Common use of Data Privacy and Security Clause in Contracts

Data Privacy and Security. (a) The Company and each of its Subsidiaries are, and since January 1, 2019, have been in material compliance with all Privacy and Data Security Requirements. To the Knowledge of the Company, all Subprocessors are, and since January 1, 2019 have been in, material compliance with all Privacy and Data Security Requirements. (b) None of the Personal Information in the possession, custody, or control of the Company or any of its Subsidiaries, received by the Company or any of its Subsidiaries, or otherwise Processed by or on behalf of the Company or any of its Subsidiaries, has been collected by, or provided to the Company or any of its Subsidiaries by a third party, in material violation of any Privacy and Data Security Requirement. (c) The execution, delivery, and performance of this Agreement and the consummation of the transactions contemplated hereby, including the transfer of all Personal Information and confidential information in the possession, custody, or control of the Company and each of its Subsidiaries (including Personal Information and confidential information held or Processed by any Subprocessor), do not and will not: (i) materially conflict with or result in a material violation or breach of any Privacy and Data Security Requirement (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company or any of its Subsidiaries); or (ii) require the consent of or notice to any Person concerning such Person’s Personal Information or confidential information. Neither the Company nor any of its Subsidiaries are subject to any Privacy and Data Security Requirements or other legal obligations that, following the Closing, would prohibit the Company, any of the Company’s Subsidiaries, or Parent from receiving, using, or otherwise Processing Personal Information in substantially the same manner in which the Company or any of its Subsidiaries Processed such Personal Information prior to the Closing. (d) The Company and each of its Subsidiaries have at all times posted to each of their websites, mobile applications, and other online services and provided or otherwise made available to each data subject prior to Processing such data subject’s Personal Information an appropriate Company Privacy and Data Security Policy that materially complies with all Privacy and Data Security Requirements. No material disclosure or representation made or contained in any Company Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy and Data Security Requirement (including by containing any material omission). The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies that are currently in effect. The Company and each of its Subsidiaries have, to the extent required by Privacy and Data Security Requirements, obtained the consent of data subject to the Processing of Personal Information as required by Privacy and Data Security Requirements. The Company and each of its Subsidiaries have, in material compliance with all Privacy and Data Security Requirements, implemented all valid and lawful requests pertaining to access, notice, rectification, portability, deletion, restriction, automated decision making, or objection of any Person made to the Company or any of its Subsidiaries regarding Personal Information Processed by or on behalf of the Company or any of its Subsidiaries and with any other valid and lawful request related to data subject rights under Privacy Laws. (e) Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no Personal Information or confidential information in the possession, custody, or control of the Company or any of its Subsidiaries (including Personal Information and confidential information Processed by any Subprocessor on behalf of the Company) has been impacted by a material Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no IT Systems maintained or operated by or on behalf of the Company or any of its Subsidiaries have been impacted by a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, neither the Company nor any of its Subsidiaries have notified, and there have been no facts or circumstances that would require the Company or any of its Subsidiaries to notify, any data subject, Governmental Authority, or other Person of a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries. Neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries, to any Person sanctioned by, or any Person located in a jurisdiction sanctioned by, the U.S. Department of Treasury’s Office of Foreign Assets Control or in violation of any applicable Law. (f) Since January 1, 2019: (i) neither the Company nor any of its Subsidiaries have received any written notice, request, claim, complaint, correspondence, or other communication from any Governmental Authority or other Person, and; (ii) to the Knowledge of the Company, there has not been any audit, investigation, lawsuit, enforcement action (including any fines or other Sanctions), or other legal action, related to the Company or any of its Subsidiaries’ Processing of Personal Information, the Company’s or any of its Subsidiaries’ privacy or data security practices, or any actual or alleged Data Incident or violation of any Privacy and Data Security Requirement. (g) The Company and each of its Subsidiaries have implemented and maintained appropriate administrative, technical, physical, and organizational safeguards, security measures, and controls, including a fully-implemented comprehensive written information security program appropriately designed to (i) identify and address internal and external risks to the privacy or security of Personal Information and confidential information; (ii) monitor and improve adequate safeguards, security measures, and controls that protect Personal Information and confidential information and the operation, integrity, and security of its software, IT Systems, applications, and websites involved in the Processing of Personal Information or confidential information; (iii) protect Personal Information, confidential information, and information technology resources of the Company or any of its Subsidiaries against a Data Incident; and (iv) provide notification in compliance with applicable Privacy Laws in the event of a Data Incident.. The Company and each of its Subsidiaries have (i) implemented and maintained appropriate backups and disaster recovery and business continuity plans and (ii) regularly test such plans to ensure such plans are effective in all material respects upon such testing. (h) The Company and each of its Subsidiaries have entered into and maintained valid data processing agreements that materially comply with Privacy and Data Security Requirements with all customers and other Persons on whose behalf the Company or any of its Subsidiaries Processes or have Processed Personal Information. The Company and each of its Subsidiaries comply and have since January 1, 2019 materially complied with all such data processing agreements. The Company and each of its Subsidiaries have entered into and maintained appropriate contractual agreements with all Subprocessors that materially comply with all Privacy and Data Security Requirements. (i) The Company and each of its Subsidiaries have since January 1, 2019, at least annually performed an appropriate security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company and each of its Subsidiaries have used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessments. (j) Neither the Company nor any of its Subsidiaries have since January 1, 2019, sold, licensed, rented, leased, released, disclosed, disseminated, made available, transferred, or communicated Personal Information to another Person for any consideration (a “Data Sale”), except where such Sale complies with Privacy and Data Security Requirements. (k) The Company and each its Subsidiaries have since January 1, 2019, maintained cyber insurance policies that are adequate and suitable for the nature and volume of Personal Information and confidential information Processed by or on behalf of the Company and each of its Subsidiaries.

