Common use of Data Privacy and Security Clause in Contracts

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security Incident. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and its Subsidiaries have developedand their respective officers and employees, implemented and maintained a written data protectionand, data privacy and cybersecurity program (to the “Data Protection Program”) that is Knowledge of the Company, any processors acting on their behalf are in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times 2019 complied in all material respects with all applicable Privacy Requirements with respect to the Processing of Personally Identifiable Laws. All Personal Information is and other data. The Company and its Subsidiaries are not and has since January 1, 20182019 been collected, have not been subject to a Governmental Order ofprocessed, or have received a notice fromtransferred, a Governmental Authority regarding actual or alleged non-compliance disclosed, shared, stored, protected and used by the Company in accordance with or violation of any Privacy Requirement. Laws in all material respects. (b) The Company has in place policies and its Subsidiaries have taken commercially reasonable steps to ensure procedures for the reliability proper collection, processing, transfer, disclosure, sharing, storing, security and use of their employees, representatives, consultants, contractors and agents Personal Information that have access to Company PII, to train such individuals on comply in all material respects with applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PIILaws. (c) To The Company has, since January 1, 2019, in accordance in all material respects with applicable Privacy Laws: (i) provided individuals with relevant information as required by applicable Privacy Laws; (ii) obtained, where required by applicable Privacy Laws, individuals’ valid consent in relation to the knowledge collection, processing, transfer, disclosure, sharing, use and sale of their Personal Information; (iii) implemented and complied in all material respects with its audit, training and, where required, data protection impact assessment procedures; (iv) where the CompanyCompany has instructed another party to process Personal Information, there have been no unauthorized or illegal Processing, entered into data processing agreements or other breachcontracts which materially comply with the requirements of applicable Privacy Laws; (v) where the Company acts as a processor, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party entered into data suppliers, vendors processing agreements or other partners that Process any Company PII or other Personally Identifiable contracts which materially comply with the requirements of applicable Privacy Laws and complied in all material respects with all applicable contractual obligations; and (vi) made commercially reasonable efforts to store Personal Information on behalf of for no longer than is reasonably necessary for the Company or its Subsidiaries. No circumstances have arisen in purposes for which the Personal Information is processed pursuant to requirements under applicable Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentLaws. (d) The consummation Company has implemented commercially reasonable technical, physical, and organizational measures and security systems and technologies in material compliance with all data security requirements under applicable Privacy Laws and the Payment Card Industry Data Security Standards to protect the integrity and security of transactions contemplated such Personal Information and all Company data and to prevent any destruction, loss, alteration, corruption or misuse of or unauthorized disclosure or access thereto in material compliance with applicable Privacy Laws. (e) To the Knowledge of the Company, since January 1, 2019, the Company has not experienced any material incident in which Personal Information was or may have been stolen, lost, unavailable, destroyed, altered or improperly accessed, disclosed or used without authorization, and the Company is not aware of any facts suggesting the likelihood of the foregoing, including any material “breach of security” (or similar term such as “security breach”) as defined by applicable Privacy Laws. To the Knowledge of the Company, no circumstance has arisen in which applicable Privacy Laws would require the Company to notify a person or Governmental Authority of a “breach of security” (or similar term such as “security breach”) as defined by applicable Privacy Laws. (f) To the Knowledge of the Company, since January 1, 2019, the Company has not been and is not currently: (a) under audit or investigation by any authority regarding the Company’s compliance with applicable Privacy Laws, including regarding the Company’s collection, processing, transfer, disclosure, sharing, storing, protection and use of Personal Information, or (b) subject to any third party notification, claim, demand, audit or action in relation to the Company’s processing of Personal Information, including a notification, a claim, a demand, or an action alleging that the Company has collected, processed, transferred, disclosed, shared, stored or used Personal Information in violation of applicable Privacy Laws. (g) The performance of this Agreement will not breach violate (i) any Privacy RequirementLaws, or (ii) any other privacy or data security requirements or obligations imposed under any contracts on the Company. Upon execution of this Agreement, the Company shall continue to have the right to use and process any Personal Information collected, processed, or used by it before the signature date of this Agreement in order to be able to conduct the ordinary course of its business.

Data Privacy and Security. (ai) The Company and each of its Subsidiaries complies, and during the past three years has complied, in all material respects, with all Privacy and Information Security Requirements. Neither the Company nor any of its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is been notified in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has broughtwriting of, or threatened in writing to bringis the subject of, any Action against complaint or proceeding or to the Company’s knowledge, any, regulatory investigation related to Processing of Personal Data by any Governmental Entity or payment card association, regarding any actual or possible violations of any Privacy and Information Security Requirement by or with respect to the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy RequirementSubsidiaries. (bii) Since January 1, 2018, the The Company and each of its Subsidiaries have at all times complied employs commercially reasonable organizational, administrative, physical and technical safeguards that comply in all material respects with all Privacy and Information Security Requirements to protect Company Data within its custody or control and requires the same of all vendors under contract with respect to the Processing of Personally Identifiable Information and other dataCompany that Process Company Data on its behalf. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation each of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps provided all requisite notices and obtained all required consents, and satisfied all other requirements (including but not limited to ensure notification to Governmental Entities), necessary for the reliability Processing (including international and onward transfer) of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents Personal Data in connection with the right to access such Company PII are under written obligations conduct of confidentiality the business as currently conducted and in connection with respect to such Company PIIthe consummation of the transactions contemplated hereunder. (ciii) To the knowledge of the Company, neither the Company nor any of its Subsidiaries has suffered a security breach with respect to any of the Company Data and to the Company’s knowledge, there have has been no unauthorized or illegal Processinguse of or access to any Company Data. Neither the Company nor any of its Subsidiaries has notified, or been required to notify, any Person of any information security breach involving Personal Data. To the Company’s knowledge, the Company Systems have had no material errors or defects that have not been fully remedied and contain no code designed to disrupt, disable, harm, distort or otherwise impede in any manner the legitimate operation of such Company Systems (including what are sometimes referred to as “viruses”, “worms”, “time bombs” or “back doors”) that have not been removed or fully remedied. Neither the Company nor any of its Subsidiaries have experienced within the past three years any material disruption to, or material interruption in, the conduct of its business that affected the business for more than one calendar week, and attributable to a defect, bug, breakdown, unauthorized access, introduction of a virus or other malicious programming, or other breach, violation failure or default (or event that, with or without deficiency on the giving of notice or lapse of time, would constitute a breach, violation or default) part of any Privacy Requirements by any third-party data suppliers, vendors computer software or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentSystems. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and its Subsidiaries have developedhave, in all material respects, implemented and maintained a written maintain commercially reasonable data protectionbackup, data privacy system redundancy, and cybersecurity program disaster avoidance and recovery plans and procedures, as well as commercially reasonable information security plans, procedures and arrangements designed to protect and preserve the availability, integrity, security, confidentiality and operation of the IT Systems (the “Data Protection Program”including all information stored or contained therein or transmitted thereby) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced against any material Security Incidentunauthorized use, access, interruption, modification or corruption. Since January 1, 20182019, there have been no Person has broughtdata breaches or security incidents with respect to the IT Systems that resulted in any unauthorized access to or use, disclosure, modification or corruption of any information stored or contained therein, or threatened resulted in writing the exertion of third-party control over any of the IT Systems, except those that (i) have been remedied without any material cost or material liability to bring, any Action against the Company or any of its Subsidiaries in relation or the duty to notify any actual other Person, and (ii) did not cause a material disruption to the IT Systems or alleged Security Incident otherwise have a material impact on the operation of the business of the Company or violation or breach of any Privacy Requirementits Subsidiaries. (b) Since January 1, 20182019, the Company and its Subsidiaries (i) have at posted a privacy policy on the Company’s website regarding the collection, use, disclosure, disposal, maintenance and transmission of any Personal Information of visitors to the website, (ii) have and, to the Knowledge of the Company, all times affiliates, vendors, or processors, with respect to their processing of Personal Information on behalf of the Company and its Subsidiaries, been in compliance in all material respects with all applicable Laws and Orders concerning data protection or information privacy and security and (iii) have complied in all material respects with all Privacy Requirements with respect their posted privacy policies, and contractual requirements pertaining to the Processing of Personally Identifiable Information data protection or information privacy and other datasecurity. The Company and its Subsidiaries are not and since Since January 1, 20182019, have not to the Knowledge of the Company, neither the Company nor any of its Subsidiaries (i) has been subject required to a Governmental Order of, or have received a notice from, notify a Governmental Authority regarding actual or alleged non-compliance with any other Person in relation to a security incident or any applicable Law or Order relating to data protection or information privacy and security, (ii) has received any written notice from any Governmental Authority alleging a violation of any Privacy Requirement. The Company applicable Laws or Orders concerning data protection or information privacy and its Subsidiaries have taken commercially reasonable steps security and (iii) to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge Knowledge of the Company, there have been is no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements pending investigation by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf Governmental Authority of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or any of its Subsidiaries relating to notify any Governmental Authority of any Security Incidentsuch Laws or Orders. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all applicable Privacy Requirements. The To the knowledge of the Company, since January 1, 2019, the Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 20182019, no Person has brought, or or, to the knowledge of the Company, threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any applicable Privacy Requirement. (b) Since January 1, 2018, the The Company and its Subsidiaries have at all times have, since January 1, 2019, complied in all material respects with all applicable Privacy Requirements with respect to the Processing of Personally Identifiable Information and other dataCompany PII. The Company and its Subsidiaries are not and and, since January 1, 20182019, have not been subject to a Governmental Order of, or have received a written notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any applicable Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, each of the Company’s and its Subsidiaries’ third-party data suppliers, vendors, and partners that Process any Company PII on behalf of the Company or its Subsidiaries are in compliance in all material respects with applicable Privacy Requirements and there have has been no material unauthorized or illegal Processing, or other material breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a material breach, violation or default) of any Privacy Requirements by any third-party data supplierssuch supplier, vendors vendor or other partners that Process any partner in connection with the Processing of Company PII or other Personally Identifiable Information on behalf PII. To the knowledge of the Company or its Subsidiaries. No Company, no circumstances have arisen in which the applicable Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority or affected individual of any Security Incident. (d) The consummation of transactions contemplated by this Agreement the Transactions will not materially breach any applicable Privacy Requirement.

Data Privacy and Security. (a) The Company Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) comply in all material respects, and since the Lookback Date, have developedcomplied in all material respects, implemented with applicable Privacy Laws, contractual obligations and maintained a written data protectionindustry standards (including PCI DSS) relating to the collection, data privacy use and other Processing of Personal Data, information security or cybersecurity program and each of the Privacy Policies (collectively, the “Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company ”), including with respect to, where required by Law, obtaining all valid and informed consents from and offering opt out and giving all required notices to the Persons subject of the Personal Data. (b) Except as would not reasonably be expected to be material to the Business, since the Lookback Date, (i) neither Parent nor any of its Subsidiaries (including the Acquired Companies) have not experienced received any material Security Incident. Since January 1complaints, 2018claims, warnings or other written notification from any Person (including any Governmental Body) in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business, (ii) no Person has broughtAction, enforcement or threatened investigation notices or audit requests have been served on Parent or any Subsidiary thereof in writing to bringrespect of information security, any Action against cybersecurity or the Company Processing of Personal Data in connection with the Business and (iii) none of Parent or any of its Subsidiaries in relation have been subject to any actual Order or alleged Security Incident Arbitration Decision, nor is any Order or violation or breach Arbitration Decision pending, nor, to the Knowledge of Seller, threatened, alleging noncompliance with any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times complied in all material respects with all applicable Privacy Requirements with in respect to of information security, cybersecurity or the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents Personal Data in connection with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PIIBusiness. (c) To The execution, delivery or performance of this Agreement and the knowledge of the Company, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security Incident. (d) The consummation of transactions contemplated by this Agreement will not violate any applicable Privacy Requirements in any material respect and, except as would not reasonably be expected to be material to the Business, following the consummation of the transactions contemplated by this Agreement, the Acquired Companies will have substantially the same right to Process any Personal Data currently Processed by Parent or its Subsidiaries in connection with the Business as Parent and its Subsidiaries have immediately prior to the Closing. (d) Except as would not reasonably be expected to be material to the Business, the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), (i) are not in breach or default of any Contracts relating to the IT Systems and do not transfer Business Data internationally except where such transfers comply with Privacy RequirementRequirements and (ii) maintain, and have maintained, cyber liability insurance with reasonable coverage limits. (i) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (each, a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacy, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material violations of the Information Security Program with respect to the Business and (iv) except as would not reasonably be expected to be material to the Business, (A) the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are not experiencing and, since the Lookback Date, have not experienced a Security Incident and (B) Parent and its Subsidiaries have not made, or been required to make under applicable Privacy Laws, disclosure of any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for the avoidance of doubt, Security Incidents caused by Sub-Processors. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity plans, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing in accordance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account the volume and sensitivity of data (including Personal Data and Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the Business, and (iii) except as would not reasonably be expected to be material to the Business, the IT Systems currently used by or on behalf of the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as necessary to conduct the Business.

Data Privacy and Security. (a) The Company and each of its Subsidiaries are, and since January 1, 2019, have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is been in material compliance with all Privacy and Data Security Requirements. The Company To the Knowledge of the Company, all Subprocessors are, and its Subsidiaries have not experienced any material Security Incident. Since since January 1, 20182019 have been in, no Person has broughtmaterial compliance with all Privacy and Data Security Requirements. (b) None of the Personal Information in the possession, custody, or threatened in writing control of the Company or any of its Subsidiaries, received by the Company or any of its Subsidiaries, or otherwise Processed by or on behalf of the Company or any of its Subsidiaries, has been collected by, or provided to bring, any Action against the Company or any of its Subsidiaries by a third party, in relation to material violation of any actual Privacy and Data Security Requirement. (c) The execution, delivery, and performance of this Agreement and the consummation of the transactions contemplated hereby, including the transfer of all Personal Information and confidential information in the possession, custody, or alleged Security Incident control of the Company and each of its Subsidiaries (including Personal Information and confidential information held or Processed by any Subprocessor), do not and will not: (i) materially conflict with or result in a material violation or breach of any Privacy Requirementand Data Security Requirement (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company or any of its Subsidiaries); or (ii) require the consent of or notice to any Person concerning such Person’s Personal Information or confidential information. Neither the Company nor any of its Subsidiaries are subject to any Privacy and Data Security Requirements or other legal obligations that, following the Closing, would prohibit the Company, any of the Company’s Subsidiaries, or Parent from receiving, using, or otherwise Processing Personal Information in substantially the same manner in which the Company or any of its Subsidiaries Processed such Personal Information prior to the Closing. (bd) Since January 1, 2018, the The Company and each of its Subsidiaries have at all times complied in all material respects posted to each of their websites, mobile applications, and other online services and provided or otherwise made available to each data subject prior to Processing such data subject’s Personal Information an appropriate Company Privacy and Data Security Policy that materially complies with all Privacy Requirements with respect and Data Security Requirements. No material disclosure or representation made or contained in any Company Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy and Data Security Requirement (including by containing any material omission). The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies that are currently in effect. The Company and each of its Subsidiaries have, to the extent required by Privacy and Data Security Requirements, obtained the consent of data subject to the Processing of Personally Identifiable Personal Information as required by Privacy and other dataData Security Requirements. The Company and each of its Subsidiaries are not have, in material compliance with all Privacy and since January 1Data Security Requirements, 2018implemented all valid and lawful requests pertaining to access, have not been subject to a Governmental Order ofnotice, rectification, portability, deletion, restriction, automated decision making, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation objection of any Privacy Requirement. The Person made to the Company and or any of its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, there have been no unauthorized regarding Personal Information Processed by or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or any of its Subsidiaries and with any other valid and lawful request related to data subject rights under Privacy Laws. (e) Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no Personal Information or confidential information in the possession, custody, or control of the Company or any of its Subsidiaries (including Personal Information and confidential information Processed by any Subprocessor on behalf of the Company) has been impacted by a material Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no IT Systems maintained or operated by or on behalf of the Company or any of its Subsidiaries have been impacted by a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, neither the Company nor any of its Subsidiaries have notified, and there have been no facts or circumstances that would require the Company or any of its Subsidiaries to notify, any data subject, Governmental Authority, or other Person of a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries. No circumstances Neither the Company nor any of its Subsidiaries have arisen in which the Privacy Requirements would require directly or recommend indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries, to any Person sanctioned by, or any Person located in a jurisdiction sanctioned by, the U.S. Department of Treasury’s Office of Foreign Assets Control or in violation of any applicable Law. (f) Since January 1, 2019: (i) neither the Company nor any of its Subsidiaries to notify have received any written notice, request, claim, complaint, correspondence, or other communication from any Governmental Authority or other Person, and; (ii) to the Knowledge of the Company, there has not been any audit, investigation, lawsuit, enforcement action (including any fines or other Sanctions), or other legal action, related to the Company or any of its Subsidiaries’ Processing of Personal Information, the Company’s or any of its Subsidiaries’ privacy or data security practices, or any actual or alleged Data Incident or violation of any Privacy and Data Security IncidentRequirement. (dg) The consummation Company and each of transactions contemplated its Subsidiaries have implemented and maintained appropriate administrative, technical, physical, and organizational safeguards, security measures, and controls, including a fully-implemented comprehensive written information security program appropriately designed to (i) identify and address internal and external risks to the privacy or security of Personal Information and confidential information; (ii) monitor and improve adequate safeguards, security measures, and controls that protect Personal Information and confidential information and the operation, integrity, and security of its software, IT Systems, applications, and websites involved in the Processing of Personal Information or confidential information; (iii) protect Personal Information, confidential information, and information technology resources of the Company or any of its Subsidiaries against a Data Incident; and (iv) provide notification in compliance with applicable Privacy Laws in the event of a Data Incident.. The Company and each of its Subsidiaries have (i) implemented and maintained appropriate backups and disaster recovery and business continuity plans and (ii) regularly test such plans to ensure such plans are effective in all material respects upon such testing. (h) The Company and each of its Subsidiaries have entered into and maintained valid data processing agreements that materially comply with Privacy and Data Security Requirements with all customers and other Persons on whose behalf the Company or any of its Subsidiaries Processes or have Processed Personal Information. The Company and each of its Subsidiaries comply and have since January 1, 2019 materially complied with all such data processing agreements. The Company and each of its Subsidiaries have entered into and maintained appropriate contractual agreements with all Subprocessors that materially comply with all Privacy and Data Security Requirements. (i) The Company and each of its Subsidiaries have since January 1, 2019, at least annually performed an appropriate security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by this Agreement will not breach a recognized third-party audit firm. The Company and each of its Subsidiaries have used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessments. (j) Neither the Company nor any of its Subsidiaries have since January 1, 2019, sold, licensed, rented, leased, released, disclosed, disseminated, made available, transferred, or communicated Personal Information to another Person for any consideration (a “Data Sale”), except where such Sale complies with Privacy Requirementand Data Security Requirements. (k) The Company and each its Subsidiaries have since January 1, 2019, maintained cyber insurance policies that are adequate and suitable for the nature and volume of Personal Information and confidential information Processed by or on behalf of the Company and each of its Subsidiaries.

Data Privacy and Security. (a) The Company and its Subsidiaries have developedat all times for the past two (2) years complied in all material respects with, implemented and maintained a written data protectionare currently in compliance in all material respects with, data privacy all applicable Privacy Laws, Privacy and cybersecurity program Data Security Policies (as defined below) and contractual commitments relating to the Processing of Personal Data (collectively, the “Data Protection Program”) that is in material compliance with all Privacy Requirements”). The Company and its Subsidiaries have not experienced any material implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Incident. Since January 1Policies”). (b) There is no pending, 2018, no Person nor has brought, or threatened in writing to bringthere been for the past two (2) years, any Action Proceeding against the Company or any of its Subsidiaries in relation to initiated by (i) any actual Person, (ii)the United States Federal Trade Commission, any state attorney general or alleged Security Incident similar state official, (iii) any other Governmental Entity, foreign or domestic, or (iv) any regulatory or self-regulatory entity, alleging that any violation or breach of any Privacy RequirementRequirement by the Company or its Subsidiaries with respect to any Processing of Personal Data by or on behalf of the Company or any of its Subsidiaries. (bc) Since January 1There has been no breach of security resulting in unauthorized access, 2018use or disclosure of Personal Data in the possession or control of the Company or any of its Subsidiaries or, to the Company’s knowledge, any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or any of its Subsidiaries, or any unauthorized intrusions, breaches of security or other data security incidents with respect to the Company IT Systems. (d) The Company and its Subsidiaries own or have license to use the Company IT Systems as necessary to operate the Business as currently conducted and the Company IT Systems operate and perform in a manner that permits the Company and its Subsidiaries have at all times complied in all material respects to conduct the Business as currently conducted. To the Company’s knowledge, none of the Company IT Systems contain any worm, bomb, backdoor, clock, timer or other disabling device, code, design or routine that causes the Software of any portion thereof to be erased, inoperable or otherwise incapable of being used, either automatically, with all Privacy Requirements with respect to the Processing passage of Personally Identifiable Information and other data. time or upon command by any unauthorized person. (e) The Company has taken commercially reasonable organizational, physical, administrative and its Subsidiaries are not technical measures required by Privacy Requirements, and since January 1consistent with standards prudent in the industry in which the Company operates, 2018designed to protect the integrity, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation security and operations of any Privacy Requirementthe Company IT Systems. The Company and its Subsidiaries have taken implemented commercially reasonable steps to ensure procedures, including implementing data backup, disaster avoidance, recovery and business continuity procedures, and have satisfied the reliability requirements of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements Laws in all material respects, designed to detect data security incidents and to ensure that all such employeesprotect Personal Data against loss and against unauthorized access, representativesuse, consultantsmodification, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PIIdisclosure or other misuse. (c) To the knowledge of the Company, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security Incident. (df) The consummation of any of the transactions contemplated by this Agreement hereby or pursuant to any Ancillary Document will not breach violate any applicable Privacy Requirements. (g) There have not been any Proceedings related to any unauthorized intrusions, breaches of security or other data security incidents, or any violations of any Privacy RequirementRequirements, that have been asserted against the Company or any of its Subsidiaries and, to the Company’s knowledge, neither the Company nor any of its Subsidiaries has received any information relating to, or notice of any Proceedings with respect to, any alleged violations by the Company or any of its Subsidiaries of any Privacy Requirements.

Data Privacy and Security. (a) Since the Lookback Date, (i) the IT Systems have not suffered any material failures or malfunctions, (ii) the Company and its Subsidiaries have implemented commercially reasonable administrative, physical, and technical safeguards designed to protect the integrity, security and confidentiality of Personal Information, Company Data, and the IT Systems, as well as commercially reasonable actions to protect the continuous operation, redundancy, backup, and availability of the IT Systems, and (iii) to the Knowledge of the Company, the IT Systems operate and perform as required by the Company and its Subsidiaries in connection with the conduct of their respective businesses and (iv) to the Knowledge of the Company, are free from bugs and other defects and do not contain any “virus”, “worm”, “spyware”, “ransomware” or other malicious software. Since the Lookback Date, there have been no material unauthorized intrusions or breaches of the security of the IT Systems, and no material theft, loss, or unauthorized access or acquisition of Personal Information or material Company Data. The Company and its Subsidiaries maintain a documented information security program that meets Data Protection Requirements in all material respects. (b) The Company and its Subsidiaries are, and since the Lookback Date have developedbeen, implemented and maintained a written data protection, data privacy and cybersecurity program (the “in compliance with applicable Data Protection Program”) Requirements, except for any noncompliance that is in would not reasonably be expected to be material compliance with all Privacy Requirementsto the Company or its Subsidiaries. The Company and its Subsidiaries have not experienced provided adequate notice and obtained any material Security Incident. Since January 1, 2018, no Person has broughtnecessary consents, or threatened in writing to bring, any Action against contractually required vendors or service providers of the Company or any of its Subsidiaries to provide adequate notice and obtain any necessary consents, from persons required for the processing of Personal Information, in relation each case to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1the extent required by Data Protection Requirements, 2018, except where the failure to do so would not reasonably be expected to be material to the Company and or its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy RequirementSubsidiaries. The Company and its Subsidiaries have taken commercially reasonable steps in place, and since the Lookback Date have complied with, written and externally published policies and procedures concerning the privacy and security of Personal Information and Company Data, except for any noncompliance that would not reasonably be expected to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access be material to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances Since the Lookback Date, there have arisen in which been no breaches, violations, outages or unauthorized uses of or accesses to Personal Information or Company Data maintained by the Privacy Requirements Company or its Subsidiaries, except as would require not reasonably be expected to be material to the Company or recommend its Subsidiaries. Since the Lookback Date until the date hereof, neither the Company nor its Subsidiaries have received any written communication or claim from any Governmental Authority or Person that alleges that the Company or its Subsidiaries are not in compliance with any Data Protection Requirements, except as would not reasonably be expected to notify any Governmental Authority be material to the Company, and no such claim is pending. The Transaction and the execution, delivery, and performance of any Security Incident. (d) The consummation of transactions contemplated by this Agreement will not cause, constitute, or result in a breach or violation of any Privacy Requirementapplicable Data Protection Requirements, except as would not reasonably be expected to be material to the Company or its Subsidiaries. The Company is not a “covered entity” or “business associate” as those terms are defined in 45 C.F.R. § 160.103.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, Company’s data privacy and cybersecurity program (the “security practices and processing of Personal Data Protection Program”) that is in material compliance comply, and at all times have complied, with all of the Company Privacy RequirementsCommitments, Privacy Laws and Company Data Agreements. The Company has at all times required by Privacy Laws and its Subsidiaries have Company Data Agreements: (A) had a valid legal basis (including providing adequate notice and obtaining any necessary consents from individuals) required for the Processing of Personal Data as conducted by or for the Company, (B) refrained from selling or sharing Personal Data with third parties for the third party’s benefit except as allowed under Applicable Law, and (C) abided by any privacy rights and choices (including privacy by default obligations under Applicable Law and data-subject opt-out preferences) of individuals relating to Personal Data (such obligations along with all statements and obligations contained in Company Privacy Policies, collectively, “Company Privacy Commitments”). The Company has not experienced granted any material Security Incidentoptions, rights of first refusal or negotiation or other similar rights, licenses or agreements of any kind relating to any Company Data, and the Company is not bound by or a party to any option, rights of first refusal or negotiation or other similar rights, license or agreement of any kind with respect to any of the Company Data. Since January 1Neither the execution, 2018delivery and performance of this Agreement nor the taking over by Acquirer of all of the Company Data and other information relating to the Company’s end users, no Person has broughtemployees, vendors or clients, or threatened any other category of individuals, will cause, constitute or result in writing to bringa breach or violation of any Privacy Laws or Company Privacy Commitments, any Action against Company Data Agreements or any standard terms of service entered into by the Company with individuals the Personal Data of whom is Processed by the Company or any its Processors. Copies of its Subsidiaries in relation all current and prior Company Privacy Policies have been made available to any actual or alleged Security Incident or violation or breach of any Privacy RequirementAcquirer and such copies are true, correct and complete. (b) Since January 1The Company has established and maintain appropriate technical, 2018, the Company physical and its Subsidiaries have at all times complied organizational measures and security systems and technologies in all material respects compliance with all data security and other applicable requirements under Privacy Requirements with respect Laws and Company Privacy Commitments that are designed to protect Company Data against: (i) accidental or unlawful Processing or disclosure; (ii) breaches of confidentiality; (iii) unavailability of Company Data; or (iv) other events which affect the integrity of Company Data, in each case, in a manner appropriate to the risks represented by the Processing of Personally Identifiable Information such data by the Company, their data processors and any other datathird party with whom the Company has shared such Company Data (such processors and foregoing third parties, collectively, “Processors”). The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have has taken commercially reasonable steps to ensure the reliability compliance of their employees, representatives, consultants, respective employees and contractors and agents that who have access to Company PIIData, to train such individuals employees on all applicable aspects of any Privacy Requirements Law and Company Privacy Commitments and to ensure that all such employees, representatives, consultants, contractors and agents employees with the right authority and/or ability to access such Company PII data are under written obligations of confidentiality with respect to such data. The Company PIIhas a process in place for identifying Personal Data in the materials they offer to their users on their websites and takes appropriate steps to ensure they are able legally to use such Personal Data as part of its commercial offering. (c) The Company has not received or experienced and there is no circumstance (including any circumstance arising as a result of an audit or inspection carried out by any Governmental Entity) that would reasonably be expected to give rise to, any Legal Proceeding, Order, notice, communication, warrant, regulatory opinion, audit result or allegation from a Governmental Entity or any other Person (including an end user): (A) alleging or confirming non-compliance with a relevant requirement of Privacy Laws or Company Privacy Commitments, (B) requiring or requesting the Company to amend, rectify, cease Processing, de-combine, permanently anonymize, block or delete any Company Data, (C) permitting or mandating relevant Governmental Entities to investigate, requisition information from, or enter the premises of, the Company or (D) claiming compensation from the Company. There are no unsatisfied requests from individuals or other third parties to the Company seeking to exercise any data protection or privacy rights (such as rights to access, rectify, or delete Personal Data, to restrict or object to processing of Personal Data, or relating to data portability). The Company has not been involved in any Legal Proceedings involving non-compliance or alleged non-compliance with Privacy Laws or Company Privacy Commitments. (d) Schedule ‎2.11(d) of the Company Disclosure Letter contains the complete list of notifications and registrations made by the Company under Privacy Laws with relevant Governmental Entities in connection with the Company’s Processing of Personal Data. All such notifications and registrations are valid, accurate, complete and fully paid up and, to the knowledge of the Company, the consummation of the Transactions will not invalidate such notification or registration or require such notification or registration to be amended. To the knowledge of the Company, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without than the giving of notice or lapse of time, would constitute a breach, violation or defaultnotifications and registrations set forth on Schedule ‎2.11(d) of the Company Disclosure Letter, no other registrations or notifications are required in connection with the Processing of Personal Data by the Company. The Company does not Process the Personal Data of any Privacy Requirements natural person who is under the age of 13 or is otherwise considered a child under Applicable Law. (e) The Company has made available to Acquirer true, correct and complete copies of all Contracts permitting a Processor to Process Personal Data and such Processors have not breached any such Contracts pertaining to Personal Data Processed by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information such Persons on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentCompany. (df) The consummation Company maintains complete, accurate and up to date records of transactions contemplated (i) all Processing activities of Personal Data and their lawful bases and (ii) all data protection impact assessments, in each case as required by this Agreement will not breach any the applicable Privacy RequirementLaws.

Data Privacy and Security. (ai) The Company and each of its Subsidiaries complies, and during the past two years has complied, in all material respects, with all Privacy and Information Security Requirements. Neither the Company nor any of its Subsidiaries have developedbeen notified in writing of, implemented and maintained a written data protectionor is the subject of, data privacy and cybersecurity program (the “any complaint, regulatory investigation or proceeding related to Processing of Personal Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced by any third party, Governmental Entity or payment card association, regarding any material violations of any Privacy and Information Security Incident. Since January 1, 2018, no Person has brought, Requirement by or threatened in writing with respect to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement.Subsidiaries; (bii) Since January 1, 2018, the The Company and each of its Subsidiaries have at all times complied employs commercially reasonable safeguards that comply in all material respects with all applicable Privacy and Information Security Requirements to protect Company Data within its custody or control and requires the same of all vendors under contract with respect to the Processing of Personally Identifiable Information and other dataCompany that Process Company Data on its behalf. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation each of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps provided all requisite notices and obtained all required consents, and satisfied all other requirements (including but not limited to ensure notification to applicable Governmental Entities), necessary for the reliability Processing (including international and onward transfer) of their employees, representatives, consultants, contractors all Personal Data in connection with the conduct of the business as currently conducted and agents that have access to in connection with the consummation of the transactions contemplated hereunder; and (iii) Neither the Company PIInor any of its Subsidiaries, to train such individuals on all applicable Privacy Requirements and to ensure that all such employeesthe Company’s knowledge, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality has suffered a security breach with respect to such Company PII. (c) To the knowledge any of the Company Data and, to the Company’s knowledge, there have has been no unauthorized or illegal Processinguse of, access or disclosure to, or unavailability of any Company Data. Neither the Company nor any of its Subsidiaries has notified, or been required to notify, any Person of any information security breach or other incident involving Personal Data. To the Company’s knowledge, the Company Systems have had no material errors or defects that have not been fully remedied and contain no code designed to disrupt, disable, harm, distort, or otherwise impede in any manner the legitimate operation of such Company Systems (including what are sometimes referred to as “viruses,” “worms,” “time bombs,” or “back doors”) that have not been removed or fully remedied. Neither it nor any of its Subsidiaries, have experienced any disruption to, or interruption in, the conduct of its business that effected the business for more than one calendar week, and attributable to a defect, bug, breakdown, unauthorized access, introduction of a virus or other malicious programming, or other breach, violation failure or default (or event that, with or without deficiency on the giving of notice or lapse of time, would constitute a breach, violation or default) part of any Privacy Requirements by any third-party data suppliers, vendors computer software or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentSystems. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any each of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. complies, and during the past twelve (b12) Since January 1, 2018, the Company and its Subsidiaries have at all times months has complied in all material respects with all Privacy Requirements and Information Security Requirements. Neither the Company nor any of its Subsidiaries have been notified in writing of, or is the subject of, any complaint, regulatory investigation or proceeding related to Processing of Personal Data by any Governmental Entity or payment card association, regarding any violations of any Privacy and Information Security Requirement by or with respect to the Processing Company or any of Personally Identifiable its Subsidiaries. (b) The Company and each of its Subsidiaries employs commercially reasonable organizational, administrative, physical and technical safeguards that comply with all Privacy and Information Security Requirements to protect Personal Data within its custody or control and other datarequires the same of all vendors under contract with the Company that Process Personal Data on its behalf. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation each of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps provided all requisite notices and obtained all required consents or otherwise identified legal basis for Personal Data, and satisfied all other requirements (including but not limited to ensure notification to Governmental Entities), necessary for the reliability Processing (including international and onward transfer) of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents Personal Data in connection with the right conduct of the Company Business as currently conducted and in connection with the consummation of the transactions contemplated hereunder, except in each case, as would not be reasonably expected to access such Company PII are under written obligations of confidentiality have a Material Adverse Effect with respect to such Company PIIthe Company. (c) To Neither the knowledge Company nor any of its Subsidiaries, to the Company’s knowledge, has suffered a security breach with respect to any of the Personal Data and, to the Company’s knowledge, there have has been no unauthorized or illegal Processinguse of or access to any Personal Data. Neither the Company nor any of its Subsidiaries has notified, or been required to notify, any Person of any information security breach involving Personal Data. To the Company’s knowledge, the Company Systems have had no material errors or defects that have not been fully remedied and contain no code designed to disrupt, disable, harm, distort, or otherwise impede in any manner the legitimate operation of such Company Systems (including what are sometimes referred to as “viruses,” “worms,” “time bombs,” or “back doors”) that have not been removed or fully remedied. To the Company’s knowledge, neither it nor any of its Subsidiaries, have experienced within the past twelve (12) months any material disruption to, or material interruption in, the conduct of its business that effected the business for more than one calendar week, and attributable to a defect, bug, breakdown, ransomware event, unauthorized access, introduction of a virus or other malicious programming, or other breach, violation failure or default (or event that, with or without deficiency on the giving of notice or lapse of time, would constitute a breach, violation or default) part of any Privacy Requirements by any third-party data suppliers, vendors computer Software or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentSystems. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and its Subsidiaries and, to the Knowledge of the Company, its Data Partners, comply and, within the last five years, have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements Laws, Company Privacy Policies and Contracts relating to the processing, privacy and security of Personal Information (collectively, the “Company Privacy Commitments”), including compliance with respect to (i) Personal Information of Company’s website visitors, customers or representatives of Company customers, the Processing of Personally Identifiable Information and other data. The Company and Company’s or its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order ofSubsidiaries’ own employees, or have received a notice fromany other individual whose Personal Information is processed by the Company or its Subsidiaries; and (ii) the sending of solicited or unsolicited electronic or telephonic communications, a Governmental Authority regarding actual including via email, text message or alleged non-compliance with or violation of any Privacy Requirementphone call. The Company and its Subsidiaries have taken commercially reasonable steps to ensure implemented and maintained processes for identifying and redacting any Personal Information contained in the reliability of their employees, representatives, consultants, contractors and agents that have access to Spaces created by the Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PIIPlatform. (cb) To Neither the knowledge execution, delivery and performance of this Agreement by the Company nor the consummation by the Company of the Company, there have been no unauthorized transactions contemplated hereby will (i) trigger or illegal Processing, require any notices to or consents from any Person; (ii) violate any Company Privacy Commitments; or (iii) give rise to any right of termination or other breach, violation right to impair or default (limit the Company’s or event that, with its Subsidiaries’ right to own and process any Personal Information used in or without necessary for the giving operation of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf the business of the Company or its Subsidiaries. No circumstances Since July 21, 2021, the Company and its Subsidiaries (A) have, in all material respects, implemented and maintain complete, accurate and up to date records of responses to requests from individuals requesting access, rectification or deletion of Personal Information or other exercise of rights under Company Privacy Commitments and (B) have arisen responded to all requests from individuals requesting access, rectification, deletion or other exercise of rights under Privacy Laws, in which the time period and in accordance in all material respects with the other requirements of Company Privacy Requirements would require or recommend Commitments. (c) All Personal Information processed by the Company or its Subsidiaries has been collected fairly and lawfully (including through the provision of information notices and other disclosures (in the Company Privacy Policies or otherwise) and the collection of valid consent where required) and can be used legitimately in the manner used by the Company without breaching any Company Privacy Commitments. The Company and its Subsidiaries have, as of the date hereof and since July 21, 2021, posted and prominently made available on its websites, mobile applications and other mechanisms through which the Company or its Subsidiaries collects Personal Information, a Company Privacy Policy in conformance in all material respects with Privacy Laws. All Company Privacy Policies published by the Company are and, since July 21, 2021, have, in all material respects, been accurate, complete and consistent with the actual practices of the Company and its Subsidiaries with respect to notify the processing of Personal Information. As of the date hereof, no disclosure or representation made or contained in any Governmental Authority Company Privacy Policy published by the Company has been intentionally inaccurate, misleading, deceptive or in violation of any Security IncidentPrivacy Laws (including by containing any material omission). (d) The consummation Company and its Subsidiaries have in place written Contracts with all of their customers regarding the Company’s or its Subsidiaries’ processing of Personal Information on behalf of such customers. Such Contracts include written obligations that comply with the requirements of Privacy Laws in relation to the Company’s and its Subsidiaries’ processing and protection of Personal Information. When acting as a Data Processor on behalf of customers, the Company and its Subsidiaries do not process Personal Information for any purpose except on the instruction of the customer (unless required to do so by applicable Law). Neither the Company nor its Subsidiaries have transferred or permitted the transfer of Personal Information originating in the European Economic Area (“EEA”) or United Kingdom (“UK”) to outside the EEA or UK (as applicable), or otherwise across jurisdictional borders, except where such transfers have complied with the requirements of the Company Privacy Commitments and with reasonable safeguards in place for such transfer. (e) Where the Company or its Subsidiaries use a Data Partner to process Personal Information or otherwise share or disclose Personal Information with such Data Partner, there is in existence a Contract. Such Contract with the Data Partner includes written obligations in relation to the processing and protection of Personal Information and has agreed to comply with those obligations in a manner sufficient for the Company’s and its Subsidiaries’ compliance with Company Privacy Commitments, including where applicable, obligations for any party acting as a Data Processor (as defined under the Privacy Laws) to act only on the instructions of the Data Controller (as defined under the Privacy Laws) and such other terms as are required under Privacy Laws. To the Knowledge of the Company, no Data Partner has breached any such Contracts. (f) The Company and its Subsidiaries have, and have required all Data Partners to have, implemented administrative, physical and technical safeguards to protect and maintain the confidentiality, integrity, availability and security of Personal Information and any information technology systems owned by the Company or its Subsidiaries against any accidental, unlawful or unauthorized use, access, disclosure, modification, destruction, loss, or compromise or other processing (a “Security Incident”). The Company and its Subsidiaries use, and have at all times used, reliable methods designed to ensure the correct identity of the users of those with access to any information technology systems owned by the Company or its Subsidiaries, and have used reliable measures designed to protect the security and integrity of transactions contemplated by this Agreement will not breach executed through the IT Systems of the Company or its Subsidiaries. (g) In relation to any Security Incident and/or violation of Company Privacy RequirementCommitments, neither the Company, any Subsidiary, nor to the Knowledge of the Company, as of the date hereof, any Data Partner has: (i) notified in writing, or been required to notify in writing, any customer, consumer, employee, Governmental Authority or other Person or (ii) received any written notice, inquiry, request, claim, complaint, correspondence or other communication from, or been the subject of any investigation or enforcement action by, any Governmental Authority or other Person. To the Knowledge of the Company, as of the date hereof, there are no facts or circumstances that would give rise to the occurrence of (i) or (ii).

Data Privacy and Security. (ai) The Company Purchaser and each of its Subsidiaries complies, and during the past two years has complied, in all material respects, with all Privacy and Information Security Requirements. Neither the Purchaser nor any of its Subsidiaries have developedbeen notified in writing of, implemented and maintained a written data protectionor is the subject of, data privacy and cybersecurity program (the “any complaint, regulatory investigation or proceeding related to Processing of Personal Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced by any third party, Governmental Entity or payment card association, regarding any material violations of any Privacy and Information Security Incident. Since January 1, 2018, no Person has brought, Requirement by or threatened in writing with respect to bring, any Action against the Company Purchaser or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement.Subsidiaries; (bii) Since January 1, 2018, The Purchaser and each of its Subsidiaries employs commercially reasonable safeguards that comply in all respects with all applicable Privacy and Information Security Requirements to protect Purchaser Data within its custody or control and requires the Company same of all vendors under contract with the Purchaser that Process Purchaser Data on its behalf. The Purchaser and each of its Subsidiaries have at provided all times complied requisite notices and obtained all required consents, and satisfied all other requirements (including but not limited to notification to applicable Governmental Entities), necessary for the Processing (including international and onward transfer) of all Personal Data in all material respects connection with all Privacy Requirements the conduct of the business as currently conducted and in connection with the consummation of the transactions contemplated hereunder, except to the extent that any failure to do so would not have, individually or in the aggregate, a Purchaser Material Adverse Effect; and (iii) Neither the Purchaser nor any of its Subsidiaries, to the Purchaser’s knowledge, has suffered a security breach with respect to any of the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PIIPurchaser Data and, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the CompanyPurchaser’s knowledge, there have has been no unauthorized or illegal Processinguse of, access or disclosure to, or unavailability of any Purchaser Data. Neither the Purchaser nor any of its Subsidiaries has notified, or been required to notify, any Person of any information security breach or other incident involving Personal Data. To the Purchaser’s knowledge, the Purchaser Systems have had no material errors or defects that have not been fully remedied and contain no code designed to disrupt, disable, harm, distort, or otherwise impede in any manner the legitimate operation of such Purchaser Systems (including what are sometimes referred to as “viruses,” “worms,” “time bombs,” or “back doors”) that have not been removed or fully remedied. Neither it nor any of its Subsidiaries, have experienced any disruption to, or interruption in, the conduct of its business that effected the business for more than one calendar week, and attributable to a defect, bug, breakdown, unauthorized access, introduction of a virus or other malicious programming, or other breach, violation failure or default (or event that, with or without deficiency on the giving of notice or lapse of time, would constitute a breach, violation or default) part of any Privacy Requirements by any third-party data suppliers, vendors computer software or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentPurchaser Systems. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (ai) Each Acquired Company’s data, privacy and security practices conform, and at all times have conformed, to all of the Company Privacy Commitments, Privacy Laws and Company Data Agreements. Each Acquired Company has at all times (A) had the legal basis (including providing adequate notice and obtaining any necessary consents from individuals) required for the Processing of Personal Data as conducted by or for the Acquired Companies, (B) refrained from selling or sharing Personal Data with third parties for the third party’s benefit except as allowed under Applicable Law and (C) abided by any privacy choices (including opt-in and opt-out preferences, as required) of individuals relating to Personal Data (such obligations along with those contained in Company Privacy Policies, collectively, “Company Privacy Commitments”). Copies of all current and prior Company Privacy Policies have been Made Available to Parent and such copies are true, correct and complete. (ii) The Acquired Companies have established and maintained adequate technical, physical and organizational measures and security systems and technologies in compliance with data security requirements under Privacy Laws, Company Data Agreement and Company Privacy Commitments that are designed to protect Company Data against accidental or unlawful Processing, in a manner appropriate to the risks represented by the Processing of such data by each Acquired Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all Privacy RequirementsProcessors. The Company Acquired Companies and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries their Data Processors have taken commercially reasonable steps to ensure the reliability train vendors, employees and contractors who Process Company Data on applicable material aspects of their employees, representatives, consultants, contractors Privacy Law and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements Commitments and to ensure that all such employeesvendors, representatives, consultants, employees and contractors and agents with the right authority and/or ability to access such Process Company PII Data are under written obligations of confidentiality with respect to such Company PIIData. (ciii) No Acquired Company has received or experienced and there is no circumstance (including any circumstance arising as a result of an audit or inspection carried out by any Governmental Body) that would give rise to any Action, Order, notice, communication, warrant, regulatory opinion, audit result or allegation from a Governmental Body or any other Person (including an end user): (A) alleging or confirming non-compliance with a relevant requirement of Privacy Laws or Company Privacy Commitments, (B) requiring or requesting any Acquired Company to amend, rectify, cease Processing, de-combine, permanently anonymize, block or delete any Company Data; (C) permitting or mandating relevant Governmental Bodies to investigate, requisition information from, or enter the premises or any Acquired Company; or (D) claiming compensation from any Acquired Company. Each Acquired Company has responded to, and continues to promptly respond to, requests from individuals or other third parties, and there are no unsatisfied requests from individuals or other third parties to the Acquired Companies seeking to exercise any data protection or privacy rights (such as rights to access, rectify, or delete Personal Data, to restrict or object to processing of Personal Data, or relating to data portability.) No Acquired Company has been involved in any Actions, involving non-compliance or alleged non-compliance with Privacy Laws or Company Privacy Commitments. (iv) Schedule 3.11(s)(iv) of the Disclosure Schedule contains the complete list of notifications and registrations made by each Acquired Company under Privacy Laws with relevant Governmental Bodies in connection with the Acquired Companies’ Processing of Personal Data. All such notifications and registrations are valid, accurate, complete and fully paid-up and, to the knowledge of the Company, the consummation of the Transactions will not invalidate such notification or registration or require such notification to be amended. Other than the notifications and registrations set forth on Schedule 3.11(s)(iv) of the Disclosure Schedule, no other registrations or notifications are required in connection with the Processing of Personal Data by the Acquired Companies. The Acquired Companies do not Process the Personal Data of any natural Person considered a child or minor under Applicable Law. The Acquired Companies do not target advertisements to any natural person considered a child or minor under Applicable Law. (v) Where any Acquired Company has used a Data Processor to Process Personal Data in the last three years, the processor has provided guarantees, warranties or covenants in relation to Processing of Personal Data, confidentiality, security measures and agreed to compliance with those obligations that are sufficient for such Acquired Company’s compliance with Privacy Laws and Company Privacy Commitments, and there is in existence a written Contract between such Acquired Company and each such Data Processor that complies with the requirements of all Privacy Laws and Company Privacy Commitments. The Company has Made Available to Parent true, correct and complete copies of all such Contracts. To the knowledge of the Company, there such Data Processors have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of not breached any Privacy Requirements such Contracts pertaining to Personal Data Processed by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information such Persons on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentAcquired Companies. (dvi) The consummation No Acquired Company has transferred or permitted the transfer of transactions contemplated by this Agreement will not breach any Personal Data originating in the EEA outside the EEA, except where such transfers have complied with the requirements of Privacy RequirementLaws and Company Privacy Commitments.

Data Privacy and Security. (ai) The Company and its Subsidiaries the Subsidiary comply, and at all times have developedcomplied with the Company Privacy Policies, Company Personal Data Agreements (except to the extent such non-compliance would not reasonably be expected to be material to the Company or the Business), and Privacy Laws (collectively, “Company Privacy Commitments”). Neither the execution, delivery and performance of this Agreement nor the assignment to Acquirer of all of the Company Data and other information relating to the Company’s and the Subsidiary’s end users, employees, vendors or clients, or any other category of individuals, will cause, constitute or result in a material breach or violation of any Company Privacy Commitments. For the avoidance of doubt, all Personal Data held or controlled by the Company is an asset that will be transferred as part of the Merger, as contemplated by section 1798.140(t)(2)(D) of the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. All current Company Privacy Policies published by the Company and/or the Subsidiary are, and all prior Company Privacy Policies have, when in effect, been, materially accurate and complete and have not misrepresented, in any manner (including by omission), the Company’s and/or the Subsidiary’s Personal Data Processing practices, including the privacy or security of Personal Data. (ii) The Company and the Subsidiary have implemented and maintained a written data protection, data privacy maintain an information security program that complies with industry standard practices and cybersecurity program materially complies with Company Privacy Commitments (the an “Data Protection Information Security Program”) that is and the Company and the Subsidiary act in material compliance therewith. The Company and the Subsidiary have required all vendors and other third Persons who Process Personal Data on behalf of the Company or the Subsidiary (“Processors”) to comply with the Information Security Program. To the knowledge of the Company, such Processors have not breached any Contracts pertaining to Personal Data Processed by such Persons on behalf of Company or the Subsidiary. The Company and the Subsidiary have acted in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material the Information Security Incident. Since January 1Program, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure confirm the reliability of their employees, representatives, consultants, respective employees and contractors and agents that who have access to Company PIIPersonal Data, to train such individuals employees and contractors on all applicable Privacy Requirements aspects of the Information Security Program, and to ensure that subject all such employees, representatives, consultants, employees and contractors and agents with the right authority and/or ability to access such Company PII are under written data to obligations of confidentiality with respect to such Company PIIdata. (ciii) To The Company and the knowledge Subsidiary have not received notice of and, to the Company’s knowledge, there have been is no unauthorized circumstance (including any circumstance arising as a result of an audit or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements inspection carried out by any thirdGovernmental Entity) that would reasonably be expected to give rise to, any Legal Proceeding, Order, notice, communication, warrant, regulatory opinion, audit result or allegation from a Governmental Entity or any other Person (including an end user): (A) alleging or confirming non-party compliance with a relevant requirement of Company Privacy Commitments, (B) other than data supplierssubject requests, vendors requiring or other partners that Process any Company PII or other Personally Identifiable Information on behalf of requesting the Company or its Subsidiariesthe Subsidiary to amend, rectify, cease Processing, de-combine, permanently anonymize, block or delete any Personal Data, (C) permitting or mandating relevant Governmental Entities to investigate, requisition information from, or enter the premises of, the Company or the Subsidiary or (D) claiming compensation or damages from the Company or the Subsidiary. Neither the Company nor the Subsidiary has been involved in any Legal Proceedings involving non-compliance or alleged non-compliance with Company Privacy Commitments. (iv) No security incident, including malware, ransomware, virus, compromise of credentials, denial-of-service attack, unauthorized intrusion, violation of any data security policy, breach, or unauthorized access in relation to Personal Data, involving the Company (a “Security Incident”) has occurred, nor has a Security Incident been threatened against the Company. No circumstances have circumstance has arisen in which the which: (A) Applicable Laws (including Privacy Requirements Laws) or Company Personal Data Agreements would require the Company or the Subsidiary to notify a Governmental Entity or any other Person of a Security Incident or (B) applicable guidance or codes or practice promulgated under Applicable Laws (including Privacy Laws) or Company Personal Data Agreements would recommend the Company or its Subsidiaries the Subsidiary to notify a Governmental Entity or any Governmental Authority other Person of any a Security Incident. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (ai) The Each Acquired Company’s and the Foundation’s data, privacy and security practices conform, and at all times have conformed, to all of the Company Privacy Commitments, Privacy Laws and Company Data Agreements. Each Acquired Company and its Subsidiaries have developedthe Foundation has at all times: (A) had the legal basis (including providing adequate notice and obtaining any necessary consents from individuals) required for the Processing of Personal Data as conducted by or for the Acquired Companies or the Foundation, implemented (B) refrained from selling or sharing Personal Data with third parties for the third party’s benefit except as allowed under Applicable Law and maintained a written data protectionCompany Data Agreements, data (C) abided by any privacy choices, (including opt-in and cybersecurity program opt-out preferences, as required), of individuals relating to Personal Data and (D) had Privacy Laws compliant records in place (such obligations along with those contained in Company Privacy Policies, collectively, “Company Privacy Commitments”). Neither the “execution, delivery and performance of this Agreement nor the taking over by Parent of all of the Company Databases, Company Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1other information relating to each Acquired Company’s end users, 2018employees, no Person has broughtvendors or clients, or threatened any other category of individuals, will cause, constitute or result in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident a breach or violation or breach of any Privacy Requirement. (b) Since January 1Laws, 2018Company Privacy Commitments or Company Data Agreements or any standard terms of service entered into by any Acquired Company with individuals the Personal Data of whom is Processed by each of the Acquired Companies and the Foundation and their Data Processors. Copies of all current and prior Company Privacy Policies have been Made Available to Parent and such copies are true, the Company correct and its Subsidiaries have at all times complied complete. The Company’s privacy and security practices comply in all material respects with all Applicable Law. (ii) The Acquired Companies and, to the extent required by Applicable Law, the Foundation have established and maintain appropriate technical, physical and organizational measures and security systems and technologies in material compliance with applicable data security requirements under Privacy Requirements with respect Laws, Company Data Agreements and Company Privacy Commitments that are designed to protect Company Data against accidental or unlawful Processing in a manner appropriate to the risks represented by the Processing of Personally Identifiable Information such data by each Acquired Company and other datathe Foundation and their respective Data Processors. The Company Acquired Companies and its Subsidiaries are not the Foundation, and since January 1to the Company’s knowledge, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries the Company’s Data Processors have taken commercially reasonable steps to ensure the reliability of their respective employees, representatives, consultants, vendors and contractors and agents that who have access to Company PII, to train such individuals on all applicable Privacy Requirements Data and to ensure that all such employees, representatives, consultants, contractors and agents vendors with the right authority and/or ability to access such Company PII data are under written obligations of confidentiality (or are bound by an appropriate statutory obligation of confidentiality) and data processing with respect to such data in accordance with the Company PIIPrivacy Commitments. (ciii) To No Acquired Company nor the knowledge Foundation has received or experienced and, there is no circumstance (including any circumstance arising as a result of an audit or inspection carried out by any Governmental Body), that would give rise to, any Action, Order, notice, communication, requests from data subjects, warrant, regulatory opinion, audit result or allegation from a Governmental Body or any other Person (including an end user): (A) alleging or confirming non-compliance with a requirement of Privacy Laws, Company Data Agreements or Company Privacy Commitments, (B) requiring or requesting any Acquired Company or the Foundation to amend, rectify, cease Processing, de-combine, permanently anonymize, block or delete any Company Data, (C) permitting or mandating Governmental Bodies to investigate, requisition information from, or enter the premises of, any Acquired Company or the Foundation or (D) claiming compensation from any Acquired Company or the Foundation. Each of the CompanyAcquired Companies and the Foundation has responded to, and continues to promptly respond to requests from individuals or other third parties on their behalf, and there have been are no unauthorized requests from individuals or illegal Processingother third parties to the Acquired Companies seeking to exercise any data protection or privacy rights (such as rights to access, rectify, or other breachdelete Personal Data, violation to restrict or default (object to processing of Personal Data, or event that, with relating to data portability) that have not been addressed or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiariesresponded to. No circumstances have arisen Acquired Company nor the Foundation has been involved in which the any Actions involving non-compliance or alleged non-compliance with Privacy Requirements would require Laws, Company Data Agreements or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentPrivacy Commitments. (div) The Schedule 3.11(u)(iv) of the Disclosure Schedule contains the complete list of notifications and registrations made by each Acquired Company and the Foundation under Privacy Laws with relevant Governmental Bodies in connection with the Acquired Companies’ and the Foundations’ Processing of Personal Data. All such notifications and registrations are valid, accurate, complete and fully paid up, and the consummation of transactions contemplated by this Agreement the Transactions will not breach invalidate such notification or registration or require such notification or registration to be amended. Other than the notifications and registrations set forth on Schedule 3.11(u)(iv) of the Disclosure Schedule, no other registrations or notifications are required in connection with the Processing of Personal Data by the Acquired Companies and the Foundation. The Acquired Companies and the Foundation do not Process the Personal Data of or target advertisements to any Privacy Requirementnatural Person considered a child or minor under Applicable Law. Except as set forth on Schedule 3.11(u)(iv) of the Disclosure Schedule, none of the Acquired Companies or the Foundation sells Personal Data or disclose Sensitive Data or Tracking Data to third parties.

Data Privacy and Security. (a) The Company and each of its Subsidiaries has implemented commercially reasonable administrative and technical safeguards designed to protect the integrity, security and confidentiality of Personal Information stored in the IT Systems. Except as would not, individually or in the aggregate, reasonably be expected to have developeda Company Material Adverse Effect, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since since January 1, 20182022: (i) there have been no failures, no Person has brought, breakdowns or threatened in writing other adverse events materially affecting any such IT Systems that have caused a material disruption or interruption to bring, any Action against the conduct of the business of the Company or any of its Subsidiaries in relation to as presently conducted, and (ii) there have not been any actual incidents of unauthorized access or alleged Security Incident or violation or breach other security breaches of any Privacy Requirementthe IT Systems. (b) Since January 1, 2018, the The Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect each Subsidiary has implemented and maintained commercially reasonable and appropriate technical and organizational safeguards designed to the Processing of Personally Identifiable protect Personal Information and other data. The Company confidential data in its possession or under its control against loss, theft, misuse or unauthorized access, use, modification, alteration, destruction or disclosure and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The the Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents require that have any third party with access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, there have been no unauthorized Personal Information collected by or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiariesany Subsidiary has implemented and maintained the same. No circumstances have arisen in which To the Privacy Requirements would require or recommend Company’s Knowledge, any third party that has provided Personal Information to the Company or its Subsidiaries any Subsidiary has done so in compliance with applicable Data Protection Laws, including providing any notice and obtaining any consent required by applicable Data Protection Laws. (c) The Company and each Subsidiary is, and has been, in compliance with applicable Data Protection Requirements, except for any noncompliance that would not, individually or in the aggregate, reasonably be expected to notify have a Company Material Adverse Effect. Except as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect, there have been no breaches, violations, outages, security incidents, unauthorized uses, transfer, destruction, disclosures, losses, thefts, ▇▇▇▇▇▇ demands, alterations of or access to Personal Information maintained by, to the Knowledge of the Company, or on behalf of the Company or any Subsidiary that would require notification of individuals, law enforcement or any Governmental Authority under any applicable Data Protection Law. Neither the Company nor any Subsidiary has received written notice of any Security Incidentclaim or investigation or any other written communication (including from any Governmental Authority) that alleges that the Company or any Subsidiary is not in compliance with any Data Protection Laws, except as would not reasonably be expected to be material to the Company, taken as a whole. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in compliance in all material compliance respects with all Privacy Requirements. The To the knowledge of the Company, the Company and its Subsidiaries have not experienced any Security Incident that (i) was material Security Incidentor (ii) otherwise in respect of which the Privacy Requirements would require or recommend the Company or its Subsidiaries notify any Person or Governmental Authority, except as would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. Since January 1, 2018, no Person has broughtclaimed any compensation or damages from the Company or any of its Subsidiaries, or has brought or, to the knowledge of the Company, threatened in writing to bring, bring any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation otherwise for or arising as a result of any actual or alleged violation, breach or other non-compliance with or of any Privacy RequirementRequirement in each instance that would reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. (b) Since January 1, 2018, the The Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data, including (i) providing adequate notice and obtaining any necessary consents from customers required for the Processing of the Company PII as conducted by or on behalf of the Company or any of its Subsidiaries and (ii) abiding by any privacy choices (including opt-outs, do-not-calls or similar choices) of end users relating to Personally Identifiable Information. The Company and its Subsidiaries are not not, and since January 1, 2018, have not been been, subject to a Governmental Order of, or have received a written notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII, in each case in all material respects. (c) To the knowledge of the Company, each of the Company’s and its Subsidiaries’ third-party data suppliers, vendors, and partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries are in compliance in all material respects with the Privacy Requirements and there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) by any such supplier, vendor or other partner of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentRequirements. (d) The To the knowledge of the Company, the consummation of the transactions contemplated by this Agreement will not breach any Privacy RequirementRequirements in any material respect.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that 4.12.1 Each Seller is in material compliance, and since January 1, 2022, has at all times been in material compliance, with all applicable Privacy and Data Security Requirements. Sellers have at all times obtained all rights, consents and licenses necessary to Process Personal Data in the manner it has been Processed, is now Processed and as proposed to be Processed in the Business by any Person on their behalf. 4.12.2 Sellers have at all times maintained, and presently maintain, reasonable backup, security and disaster recovery plans, in each case, using commercially reasonable efforts no less than industry-standard and in compliance with all applicable Privacy Requirements. The Company and its Subsidiaries have not experienced any material Data Security IncidentRequirements for the Business-Utilized IT Systems. Since January 1, 20182022, to Sellers’ Knowledge, there have been (i) no Person unauthorized access to or unauthorized use of any Business-Utilized IT Systems and (ii) no unauthorized intrusions or breaches of security with respect to any Business-Utilized IT Systems. 4.12.3 Neither Seller has broughtreceived any subpoenas, demands, or threatened in writing to bringother written notices from any Governmental Body investigating, any Action against the Company inquiring into, or any of its Subsidiaries in relation otherwise relating to any actual or alleged Security Incident or potential violation or breach of any Privacy Requirement. and Data Security Requirements, and neither Seller is under investigation by any Governmental Body for any actual or potential violation of any Privacy and Data Security Requirements. No Person (bincluding any Governmental Body) has commenced any Action nor has any written notice or enforcement Action of any kind been served on, or initiated against, either Seller under any applicable Privacy and Data Security Requirements or with respect to loss, damage or unauthorized access, use or modification of any Personal Data by or on behalf of either Seller and, to Sellers’ Knowledge, there are no facts or circumstances that could form the basis for any such claim. Since January 1, 20182022, the Company there have been no, and its Subsidiaries have at all times complied there are currently no pending or, to Sellers’ Knowledge, threatened, fines or other penalties facing either Seller in all material respects connection with all Privacy Requirements any disclosure of Personal Data with respect to the Processing operation of Personally Identifiable Information the Business or a violation of any applicable Privacy and other dataData Security Requirements. 4.12.4 To the extent Sellers use Personal Data as part of developing, training, operating or maintaining internal or third-party Artificial Intelligence Tools, a record is maintained of what data is being used and has been used for these purposes. The Company Sellers use and its Subsidiaries have used commercially reasonable efforts (including, at a minimum, by conducting regular audits) to ensure (i) Sellers have sufficient rights in all data Processed by Sellers’ Artificial Intelligence Tools and (ii) Sellers’ Artificial Intelligence Tools operate as intended, in compliance with all applicable Laws and are not and reasonably likely to harm or disparage Sellers or the reputation or goodwill of Sellers. Sellers’ use of Artificial Intelligence Tools does not and, since January 1, 20182022, have not been subject to a Governmental Order ofhas not, resulted in the unauthorized disclosure to, or have received a notice fromaccess by, a Governmental Authority regarding actual or alleged non-compliance with or violation any third party of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability Personal Data in possession of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PIISellers. (c) To the knowledge of the Company, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security Incident. (d) 4.12.5 The consummation of the transactions contemplated by this Agreement as well as any subsequent use of Personal Data in a substantially similar manner to how such Personal Data is used by Sellers in connection with the Business immediately prior to the Closing will not breach or otherwise cause any violation of any Privacy Requirementand Data Security Requirements.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, each of the Company’s and its Subsidiaries’ third-party data suppliers, vendors, and partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries are in compliance in all material respects with the Privacy Requirements and there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) by any such supplier, vendor or other partner of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its SubsidiariesRequirements. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security Incident. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company Transferor and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times complied comply in all material respects with all Privacy Requirements applicable Laws that govern the collection, use, processing, disclosure and protection of personally identifiable information (“PII”) (“Data Protection Laws”). The Transferred Business has in place, and operates in accordance with, reasonable procedures to comply with any Data Protection Laws applicable to the Transferred Business. As it relates to the Transferred Business, all arrangements made for the outsourcing to any third party of the processing of PII, or the international transfer of any PII, comply in all material respects with applicable Data Protection Laws. (b) In the preceding three (3) years, Transferor and its Subsidiaries, with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018Transferred Business, have not been subject to publicly posted a Governmental Order ofprivacy policy that conforms with Data Protection Laws and fairly and accurately describes, or have received a notice fromin all material respects, a Governmental Authority regarding the actual or alleged non-compliance with or violation practices of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality Transferred Business with respect to the collection, retention, use and disclosure of PII. Transferor has delivered or made available to Buyer true, complete, and correct copies of all such Company PIIprivacy policies in effect during the preceding three (3) years. (c) To During the knowledge preceding three (3) years, neither the Transferred Business nor Transferor or any of the Company, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries with respect to the Transferred Business has suffered any personal data breach that would require, under Data Protection Laws, Transferor or any of its Subsidiaries with respect to the Transferred Business to notify individuals whose information was compromised in that breach or any Governmental Authority of any Security Incidentregulatory agency. (d) The consummation During the preceding three (3) years, neither the Transferred Business nor Transferor or any of transactions contemplated its Subsidiaries with respect to the Transferred Business has received any written notices or any other communications from any Governmental Authority: (i) alleging material non-compliance with any Data Protection Laws; or (ii) notifying Transferor or any of its Subsidiaries with respect to the Transferred Business of any material regulatory investigation by this Agreement will not breach a Governmental Authority regarding Transferor or any Privacy Requirementof its Subsidiaries’ use with respect to the Transferred Business, of PII or non-compliance with Data Protection Laws, and to the Knowledge of Transferor, there are no circumstances as of the date hereof likely to give rise to any such notices or communications. (e) Transferor and its Subsidiaries take all commercially reasonable steps to protect the confidentiality, integrity and security of PII processed by the Transferred Business against any unauthorized or improper use, access, transmittal, interruption, modification or corruption.

Data Privacy and Security. (ai) The Company and each of its Subsidiaries complies, and during the past two (2) years has complied, with all Privacy and Information Security Requirements. Neither the Company nor any of its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is been notified in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has broughtwriting of, or threatened in writing to bringis the subject of, any Action against complaint, regulatory investigation or proceeding related to Processing of Personal Data by any third party, Governmental Entity, regarding any violations of any Privacy and Information Security Requirement by or with respect to the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy RequirementSubsidiaries. (bii) Since January 1, 2018, the The Company and each of its Subsidiaries have at all times complied employs commercially reasonable organizational, administrative, physical and technical safeguards that comply in all material respects with all Privacy and Information Security Requirements to protect Company Data within its custody or control and requires the same of all vendors under Contract with respect to the Processing of Personally Identifiable Information and other dataCompany that Process Company Data on its behalf. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation each of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps provided all requisite notices and obtained all required consents, and satisfied all other requirements (including but not limited to ensure notification to applicable Governmental Entities), necessary for the reliability Processing (including international and onward transfer) of their employees, representatives, consultants, contractors all Personal Data in connection with the conduct of the business as currently conducted and agents that have access to in connection with the consummation of the transactions contemplated hereunder. (iii) Neither the Company PIInor any of its Subsidiaries, to train such individuals on all applicable Privacy Requirements and to ensure that all such employeesthe Company's knowledge, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality has suffered a security breach with respect to such Company PII. (c) To the knowledge any of the Company Data and, to the Company's knowledge, there have has been no unauthorized or illegal Processinguse of, access or disclosure to, or unavailability of any Company Data. Neither the Company nor any of its Subsidiaries has notified, or been required to notify, any Person of any information security breach or other incident involving Personal Data. To the Company's knowledge, the Company Systems have had no material errors or defects that have not been fully remedied and contain no code designed to disrupt, disable, harm, distort, or otherwise impede in any manner the legitimate operation of such Company Systems (including what are sometimes referred to as "viruses," "worms," "time bombs," or "back doors") that have not been removed or fully remedied. Neither it nor any of its Subsidiaries, have experienced any disruption to, or interruption in, the conduct of its business that effected the business for more than one calendar week, and attributable to a defect, bug, breakdown, unauthorized access, introduction of a virus or other malicious programming, or other breach, violation failure or default (or event that, with or without deficiency on the giving of notice or lapse of time, would constitute a breach, violation or default) part of any Privacy Requirements by any third-party data suppliers, vendors computer Software or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentSystems. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) Program that is materially in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no No Person has brought, or threatened in writing to bringthe knowledge of the Company, otherwise threatened, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the The Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data, and have taken commercially reasonable steps designed to ensure that such Personally Identifiable Information and other data is protected against loss and against unauthorized access, use, modification, disclosure or other misuse, to which there has been no unauthorized access to or other misuse. The Neither the Company and nor any of its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental an Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and designed to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge Each of the Company’s and its Subsidiaries’ third-party data suppliers, vendors, and partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company and its Subsidiaries are in compliance in all material respects with the Privacy Requirements and there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) by any such supplier, vendor or other partner of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its SubsidiariesRequirements. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security Incident. (d) The Company and its Subsidiaries have not used any data derived or aggregated from any Personally Identifiable Information received from or otherwise Processed on behalf of any Person in any way that would constitute a breach, violation or default of any Contract to which the Company or its Subsidiaries, as the case may be, is bound. (e) The consummation of transactions contemplated by this Agreement and the other Transaction Documents will not breach or otherwise cause any violation of any Privacy Requirement.

Data Privacy and Security. (a) Except as disclosed to the Purchaser in writing (including email) prior to the date hereof or in the Company Public Documents, the Company Entities currently comply and have complied at all times with applicable Company Privacy Policies and the Privacy Requirements in all material respects. The Company and its Subsidiaries Entities have developed, implemented established and maintained a written data protectioncommercially reasonable Information Security Program, data privacy and cybersecurity program (there have been no material violations of the “Data Protection Information Security Program”) that is in material compliance with all Privacy Requirements. The Company Entities have (i) assessed and its Subsidiaries have not experienced any tested the Information Security Program on a no less than annual basis, (ii) remediated all critical, high and medium risks and vulnerabilities, and (iii) the Information Security Program has proven sufficient and compliant with Privacy Requirements in all material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirementrespects. (b) Since January 1Except as disclosed to the Purchaser in writing (email included) prior to the date hereof or would not reasonably be expected to be material, 2018, (i) the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect Entities and, to the Processing Knowledge of Personally Identifiable Information and other data. The Company and its Subsidiaries are the Company, their Data Processors have not and since January 1, 2018suffered a Security Incident, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries required to notify any Person or Governmental Authority of any Security Incident. , and have not been adversely affected by any Malicious Code, ransomware or malware attacks, or denial-of-service attacks on any IT Systems; (dii) The consummation neither the Company Entities nor any third party acting at the direction or authorization of transactions contemplated by this Agreement will the Company Entities have paid any perpetrator of any actual or threatened Security Incident or cyber attack, including, but not breach limited to a ransomware attack or a denial-of-service attack; (iii) the Company Entities have not received a written notice (including any enforcement notice), letter, or complaint from a Governmental Authority or any Person alleging noncompliance or potential noncompliance with any Privacy RequirementRequirements or Company Privacy Policies and has not been subject to any actions, suits, demands, orders or proceedings relating to noncompliance or potential noncompliance with Privacy Requirements or the Company Entities’ Processing of Personal Data; and (iv) the Company Entities are not in breach or default of any Contracts relating to the IT Systems or to Company Data and does not transfer Personal Data internationally except where such transfers comply with Privacy Requirements and Company Privacy Policies.

Data Privacy and Security. (a) The To the Knowledge of the Company, the Company and its Subsidiaries have developedall Processing of Personal Information by or on behalf of the Company, implemented is and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is has at all times been in compliance in all material compliance respects with all Privacy Data Requirements. The Company and its Subsidiaries have has not experienced received any material Security Incidentwritten communication regarding any actual or suspected violation of any Data Requirements. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any No Action against the Company Company, or any audit or other investigation of its Subsidiaries in relation the Company, by any Governmental Entity under any Data Requirements has occurred, is pending or, to any actual or alleged Security Incident or violation or breach of any Privacy Requirementthe Company’s Knowledge, is threatened. (b) Except as set forth on Disclosure Schedule 2.24(b), the Company has established and has at all times maintained and, to the Knowledge of the Company, complied in all material respects with all policies regarding the confidentiality, nondisclosure, privacy, and security of all data and information Processed by or on behalf of the Company (“Company Data”) as required by all Data Requirements. The Company has obtained all applicable consents, permissions and authorizations required by all Data Requirements with respect to all Company Data and the Processing thereof. Without limiting the foregoing, the Company has entered into a valid and enforceable business associate agreement (as defined under HIPAA) with its Affiliated Practices, as applicable. To the Knowledge of the Company, the Company has entered into such other Contract as may be required under any Data Requirements in all instances in which the Company has processed Personal Information of, for, or on behalf of any Person, and in all instances in which any Person has processed Personal Information for or on behalf of the Company, that in each instance, to the Knowledge of the Company, complies with all Data Requirements. (c) Since January 1, 2018, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect has not notified, and, to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge Knowledge of the Company, there have been no unauthorized facts or illegal Processingcircumstances that would require the Company to notify, any Governmental Entity or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority Person of any Security Incident. (d) Following the Closing, the Company will retain and have all consents, permissions and authorizations necessary to Process all Company Data in the same manner and to the same extent the Company Data was Processed by and on behalf of Company prior to the Closing. The consummation of transactions contemplated by this Agreement Transactions will not cause, constitute, or result in a breach or violation of any Privacy Requirementapplicable Data Requirements.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times since May 1, 2017 (and, to the Seller’s Knowledge, prior to May 1, 2017) complied in all material respects with all applicable Data Security Requirements, Privacy Requirements with respect Policies, and Privacy Agreements relating to data protection and the collection, use or transfer of Personal Information, and no written claims have been asserted or, to the Processing Knowledge of Personally Identifiable Information the Company, threatened against the Company by any Person alleging a violation of Data Security Requirements concerning such Person’s Personal Information. (b) The Company has provided copies of all written website Privacy Policies and other datamaterial Privacy Agreements to Buyer, which comply in all material respects with all Data Security Requirements. The Company and its Subsidiaries are not and since January 1has agreements in place with vendors, 2018business partners, have not been subject affiliates or other Persons that provide services to a Governmental Order ofthe Company that involve the collection, protection, storage, processing, use or have received a notice fromdisclosure of Personal Information, a Governmental Authority regarding actual or alleged non-compliance which comply with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Data Security Requirements, Privacy Requirements Policies, and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PIIPrivacy Agreements. (c) To The Company has implemented commercially reasonable, physical, technical and administrative safeguards that comply with applicable Data Security Requirements, Privacy Policies, and Privacy Agreements and that provide reasonable protection to Personal Information in the knowledge Company’s possession or control from unintended loss or destruction, unauthorized modification and unauthorized access. Since May 1, 2017 (and, to the Seller’s Knowledge, prior to May 1, 2017), the Company has received no written notice of any claims, charges or complaints against the Company by any Governmental Authority, data protection authority, or Person alleging a violation of any Data Security Requirements. Since May 1, 2017 (and, to the Seller’s Knowledge, prior to May 1, 2017), neither the Company, there have been no unauthorized or illegal Processingnor, or other breachto Sellers’ Knowledge, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information Person acting on behalf of the Company providing services related to Personal Information has been subject to any data breach of Company Personal Information or its Subsidiaries. No circumstances have arisen other security incident that has resulted in which the Privacy Requirements would require unauthorized access of Personal Information, or recommend the Company unauthorized acquisition, destruction, damage, disclosure, loss, corruption, alteration, or its Subsidiaries to notify any Governmental Authority use of any Security IncidentPersonal Information. (d) The Company (i) maintains commercially reasonable backup and data recovery, disaster recovery, and business continuity plans, procedures, and facilities; (ii) acts in compliance therewith; and (iii) tests such plans and procedures on a regular basis, and such plans and procedures meet the Data Security Requirements in all material respects upon such testing, or have been appropriately remediated and proven effective in all material respects upon testing after the applicable remediation. The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirementviolate Data Security Requirements.

Data Privacy and Security. Except as has not had, and would not reasonably be expected to have, a Company Material Adverse Effect: (a) The Company and its Subsidiaries and their respective officers and employees are, and since January 1, 2023, have developedbeen, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all applicable Privacy RequirementsCommitments. To the Knowledge of the Company, all Personal Information and Company Information collected, processed, transferred, disclosed, shared, stored, protected or used by the Company or its Subsidiaries, or shared with a third party, in connection with the operation of their respective businesses is, and since January 1, 2023, has been, collected, processed, transferred, disclosed, shared, stored, protected and used by the Company, its Subsidiaries or third parties acting on their behalf in accordance with all applicable Privacy Commitments. To the Knowledge of the Company, the Company and its Subsidiaries are not, and since January 1, 2023, have not been, (i) under audit or investigation by any Governmental Authority regarding the Company’s compliance with applicable Privacy Commitments or (ii) subject to any third-party notification, claim, demand, audit or action in relation to the Company’s collection, processing, transfer, disclosure, sharing, storing, security and use of Personal Information or Company Information. (b) The Company and its Subsidiaries (i) have implemented and maintain commercially reasonable technical, physical, and organizational measures intended to protect against and identify anticipated threats or hazards to, the security, confidentiality, integrity and availability of Personal Information, Company Information and Systems, including commercially reasonable incident response plan and backup procedures, and (ii) have commercially reasonable procedures in place to remediate (x) Information Security Incidents and (y) audit or security assessment findings deemed to be a material, critical or high risk to the effectiveness of the foregoing. (c) To the Knowledge of the Company, since January 1, 2023, the Company and its Subsidiaries have not experienced any material Information Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against Incident involving the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the third parties that process Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have To the Knowledge of the Company, since January 1, 2023, no circumstance has arisen in which the applicable Privacy Requirements Laws would require or recommend the Company or its Subsidiaries to notify any a person or Governmental Authority of any Security Incidenta “breach of security” (or similar term such as “security breach”) as defined by applicable Privacy Laws. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”Except as set forth in Section 3.15(a) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against of the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018Disclosure Schedule, the Company and its Subsidiaries Acquired Companies, have at all times complied complied, and are currently in compliance, in all material respects with all Applicable Laws, public-facing policies, and procedures established by the Acquired Companies, and all restrictions and requirements contained in any Contract to which any of the Acquired Companies is bound, in each case, relating to (i) the privacy of the users of the products and services of the business of the Acquired Companies as currently conducted or (ii) the privacy, collection, maintenance, use, sale, storage, protection, retention, deletion, sharing, transfer or other processing of any Personally Identifiable Information (such requirements, the “Data Privacy Requirements Obligations”). (b) Except as set forth in Section 3.15(b) of the Company Disclosure Schedule, none of the Acquired Companies has been subject to any material security breaches with respect to any Personally Identifiable Information or any confidential information of the Processing Acquired Companies or the business thereof. (c) The Acquired Companies, have taken all commercially reasonable actions, and implemented policies and procedures, to protect and maintain the security of all Personally Identifiable Information and confidential information of any of the Acquired Companies, including protecting such information from any unauthorized access, disclosure, corruption, modification or other datamisuse. The No Acquired Company and its Subsidiaries are not and since January 1, 2018, have not is or has been subject to a Governmental an Order of, or have has received a notice from, a Governmental Authority, and there have been no complaints or notices, investigations or other proceedings asserted by any Person or any Governmental Authority regarding with respect to the Acquired Companies’ actual or alleged non-compliance with or violation of any Data Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps Obligations or in relation to ensure the reliability Acquired Companies’ loss of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, there have been no or unauthorized or illegal Processing, or other breach, violation or default (or event thatthe alleged loss of or unauthorized) use, with disclosure or without the giving transfer of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentInformation. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and each of its Subsidiaries have developedhave, implemented and maintained a written data protectionat all times, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance materially complied with all each Privacy RequirementsLegal Requirement. The Company and each of its Subsidiaries has adopted Privacy Policies and materially complied with such Privacy Policies. True, correct and complete copies of all written Privacy Policies have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, been made available to Parent. (b) With respect to all Personal Data gathered or threatened accessed in writing to bring, any Action against the course of the operation of the businesses of the Company or any of its Subsidiaries in relation Subsidiaries, the Company and each such Subsidiary have taken reasonable measures designed to any actual protect such data against loss, theft, unauthorized access, unauthorized disclosure or alleged Security Incident unlawful Processing, or violation other misuse. To the Knowledge of the Company, the Company has resolved or breach of any Privacy Requirementtaken commercially reasonable steps to mitigate material security vulnerabilities and risks relating to privacy, cybersecurity, or data protection. (bc) Since January 1, 20182021, there have not been any material Security Incidents or material breaches involving the Company, its Subsidiaries, agents, or employees or, to the Knowledge of the Company, any of its or their respective contractors relating to any Personal Data in its possession or control. There have not been any material incidents of or third-party claims alleging any failure, Security Incidents, or any unauthorized intrusions or breaches, of security with respect to the information technology systems owned or controlled by the Company or any of its Subsidiaries. (d) The Company and its Subsidiaries routinely engage in due diligence of vendors and business partners, including the adequacy of their written information security programs, before allowing them to access, receive or Process Sensitive Data, and impose contractual obligations and duties under Privacy Legal Requirements regarding Sensitive Data. (e) Since January 1, 2021, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been the subject to a Governmental Order ofof any audit, investigation, enforcement action (including any fines or have received a notice fromother sanctions) or other Action relating to, a Governmental Authority regarding actual any actual, alleged or alleged non-compliance with suspected Security Incident or violation of any of the Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure Legal Requirements, the reliability of their employeesPrivacy Agreements or otherwise by any Person, representativesincluding the U.S. Federal Trade Commission, consultantsany similar foreign bodies, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PIIor any other Governmental Entity. (cf) To the knowledge Knowledge of the Company, there have been no unauthorized neither the execution, delivery or illegal Processingperformance of this Agreement nor the consummation of any of the Transactions will violate any Privacy Legal Requirements or otherwise prohibit, or other breach, violation or default (or event that, with or without require the giving of notice or lapse of time, would constitute a breach, violation or default) delivery of any Privacy Requirements by notice to or obtaining consent from any third-party data suppliersPerson for, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf the transfer of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries Sensitive Data to notify any Governmental Authority of any Security IncidentMerger Sub. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and its Subsidiaries have developeddata, implemented and maintained a written data protection, data privacy and cybersecurity program security practices of Acquired Companies’ and their Subsidiaries’ and their Processing of Personal Data (the “Data Protection Program”if any) that is in material compliance with all Privacy Requirements. The Company have complied, and its Subsidiaries have not experienced any material Security Incident. Since January 1do comply, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times complied in all material respects with all applicable Privacy Requirements with respect to Commitments. To the Processing Knowledge of Personally Identifiable Information the Seller, the execution, delivery and other data. The Company performance of this Agreement and its Subsidiaries are the transactions contemplated herein will not and since January 1cause, 2018, have not been subject to constitute or result in a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with material breach or violation of any applicable Privacy Requirement. Commitments of the Acquired Companies and their Subsidiaries and, following the Closing Date, the Acquired Companies and their Subsidiaries will continue to be permitted to Process all Personal Data held by the Acquired Companies or their Subsidiaries on terms substantially similar to those in effect as of the date of this Agreement and to the same extent the Acquired Companies and their Subsidiaries would have been able to had the Transactions not occurred. (b) The Company Acquired Companies and its their Subsidiaries have taken commercially maintain reasonable steps technical, physical and organizational measures and safeguards to ensure prevent the reliability unlawful Processing of Personal Data and unauthorized access, accidental loss or destruction of or damage to Personal Data in their employeesrespective possession or control, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on which measures are in material compliance with all applicable data security requirements under the Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PIILaws). (c) To the knowledge of the CompanyThe Acquired Companies and their Subsidiaries have at all times presented a privacy policy which complies, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event thatin all material respects, with or without Privacy Laws to data subjects prior to the giving of notice or lapse of time, would constitute a breach, violation or default) collection of any Privacy Requirements by any third-party data suppliersPersonal Data, vendors and, to the Knowledge of Seller, no such privacy policy is or other partners that Process any Company PII has been inaccurate, misleading or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security Incidentdeceptive. (d) The consummation Acquired Companies or their Subsidiaries do not sell, rent or otherwise make available to any Person any Personal Data, except in a manner that complies in all material respects with the applicable Privacy Commitments. To the Knowledge of transactions contemplated by this Agreement will not breach the Seller, none of the Acquired Companies nor any of their respective Subsidiaries have transferred or permitted the transfer of Personal Data originating in the EEA or UK outside the EEA or UK, except where such transfers have materially complied with the requirements of Privacy Laws and the Acquired Companies’ or their Subsidiaries’ Privacy Policies. (e) Neither the Acquired Companies nor any of their Subsidiaries has received any notice of any Legal Proceeding, Order, regulatory opinion, audit result or other allegation from a Governmental Entity or any other Person in the last six (6) years: (i) alleging or confirming non-compliance with a relevant requirement of any Privacy RequirementCommitments by any Acquired Company or any of its Subsidiaries; or (ii) giving notice of any Governmental Entity’s investigation, requisition of information from, or intention to enter the premises of, the Acquired Companies or any of their Subsidiaries in connection with any of the foregoing.

Data Privacy and Security. The Company and each of its Subsidiaries is, and during the three (a3) The years immediately prior to the date hereof has been, in compliance in all material respects with (i) all applicable Information Privacy and Security Laws, (ii) all Contracts or terms of use to which it is a party or otherwise apply to the Company or a Subsidiary relating to data privacy, data use, data protection and data security, including with respect to the collection, storage, transmission, transfer (including cross-border transfers), disclosure, destruction, amendment and use of, and individual access to, Personal Information, and (iii) the Payment Card Industry Data Security Standard (PCI-DSS). Each of the Company and its Subsidiaries have developedhas adopted and published privacy notices and policies to any website, implemented mobile application or other electronic platform and maintained a written data protection, data privacy complied with those notices and cybersecurity program (policies. Each of the “Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced has all necessary authority, consents and authorizations to receive, access, use and disclose the Personal Information in each of the Company’s or any material Security IncidentSubsidiary’s possession or under its control in connection with the operation of the Business. Since January 1Each of the Company and its Subsidiaries has implemented and maintains reasonable administrative, 2018technical and physical safeguards to ensure that Personal Information is protected against loss, no Person has broughtdamage and unauthorized access, use, modification, or threatened in writing other misuse. During the three (3) years immediately prior to bringthe date hereof, there has been no loss, damage or unauthorized access, use, disclosure, modification, or other misuse of any Action against Personal Information maintained by or on behalf of the Company or any of its Subsidiaries, including any loss, damage or unauthorized access, use or disclosure for which the Company or any of its Subsidiaries in relation is required under applicable Laws to notify a Person. No Person (including any actual Governmental Authority) has provided any notice, made any Claim or, to the Company’s knowledge, commenced any investigation, litigation or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements proceeding with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1loss, 2018damage or unauthorized access, have not been subject to a Governmental Order ofuse, or have received a notice fromdisclosure, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, there have been no unauthorized or illegal Processingmodification, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) misuse of any Privacy Requirements Personal Information maintained by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or any of its Subsidiaries and, to notify the Company’s knowledge, there is no reasonable basis for any Governmental Authority such notice, Claim or investigation, litigation or proceeding. The (A) collection, storage, processing, transfer, sharing and destruction of any Security Incident. (d) The consummation of Personal Information in connection with the transactions contemplated by this Agreement will not breach and (B) execution, delivery and performance of this Agreement and the other agreements and instruments contemplated hereby and the consummation of the transactions contemplated hereby and thereby complies with the Company’s applicable privacy notices and policies and with all applicable Information Privacy and Security Laws. The Company or one of its Subsidiaries, as applicable, has at all times made all disclosures to, and obtained any necessary consents and authorizations from, users, customers, employees, contractors and other applicable Persons required by applicable Information Privacy Requirementand Security Laws and has filed any required registrations with the applicable data protection authority, including any consents or authorizations necessary to operate the Business.

Data Privacy and Security. (ai) The Company Company, each of its subsidiaries and its Subsidiaries have developedeach Licensed Entity complies, implemented and maintained a written data protectionduring the past three years has complied, data privacy and cybersecurity program (the “Data Protection Program”) that is in all material compliance respects, with all Privacy and Information Security Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1None of the Company, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries subsidiaries, nor any Licensed Entity has been notified in relation writing of, or is the subject of, any complaint or proceeding or to the Company’s knowledge, any, regulatory investigation related to Processing of Personal Data by any Governmental Authority or payment card association, regarding any actual or alleged Security Incident or violation or breach possible violations of any Privacy Requirementand Information Security Requirement by or with respect to the Company, any of its subsidiaries or any Licensed Entity. (bii) Since January 1The Company, 2018each of its subsidiaries and each Licensed Entity employs commercially reasonable organizational, the Company administrative, physical and its Subsidiaries have at all times complied technical safeguards that comply in all material respects with all Privacy and Information Security Requirements to protect Company Data within its custody or control and requires the same of all vendors under contract with respect the Company that Process Company Data on its behalf. The Company, each of its subsidiaries and each Licensed Entity has provided all requisite notices and obtained all required consents, and satisfied all other requirements (including but not limited to notification to Governmental Authorities), necessary for the Processing (including international and onward transfer) of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents Personal Data in connection with the right to access such Company PII are under written obligations conduct of confidentiality the business as currently conducted and in connection with respect to such Company PIIthe consummation of the transactions contemplated hereunder. (ciii) To the knowledge of the Company, none of the Company, any of its subsidiaries nor any Licensed Entity has suffered a security breach with respect to any of the Company Data and to the Company’s knowledge, there have has been no unauthorized or illegal Processinguse of or access to any Company Data. None of the Company, any of its subsidiaries nor any Licensed Entity has notified, or been required to notify, any person of any information security breach involving Personal Data. To the Company’s knowledge, the Company Systems have had no material errors or defects that have not been fully remedied and contain no code designed to disrupt, disable, harm, distort or otherwise impede in any manner the legitimate operation of such Company Systems (including what are sometimes referred to as “viruses”, “worms”, “time bombs” or “back doors”) that have not been removed or fully remedied. None of the Company, any of its subsidiaries nor any Licensed Entity has experienced any material disruption to, or material interruption in, the conduct of its business that affected the business for more than one calendar week, and attributable to a defect, bug, breakdown, unauthorized access, introduction of a virus or other malicious programming, or other breach, violation failure or default (or event that, with or without deficiency on the giving of notice or lapse of time, would constitute a breach, violation or default) part of any Privacy Requirements by any third-party data suppliers, vendors computer software or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentSystems. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Since March 31, 2019, each Group Company has been in compliance with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between such Group Company and its Subsidiaries have developedother Persons relating to Personal Data and (ii) applicable written policies, implemented public statements and maintained a written data protectionother public representations relating to the Processing of Personal Data, data privacy inclusive of all disclosures required by applicable Privacy Laws (“Privacy and cybersecurity program (the Data Security Policies,” and together with Privacy Laws and such Contracts, “Data Protection ProgramPrivacy Commitments”) that is in material compliance with all Privacy Requirements). The Company execution, delivery and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against performance by the Company of this Agreement and the Ancillary Documents to which the Company is or any will be a party, and the consummation of its Subsidiaries the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in relation to any actual or alleged Security Incident or a violation or breach of any Privacy RequirementCommitments that would be materially adverse to the Group Companies, taken as a whole. (b) Since January 1March 31, 20182019, the Company Privacy and its Subsidiaries Data Security Policies have at all times complied been maintained and made available to individuals in all material respects accordance with all reasonable industry practices and as required by Privacy Requirements Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of each Group Company with respect to the Processing of Personally Identifiable Information Personal Data conform in all material respects to the Privacy and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents Data Security Policies that have access to Company PII, to train govern such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PIIPersonal Data. (c) There is (and in the prior three years there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental Entity, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Commitments. To the knowledge Company’s knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any Proceeding for any potential violation of any Privacy Commitments. (d) In the Companyprior three years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company (“Security Incident”), (ii) there have been no unauthorized intrusions or illegal Processingbreaches of security into any Company IT Systems, and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other breachunauthorized or unlawful access to, violation or default use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each Group Company has implemented commercially reasonable administrative, physical and technical safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data. (e) Each Group Company owns or event thathas a license or other right to use the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are (i) free from any defect, with bug, virus or without programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the giving operation of notice the Group Companies’ businesses (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or lapse of timein the aggregate, would constitute material to the Group Companies, taken as a breachwhole. In the prior three years, violation there have not been any material failures, breakdowns or default) continued substandard performance of any Privacy Requirements by any third-party data suppliers, vendors Company IT Systems that have caused a material failure or other partners that Process any Company PII or other Personally Identifiable Information on behalf disruption of the Company IT Systems other than routine failures or its Subsidiaries. No circumstances disruptions that have arisen been remediated in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority ordinary course of any Security Incidentbusiness. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. Except as has not had, and would not reasonably be expected to have, a Company Material Adverse Effect: (a) The Company and its Subsidiaries and their respective officers and employees are, and since January 1, 2021, have developedbeen, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all applicable Privacy RequirementsCommitments. To the Knowledge of the Company, all Personal Information collected, processed, transferred, disclosed, shared, stored, protected or used by the Company or its Subsidiaries, or shared with a third party, in connection with the operation of their respective businesses is, and since January 1, 2021, has been, collected, processed, transferred, disclosed, shared, stored, protected and used by the Company, its Subsidiaries or third parties acting on their behalf in accordance with all applicable Privacy Commitments. To the Knowledge of the Company, the Company and its Subsidiaries are not, and since January 1, 2021, have not been, (i) under audit or investigation by any Governmental Authority regarding the Company’s compliance with applicable Privacy Commitments or (ii) subject to any third-party notification, claim, demand, audit or action in relation to the Company’s collection, processing, transfer, disclosure, sharing, storing, security and use of Personal Information. (b) The Company and its Subsidiaries (i) have implemented and maintain commercially reasonable technical, physical, and organizational measures intended to protect against and identify anticipated threats or hazards to, the security, confidentiality, integrity and availability of Personal Information, Company Information and Systems, including a commercially reasonable incident response plan and backup procedures, and (ii) have commercially reasonable procedures in place to remediate (x) Information Security Incidents and (y) audit or security assessment findings deemed to be a material, critical or high risk to the effectiveness of the foregoing. (c) To the Knowledge of the Company, since January 1, 2021, the Company and its Subsidiaries have not experienced any material Information Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against Incident involving the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the third parties that process Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have To the Knowledge of the Company, since January 1, 2021, no circumstance has arisen in which the applicable Privacy Requirements Laws would require or recommend the Company or its Subsidiaries to notify any a person or Governmental Authority of any Security Incidenta “breach of security” (or similar term such as “security breach”) as defined by applicable Privacy Laws. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 20182017, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 20182017, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 20182017, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, each of the Company’s and its Subsidiaries’ third-party data suppliers, vendors, and partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries are in compliance in all material respects with the Privacy Requirements and there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) by any such supplier, vendor or other partner of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its SubsidiariesRequirements. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security Incident. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (Except as disclosed in the “Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018Commission Documents, the Company and its Subsidiaries have at all times since the Business Combination Closing complied in all material respects with all applicable Privacy Requirements with respect Laws, Privacy and Data Security Policies (as defined below), and contractual commitments concerning the Payment Card Industry Data Security Standards (if any) (collectively, the “Privacy Requirements”). Except as disclosed in the Commission Documents, the Company and its Subsidiaries have implemented adequate written policies relating to the Processing of Personally Identifiable Information Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). Except as disclosed in the Commission Documents, there is no pending, nor has there been since the Business Combination Closing Date any material Actions against the Company or any of its Subsidiaries initiated by (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iii) any other dataGovernmental Authority, foreign or domestic; or (iv) any regulatory or self-regulatory entity alleging that any Processing of Personal Data by or on behalf of the Company or any of its Subsidiaries is in violation of any Privacy Requirements. The Except as disclosed in the Commission Documents, since the Business Combination Closing Date, there has been no material breach of security resulting in unauthorized access, use or disclosure of Personal Data in the possession or control of the Company or any of its Subsidiaries (as applicable) or, to the Company’s Knowledge, any of their respective contractors with regard to any Personal Data obtained from or on behalf of the Company or any of its Subsidiaries (as applicable), or any material unauthorized intrusions or breaches of security into the systems of the Company or any of its Subsidiaries (as applicable). Except as disclosed in the Commission Documents, the Company or one of its Subsidiaries owns or has license to use the IT Systems as necessary to operate the Business of the Company and its Subsidiaries are not and since January 1as currently conducted. To the Company’s Knowledge, 2018except as disclosed in the Commission Documents, have not been subject to a Governmental Order ofnone of the IT Systems contain any worm, bomb, backdoor, clock, timer or have received a notice fromother disabling device, a Governmental Authority regarding actual code, design or alleged non-compliance with or violation routine that causes the software of any Privacy Requirementportion thereof to be erased, inoperable or otherwise incapable of being used, either automatically, with the passage of time or upon command by any unauthorized Person, except as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The Except as disclosed in the Commission Documents, the Company and its Subsidiaries have taken commercially reasonable steps organizational, physical, administrative and technical measures required by Privacy Requirements consistent with standards prudent in the industry in which the Company and its Subsidiaries operate to ensure protect (i) the reliability integrity, security and operations of their employeesinformation technology systems, representativesand (ii) the confidential data owned by the Company or any of its Subsidiaries or provided by the Company’s or any Subsidiary’s customers, consultantsand Personal Data against data security incidents or other misuse, contractors except where the failure to take such organizational, physical, administrative or technical measures would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Except as disclosed in the Commission Documents, the Company and agents that its Subsidiaries have access to Company PIIimplemented reasonable procedures, satisfying the requirements of applicable Privacy Laws in all material respects, to train such individuals on all applicable Privacy Requirements detect data security incidents and to ensure that all such employeesprotect Personal Data against loss and against unauthorized access, representativesuse, consultantsmodification, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, there have been no unauthorized or illegal Processing, disclosure or other breachmisuse, violation except where the failure to implement such reasonable procedures would not, individually or default (or event thatin the aggregate, reasonably be expected to have a Material Adverse Effect. Except as disclosed in the Commission Documents, in connection with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any each third-party data suppliers, vendors service provider whose services are material to the Company or other partners that Process any Company PII or other Personally Identifiable Information one of its Subsidiaries and involve the Processing of Personal Data on behalf of the Company or any of its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend , the Company or one of its Subsidiaries has in accordance with Privacy Laws, since the Business Combination Closing Date, entered into valid data processing agreements with any such third party in accordance with applicable Privacy Laws, except where the failure to notify enter into such valid data processing agreements with any Governmental Authority such third party would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Except as disclosed in the Commission Documents, there have not been any Actions related to any data security incidents or any violations of any Security IncidentPrivacy Requirements that have been asserted in writing against the Company or any of its Subsidiaries, and, to the Company’s Knowledge, none of the Company or any of its Subsidiaries has received any written correspondence relating to, or written notice of any Actions with respect to, alleged violations by the Company or any of its Subsidiaries of, Privacy Requirements, in each case which Actions, if adjudicated adversely to the Company or any of its Subsidiaries, would, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Except as disclosed in the Commission Documents, neither the Company nor any of its Subsidiaries has transferred any Personal Data from the European Union or United Kingdom to a jurisdiction outside the European Economic Area or United Kingdom, other than in accordance with Articles 45 and 46(2) of the GDPR, except as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, has implemented and maintained a maintains commercially reasonable written data protection, data privacy policies relating to (i) the Processing of Personal Data to the extent required by applicable Privacy Law (“Privacy and cybersecurity program (the “Data Protection ProgramSecurity Policies”) that and (ii) other Data Security Requirements. The conduct of the Business is (and has in the past three (3) years been) in material compliance with all Privacy Data Security Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1December 31, 20182020, the Company has not received written notice of any pending Proceedings, nor has there been any Proceedings against the Company initiated by (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; or (iii) any other Governmental Entity, in each case, alleging that any Processing of Personal Data by or on behalf of the Company is in violation of any applicable Data Security Requirements. (c) Since December 31, 2020, to the Company’s Knowledge, (i) there has been no actual, suspected, or alleged unauthorized or unlawful access, use, loss, disclosure or other Processing of Personal Data or trade secrets in the possession or control of the Company and its Subsidiaries (ii) there have at been no actual, suspected, or alleged unauthorized intrusions or breaches of security into the Company IT Systems. (d) The Company owns or has a license to use the Company IT Systems as necessary to operate the business of the Company as currently conducted. The Company IT Systems are sufficient and in good working condition for the operation of the Business, including as to capacity, scalability, and ability to process current and anticipated peak volumes in a timely manner. Since December 31, 2020, there have been no failures, continued substandard performance or other adverse events affecting any Company IT Systems that have caused any material disruption or interruption in the use of any Company IT Systems or the conduct of the Business. The Company has taken reasonable precautions to protect the confidentiality, integrity and security of the Company IT Systems and Personal Data stored or contained therein or transmitted or Processed thereby from any theft, corruption, loss or unauthorized use, access, interruption or modification or other Processing by any Person. The Company maintains commercially reasonable security plans, procedures and facilities, and acts in material compliance therewith. The Company has purchased a sufficient number of license seats (and scope of rights) for all times third-party Software that is used or held for use in the conduct of the Business, and the Company has complied in all material respects with all Privacy Requirements the terms and conditions of the agreements corresponding to such Software, including with respect to the Processing use of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure such Software in the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge conduct of the Company, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentBusiness. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in compliance in all material compliance respects with all the Privacy Requirements. The Since January 1, 2019, the Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 20182019, no Person has claimed any compensation or damages from the Company or any of its Subsidiaries, or has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries Subsidiaries, in each case, in relation to any actual or alleged Security Incident or violation otherwise for or arising as a result of any actual or alleged violation, breach or other non-compliance with or of any Privacy Requirement. (b) Since Except as set forth in Section 5.14(b) of the Company Disclosure Schedule, since January 1, 20182019, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other dataCompany PII. The Company and its Subsidiaries are not not, and since January 1, 20182019, have not been been, subject to a Governmental Order of, or have received a written notice from, a Governmental Authority regarding regarding, actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company and except as set forth in Section 5.14(c) of the Company Disclosure Schedule, (i) each of the Company’s and its Subsidiaries’ third-party data suppliers, vendors, and partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries are in compliance in all material respects with the Privacy Requirements, and (ii) there have been no material unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) by any such supplier, vendor or other partner of any Privacy Requirements by any third-party data suppliersRequirements. Since January 1, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in 2019, no Security Incident has occurred for which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentAuthority. (d) The consummation of transactions contemplated by this Agreement the Transactions will not breach any Privacy Requirement, except as would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole.

Data Privacy and Security. ‌ (a) The Company is in compliance and has complied with all applicable Privacy Laws, except where such failure to comply, individually or in the aggregate, has not had and would not reasonably be expected to have a Company Material Adverse Effect. (b) The Company has in place policies and procedures for the proper collection, processing, transfer, disclosure, sharing, storing, security and use of Personal Information that comply with Privacy Laws.‌ (c) There is no currently pending or, to the Company’s knowledge, threatened, and there has not been any, Action against the Company or its Subsidiaries initiated by (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; (iii) any regulatory entity, privacy regulator or otherwise, or (iv) any other Person, in each case, with respect to privacy, cybersecurity, or Personal Information. (d) There have not been any actual, suspected, or alleged material Security Incidents or actual or alleged claims related to material Security Incidents, and, to the Company’s knowledge, there are no facts or circumstances which could reasonably serve as the basis for any such allegations or claims. There are no data security, information security, or other technological vulnerabilities with respect to the Company’s or its Subsidiaries’ services or with respect to the Company IT Systems that would have a materially adverse impact on their operations or cause a material Security Incident. To the Company’s knowledge, no circumstance has arisen in which Privacy Laws would require the Company to notify a Person or Governmental Entity of a data security breach or Security Incident.‌ (e) The Company and its Subsidiaries own, or have developedlicense to use, implemented pursuant to a Contract of the Company or its Subsidiaries, respectively, the Company IT Systems as necessary to operate their respective businesses as currently conducted and maintained a written data protection, data privacy and cybersecurity program (such Company IT Systems are sufficient for the “Data Protection Program”) that is in material compliance with all Privacy Requirementsoperation of their respective businesses as currently conducted. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1back-up and disaster recovery arrangements, 2018, no Person has brought, or threatened procedures and facilities for the continued operation of its businesses in writing to bring, any Action against the event of a failure of the Company or any IT Systems that are, in the reasonable determination of its Subsidiaries the Company, commercially reasonable and in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times complied accordance in all material respects with all Privacy Requirements standard industry practice. There has not been any material disruption, failure or, to the Company’s knowledge, unauthorized access with respect to any of the Processing Company IT Systems that has not been remedied, replaced or mitigated in all material respects. To the Company’s knowledge, none of Personally Identifiable Information and the Company IT Systems contain any worm, bomb, backdoor, trap doors, Trojan horse, spyware, keylogger software, clock, timer or other data. damaging devices, malicious codes, designs, hardware component, or software routines that causes the Company Software or any portion thereof to be erased, inoperable or otherwise incapable of being used, either automatically, with the passage of time or upon command by any unauthorized person. (f) The Company and its Subsidiaries are not have, and since January 1have had, 2018in place commercially reasonable and appropriate administrative, have not been subject to a Governmental Order oftechnical, or have received a notice fromphysical and organizational measures and safeguards, a Governmental Authority regarding actual or alleged non-in compliance with or violation of any all data security requirements under Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps Laws, to (i) ensure the reliability of their employeesintegrity, representativessecurity, consultantsand the continued, contractors uninterrupted, and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any thirderror-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf free operation of the Company or its Subsidiaries. No circumstances have arisen in which IT Systems, and the Privacy Requirements would require or recommend confidentiality of the Company or its Subsidiaries to notify any Governmental Authority source code of any Security Incident. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.Company Software,

