsidiaries.