Common use of Data Privacy and Cybersecurity Clause in Contracts

Data Privacy and Cybersecurity. (a) The Company and its Subsidiaries have implemented, and use commercially reasonable efforts to require all third parties who hold or Process Sensitive Data for or on the behalf of the Company or its Subsidiary to implement, policies reasonably designed to, and taken commercially reasonable steps to, ensure the confidentiality, integrity, availability, and security of the Sensitive Data Processed by or on behalf of the Company and its Subsidiaries, and the integrity and availability of the IT Systems used by or on behalf of the Company and its Subsidiaries, including against any unauthorized use, access, interruption, modification or corruption. The Company and its Subsidiaries have implemented and maintain information security, backup and data recovery, disaster recovery, and business continuity plans and procedures that are commercially reasonable for its business and that comply in all material respects with all applicable Information Privacy and Security Laws and Information Privacy and Security Obligations. The material information technology and software applications of the Company and its Subsidiaries do not contain any material “time bombs,” “Trojan horses,” “back doors,” “trap doors,” worms, viruses, spyware, keylogger software or other vulnerability, faults or malicious code or damaging devices designed or reasonably expected to adversely impact the functionality of or permit unauthorized access or to disable or otherwise harm any such information technology or software applications. (b) Since January 1, 2022, (i) the Company and its Subsidiaries are and have been in compliance in all material respects with Information Privacy and Security Laws, as well as all other Information Privacy and Security Obligations, (ii) the Company and its Subsidiaries have not experienced any Security Breach or been required by Information Privacy and Security Laws, Governmental Entity or Information Privacy and Security Obligations to notify in writing any Person, of any Security Breach, and (iii) the Company and its Subsidiaries have not received any notice of any Legal Proceeding alleging violation of any Information Privacy and Security Laws, Information Privacy and Security Obligations or a Security Breach.

Data Privacy and Cybersecurity. Except as set forth in Section 3.20 of the Disclosure (a) The Company and its Subsidiaries have implementedis, and use commercially reasonable efforts since January 1, 2020 has been, in compliance in all material respects with: (i) applicable Privacy Laws; (ii) Company policies, statements, and contractual obligations relating to require the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security, disposal, destruction, disclosure, or transfer of Personal Information; and (iii) all third parties who hold or Process Sensitive applicable industry standards including, without limitation, the Payment Card Industry Data for or on the behalf Security Standard and all other applicable requirements of the payment card brands (clauses (i) through (iii), collectively, the “Privacy Requirements”). The Company displays a privacy policy on each publicly-accessible website and mobile application owned, controlled or its Subsidiary to implement, policies reasonably designed tooperated by the Company, and each such privacy policy incorporates all disclosures to data subjects required by the Privacy Laws. None of the disclosures made or contained in any such privacy policy has been materially inaccurate, misleading or deceptive, or in violation of the Privacy Laws (including containing any material omission). The Company has not supplied or provided access to Personal Information processed by it to a third party for remuneration or other consideration. (b) The Company has taken commercially all reasonable steps toorganizational, ensure physical, administrative, and technical measures required by Privacy Requirements and consistent with reasonable standards in the confidentiality, industry in which the Company operates to protect (i) the integrity, availabilitysecurity, and operations of all Company IT Assets and (ii) all Personal Information and other data owned, controlled, or stored by the Company from and against data security incidents or other misuse. The Company has implemented reasonable procedures, satisfying the requirements of the Sensitive Data Processed applicable Privacy Requirements, to detect data security incidents and to protect Personal Information against loss and against unauthorized access, use, modification, disclosure, or other misuse. In connection with each third-party servicing, outsourcing, processing, or otherwise using Personal Information collected, held, or processed by or on behalf of the Company, the Company and its Subsidiarieshas in accordance with Privacy Laws entered into agreements with any such third party obligating the third party to safeguard Personal Information. (c) To the Company’s Knowledge, and there have been no material: (i) data security incidents, personal data breaches, ransomware incidents, or other adverse events or incidents related to any Company IT Assets, Personal Information, or Company data in the integrity and availability custody or control of the IT Systems used by or Company or, the Company’s Knowledge, any service provider acting on behalf of the Company Company; and its Subsidiaries, including against any unauthorized use, access, interruption, modification or corruption. The Company and its Subsidiaries have implemented and maintain information security, backup and data recovery, disaster recovery, and business continuity plans and procedures that are commercially reasonable for its business and that comply in all material respects with all applicable Information Privacy and Security Laws and Information Privacy and Security Obligations. The material information technology and software applications of the Company and its Subsidiaries do not contain any material “time bombs,” “Trojan horses,” “back doors,” “trap doors,” worms, viruses, spyware, keylogger software or other vulnerability, faults or malicious code or damaging devices designed or reasonably expected to adversely impact the functionality of or permit unauthorized access or to disable or otherwise harm any such information technology or software applications. (b) Since January 1, 2022, (i) the Company and its Subsidiaries are and have been in compliance in all material respects with Information Privacy and Security Laws, as well as all other Information Privacy and Security Obligations, (ii) breach or violation of the security of any Company and its Subsidiaries IT Assets. There have not experienced been any Security Breach claims or been required by Information Privacy and Security Lawsproceedings related to any data security incidents, Governmental Entity ransomware incidents, or Information Privacy and Security Obligations to notify in writing any Person, violations of any Security BreachPrivacy Requirements, and (iii) there are no facts or circumstances which could reasonably serve as the Company and its Subsidiaries have not received basis for any notice of any Legal Proceeding alleging violation of any Information Privacy and Security Laws, Information Privacy and Security Obligations such allegations or a Security Breachclaims.