Data Privacy and Security. (a) The Company Entities complied and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is are in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other dataCommitments. The Company Entities have implemented and its Subsidiaries are not maintained appropriate physical, technical and since January 1organizational security measures to prevent the unlawful Processing of Personal Information and unauthorized access, 2018, have not been subject accidental loss or destruction of or damage to a Governmental Order of, or have Personal Information in their respective control. (b) No Company Entity has received a any written notice from, a from any Governmental Authority regarding actual or alleged non-compliance with any Person alleging that any Company Entity is or violation has been in breach of any Privacy Requirement. The Company and Commitment or seeking to limit its Subsidiaries have taken commercially reasonable steps to ensure the reliability use of their employees, representatives, consultants, contractors and agents that have access to Company PIIPersonal Information and, to train the Knowledge of the Company, no such individuals on all breach has occurred within the applicable Privacy Requirements and statute of limitations for a claim arising out of such a breach. No Company Entity has received a written request, complaint or objection to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations its collection or use of confidentiality with respect to such Company PIIPersonal Information from any Governmental Authority or any Person. (c) To The Company Entities have at all times made all disclosures to and obtained consents from third Persons (or otherwise have an appropriate legal basis) required by applicable Privacy Laws prior to the knowledge Processing of any Personal Information from such Persons and none of such disclosures made or contained in any Privacy Policy of a Company Entity or in any such materials has been inaccurate, misleading, or deceptive or in violation of any applicable Privacy Laws, including by omission. No action is pending and, to the Knowledge of the Company, there no Person has threatened to commence any action concerning any claim that any Company Entity has violated any Privacy Commitment in connection with, or relating to, any Personal Information or the Processing of Personal information by any Company Entity. (d) The execution, delivery and performance of this Agreement and the Transactions comply, and will comply, in all material respects, with all Privacy Commitments. Following the Closing Date, the Company Entities will continue to be permitted to collect, store, use and disclose Personal Information held by the Company Entities on terms substantially similar to those in effect as of the date of this Agreement and to the same extent the Company Entities would have been able to had the Transactions not occurred. (e) No Company Entity and, to the Knowledge of the Company, no Personal Information Processor, has experienced any material unauthorized or illegal Processingaccess to, deletion or other breachmisuse of, violation any Personal Information in its possession or default control (a “Security Incident”) or event thatmade or been required to make any disclosure, notification or take any other action under any applicable Privacy Laws in connection with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security Incident. (df) The consummation Company Entities have established and maintain appropriate technical, physical, administrative and organizational policies, measures and security systems and technologies consistent with industry standards and in compliance with data security requirements under applicable Privacy Laws that ensure that Company Data is protected against unauthorized access, use, modification, disclosure, misuse, or accidental or unlawful Processing. The Company Entities have not received any written complaint, proceeding, investigation (formal or informal) or claim against, any Company Entity, by any private party, data protection authority, the Federal Trade Commission, or any other Governmental Authority, foreign or domestic, with respect to the collection, use, retention, disclosure, transfer, storage, security, disposal, or other Processing of transactions contemplated by this Agreement will not breach Company Data. There has been no unauthorized Processing of any Company Data and no event or circumstance has occurred or arisen in which Privacy RequirementLaws would require any Company Entity to notify a Governmental Authority of a data security breach, security incident or violation of any data security policy.

Data Privacy and Security. (a) The Since January 1, 2019, the Company and its Subsidiaries have developedat all times materially complied, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is are currently in material compliance compliance, in all respects with all Privacy Requirements. The Requirements and all requirements contained in any Contract to which the Company and or any of its Subsidiaries is bound, in each case, relating to (i) the privacy of the users of the products, services and websites of their business and/or (ii) the collection, use, storage, processing and disclosure of any Personal Data and other confidential data or information collected or stored by or on behalf of their business. No claims or Actions have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, been asserted or threatened in writing to bring, any Action against the Company or any of its Subsidiaries by any Person in relation to any actual or alleged Security Incident or violation otherwise for or arising as a result of any actual or alleged violation, breach of such Person’s privacy, personal or confidentiality rights under any applicable laws, rules, policies, procedures or Contracts, or other non-compliance with or of any Privacy RequirementRequirement in each instance. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not not, and since January 1, 2018, 2019 have not been been, subject to a Governmental Order of, or since January 1, 2019 have received a notice from, and has not been required to notify, any Person or a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge Each of the Company’s and its Subsidiaries’ current and former third-party data suppliers, vendors, and partners that Process or have access to any Company PII or other Personal Data on behalf of the Company or its Subsidiaries are in material compliance with the Privacy Requirements and there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) by any such supplier, vendor or other partner of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security IncidentRequirements. (d) The consummation of the transactions contemplated by this Agreement will not breach any Privacy RequirementRequirements.

Data Privacy and Security. (a) The Except as would not have a Company Material Adverse Effect, each member of the Company Group is, and its Subsidiaries have developedat all times since January 1, implemented and maintained a written data protection2021 has been, data in compliance with all applicable privacy and cybersecurity program information security obligations to which it is subject, including with respect to the Company Group’s collection, maintenance, transmission, accessing, transfer, storage, use, disclosure, disposal, and other processing (collectively, “Processing”) of Personal Information, under applicable Privacy Laws (including, as applicable, Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”)), Contracts, industry standards (including, as applicable, the Payment Card Industry Data Security Standard), privacy policies or online terms of use (collectively, “Data Protection ProgramRequirements”) that is in material compliance ). Except as would not have a Company Material Adverse Effect, neither the Company nor any Company Subsidiary has received any written or, to the Knowledge of the Company, other notices or complaints from any person or Governmental Authority alleging, or been subject to any audits or investigations concerning, any failure to comply with all Privacy any Data Protection Requirements. The Except as would not have a Company and its Subsidiaries have not experienced any material Security Incident. Since January 1Material Adverse Effect, 2018, there has been no Person has broughtunauthorized access to, or threatened in writing to bringuse or disclosure of, any Action against Personal Information collected, maintained, processed or stored by the Company or any Company Subsidiary. Except as would not have a Company Material Adverse Effect, the Company and the Company Subsidiaries have not, nor to the Knowledge of its Subsidiaries in relation the Company has any third party Processing Business Data, notified or been required under Data Protection Requirements to notify any actual Governmental Authority or alleged any other person of a data security breach, Security Incident or violation or breach of any Privacy Requirementdata security policy or Data Protection Requirement pertaining to the business of the Company or any Company Subsidiary. (b) Since January 1Except as would not have a Company Material Adverse Effect, 2018the Systems are adequate for, reasonably maintained and in sufficiently good working condition and performance for the conduct of the business of the Company and each Company Subsidiary as currently conducted and as currently contemplated to be conducted. Except as would not have a Company Material Adverse Effect, the Company and its Subsidiaries have at each Company Subsidiary has implemented and maintained all times complied in all material respects with all Privacy Requirements with respect necessary and appropriate controls, policies, procedures, and safeguards to maintain and protect the Processing confidentiality, integrity and security of Personally Identifiable the Systems, Personal Information and other data. The Company Business Data used in connection with their businesses, and its Subsidiaries are not and since January 1there has been no failure, 2018malfunction, have not been subject to a Governmental Order breakdown, performance reduction or other adverse event affecting any Systems, nor any unauthorized access to, or use, intrusion, or breach of security of, any Systems, or have received a notice fromany other loss, a Governmental Authority regarding actual or alleged non-compliance with or violation unauthorized Processing of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure Business Data, including Personal Information, in the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, there have been no unauthorized possession or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf control of the Company or its Subsidiariesany Company Subsidiary (each, as “Security Incident”), nor any incidents under internal review or investigations relating to the same. No circumstances Except as would not have arisen in which the Privacy Requirements would require or recommend a Company Material Adverse Effect, the Company and each Company Subsidiary maintains commercially reasonable backup and data recovery, disaster recovery, and business continuity plans, procedures, and facilities, and is and has been in compliance with all of the Company Group’s policies related to the foregoing. Except as would not have a Company Material Adverse Effect, the Systems are free from any disabling codes or its Subsidiaries to notify any Governmental Authority of any Security Incidentinstructions, spyware, Trojan horses, worms, viruses or other Software routines that could permit or cause unauthorized access to, or disruption, impairment, disablement, or destruction of, Software, data or other materials. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.

Data Privacy and Security. (a) The All Personal Data that is or previously has been collected, stored, maintained, possessed or otherwise used or controlled by or on behalf of the Company and its Subsidiaries have developedSubsidiaries, implemented has been collected, stored, maintained and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is used in material compliance accordance with all Privacy Requirementsapplicable Laws, contracts, and industry standards, the Company’s own privacy policy or service agreement under which such Personal Data was collected and the privacy policies or service agreement under which such Personal Data was collected by any Subsidiary of the Company, and any other policies of the Company and/or any Subsidiary of the Company concerning data protection and with all applicable Laws governing the collection, sharing, use, storage, disclosure, transfer or security from unauthorized disclosure of such Personal Data. The Company Seller has proof of opt in for all email addresses included in Personal Data and its Subsidiaries proof of express written consent for all telephone numbers that have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing been sold to bring, any Action against lead generation purchasers by the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirementsince January 1, 2014. (b) Since January 1, 2018, Neither the Company and its Subsidiaries have at all times complied in all material respects nor any Subsidiary of the Company has received a notice of noncompliance with all Privacy Requirements with respect applicable data protection Laws, or industry standards or the Company’s privacy policy or the privacy policies of any Subsidiary of the Company nor has there been any investigation by a Governmental Authority related to the Processing of Personally Identifiable Information and other datasame. The Company and its Subsidiaries are not and since January 1, 2018, each Subsidiary of the Company have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The made all registrations that the Company and its Subsidiaries each Subsidiary of the Company are required to have taken commercially reasonable steps made in relation to ensure the reliability processing of their employeesdata, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality in good standing with respect to such Company PIIregistrations, and have paid all fees due with respect thereto. (c) To At all times during which the knowledge Company or any Subsidiary of the Company has collected, stored, maintained or otherwise used data, the Company and each Subsidiary of the Company have privacy policies or statements describing the data collected, and the manner in which it used and disclosed such data, and the Company’s and each of its Subsidiaries’ practices are in substantial compliance with (i) their then-current internal or customer-facing or consumer-facing privacy policy or data security policy or statement, including the privacy policy or statement posted on the Company’s and each of its Subsidiaries’ websites, (ii) their customers’ and vendors’ privacy policies, when required to do so by contract, and (iii) any policy or agreement in connection with each third party servicing, outsourcing or similar arrangement, contractually obligated any service provider that has access to Personal Data to (A) comply in all respects with the Laws described in this Section with respect to any Personal Data acquired from or with respect to the Company and/or its Subsidiaries, (B) take industry standard steps to protect and secure from unauthorized disclosure any Personal Data acquired from or with respect to the Company and/or its Subsidiaries, and (C) to restrict use of any Personal Data acquired from or with respect to the Company to those authorized or required under the servicing, outsourcing or similar arrangement (each such foregoing policy or statement collectively referred to herein as “Privacy Statements”). With respect to Personal Data collected from individuals pursuant to any Privacy Statement other than a Privacy Statement currently in effect, there are no differences between such previous Privacy Statements and Current Privacy Statements that would materially affect the Company’s or its Subsidiaries’ ability to retain, use or disclose such information in the same manner and to the same extent as it may retain, use and disclose information pursuant to its Privacy Statements currently in effect. (d) The Company and each Subsidiary of the Company have implemented and maintained appropriate and reasonable measures to protect and maintain the confidential nature of any Personal Data. The Company and each Subsidiary of the Company have adequate technological and procedural measures and internal controls in place to protect Personal Data collected by the Company or any Subsidiary of the Company against loss, theft, and unauthorized access or disclosure which would have a Material Adverse Effect. (e) There has been no material data security breach of any computer systems or networks or unauthorized use of any Personal Data that is owned, used, stored, received, or controlled by or on behalf of the Company and/or any Subsidiary of the Company, there have . There has been no unauthorized or illegal Processingmaterial privacy breach of any Personal Data that is owned, used, stored, received, or other breach, violation controlled by or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. any Subsidiary of the Company No circumstances have arisen in which the Privacy Requirements would require claims are pending or recommend threatened or likely to be asserted against the Company or its Subsidiaries to notify any Governmental Authority Subsidiary of the Company by any Person alleging a violation of any Security Incidentapplicable Laws or rights relating to privacy, Personal Data, or any other confidentiality rights under any applicable Laws, policies or procedures. (df) The consummation Company and each Subsidiary of transactions contemplated the Company have the full power and authority to transfer any and all rights in any individual’s Personal Data in the Company’s and any of its Subsidiaries’ possession or control to Buyer and its Affiliates. Neither the Company nor any Subsidiary of the Company is subject to any obligation that would prevent Company and the Subsidiaries of the Company from using the Personal Data in a manner consistent with any Law or industry standard regarding the collection, retention, use, or disclosure of such information. (g) The Company and each Subsidiary of the Company do not knowingly collect information from or about, or target, children under the age of thirteen (13), nor has the Company nor any Subsidiary ever knowingly done so. (h) To Seller’s Knowledge, no Person has commenced any Action relating to the Company’s or its Subsidiaries’ information privacy or data security practices, including with respect to the access, disclosure or use of customer Data or Personal Data that is or previously has been possessed or otherwise controlled by this Agreement will not breach or on behalf of the Company or any Privacy Requirementof its Subsidiaries, or threatened any such Action, or made any complaint, investigation or inquiry relating to such practices.

Data Privacy and Security. (a) The Except as set forth on Section 3.22(a) of the Company Disclosure Schedule, the Company and each of its Subsidiaries have developed, implemented and maintained a written data protectionfollowed in all material respects commercially reasonable physical, data privacy technical, organizational, and cybersecurity program administrative security measures, policies, and procedures that are designed to: (i) mitigate potential security risks with respect to the “Company’s services; (ii) comply with the Data Protection Program”Privacy Requirements, (iii) that is identify security breach risks relating to the Company’s information technology systems, (iv) prevent security breaches, (v) identify, document, and remediate actual or suspected security breaches relating to the Company’s information technology systems and the Company’s services, and (vi) at least annually, train all employees, consultants, agents, and contractors of the Company and each of its Subsidiaries applicable to their service to the Company, in material (A) their responsibilities relating to compliance with all Data Privacy Requirements. The , and (B) recognizing and minimizing security breach risks relating to the Company’s information technology systems, the Company’s services, and any customer data held by the Company and each of its Subsidiaries. (b) No complaint, claim, enforcement action, or litigation that alleges any non-compliance by the Company or any of its Subsidiaries have not experienced with any material Security Incident. Since January 1applicable Data Privacy Requirement has been served on or, 2018to the Knowledge of the Company, no Person has brought, or threatened in writing to bring, any Action initiated against the Company or any of its Subsidiaries in relation and the Company and each of its Subsidiaries have not received any subpoenas, demands, or other written notices from any Governmental Entity investigating, inquiring into, or otherwise relating to any actual or alleged Security Incident or violation or breach of any Data Privacy Requirement and, to the Knowledge of the Company, the Company and each of its Subsidiaries are not under investigation by any Governmental Entity for any actual or potential violation of any Data Privacy Requirement. (bc) Since January 1, 2018, the The Company and each of its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to not experienced any security breaches within the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a past three (3) years that would require law enforcement or Governmental Order ofEntity notification, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all remedial action under any applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) of any Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or recommend the Company or its Subsidiaries to notify any Governmental Authority of any Security Incident. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement.Data Privacy