Data Privacy and Security. (a) The Company and each of its Subsidiaries arecomplies, and since January 1, 2019, have been during the past twelve (12) months has complied in all material compliance respects with all Privacy and Data Information Security Requirements. To the Knowledge of the Company, all Subprocessors are, and since January 1, 2019 have been in, material compliance with all Privacy and Data Security Requirements. (b) None of the Personal Information in the possession, custody, or control of the Company or any of its Subsidiaries, received by the Company or any of its Subsidiaries, or otherwise Processed by or on behalf of the Company or any of its Subsidiaries, has been collected by, or provided to the Company or any of its Subsidiaries by a third party, in material violation of any Privacy and Data Security Requirement. (c) The execution, delivery, and performance of this Agreement and the consummation of the transactions contemplated hereby, including the transfer of all Personal Information and confidential information in the possession, custody, or control of the Company and each of its Subsidiaries (including Personal Information and confidential information held or Processed by any Subprocessor), do not and will not: (i) materially conflict with or result in a material violation or breach of any Privacy and Data Security Requirement (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company or any of its Subsidiaries); or (ii) require the consent of or notice to any Person concerning such Person’s Personal Information or confidential information. Neither the Company nor any of its Subsidiaries are subject to any Privacy and Data Security Requirements or other legal obligations that, following the Closing, would prohibit the Company, any of the Company’s Subsidiaries, or Parent from receiving, using, or otherwise Processing Personal Information in substantially the same manner in which the Company or any of its Subsidiaries Processed such Personal Information prior to the Closing. (d) The Company and each of its Subsidiaries have at all times posted to each of their websites, mobile applications, and other online services and provided or otherwise made available to each data subject prior to Processing such data subject’s Personal Information an appropriate Company Privacy and Data Security Policy that materially complies with all Privacy and Data Security Requirements. No material disclosure or representation made or contained in any Company Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy and Data Security Requirement (including by containing any material omission). The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies that are currently in effect. The Company and each of its Subsidiaries have, to the extent required by Privacy and Data Security Requirements, obtained the consent of data subject to the Processing of Personal Information as required by Privacy and Data Security Requirements. The Company and each of its Subsidiaries have, in material compliance with all Privacy and Data Security Requirements, implemented all valid and lawful requests pertaining to access, notice, rectification, portability, deletion, restriction, automated decision making, or objection of any Person made to the Company or any of its Subsidiaries regarding Personal Information Processed by or on behalf of the Company or any of its Subsidiaries and with any other valid and lawful request related to data subject rights under Privacy Laws. (e) Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no Personal Information or confidential information in the possession, custody, or control of the Company or any of its Subsidiaries (including Personal Information and confidential information Processed by any Subprocessor on behalf of the Company) has been impacted by a material Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no IT Systems maintained or operated by or on behalf of the Company or any of its Subsidiaries have been impacted by a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, neither the Company nor any of its Subsidiaries have notified, and there have been no facts or circumstances that would require the Company or any of its Subsidiaries to notify, any data subject, Governmental Authority, or other Person of a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries. Neither the Company nor any of its Subsidiaries have directly been notified in writing of, or indirectly made is the subject of, any ▇▇▇▇▇▇ payments complaint, regulatory investigation or proceeding related to a Processing of Personal Data Incidentby any Governmental Entity or payment card association, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or regarding any of its Subsidiaries, to any Person sanctioned by, or any Person located in a jurisdiction sanctioned by, the U.S. Department of Treasury’s Office of Foreign Assets Control or in violation violations of any applicable Law. (f) Since January 1, 2019: (i) neither the Company nor any of its Subsidiaries have received any written notice, request, claim, complaint, correspondence, Privacy and Information Security Requirement by or other communication from any Governmental Authority or other Person, and; (ii) to the Knowledge of the Company, there has not been any audit, investigation, lawsuit, enforcement action (including any fines or other Sanctions), or other legal action, related with respect to the Company or any of its Subsidiaries’ Processing of Personal Information, the Company’s or any of its Subsidiaries’ privacy or data security practices, or any actual or alleged Data Incident or violation of any Privacy and Data Security Requirement. (gb) The Company and each of its Subsidiaries have implemented and maintained appropriate employs commercially reasonable organizational, administrative, technical, physical, physical and organizational safeguards, security measures, technical safeguards that comply with all Privacy and controls, including a fully-implemented comprehensive written information security program appropriately designed Information Security Requirements to (i) identify and address internal and external risks to the privacy or security of Personal Information and confidential information; (ii) monitor and improve adequate safeguards, security measures, and controls that protect Personal Information Data within its custody or control and confidential information and requires the operation, integrity, and security same of its software, IT Systems, applications, and websites involved in the Processing of Personal Information or confidential information; (iii) protect Personal Information, confidential information, and information technology resources of all vendors under contract with the Company or any of that Process Personal Data on its Subsidiaries against a Data Incident; and (iv) provide notification in compliance with applicable Privacy Laws in the event of a Data Incident.. The Company and each of its Subsidiaries have (i) implemented and maintained appropriate backups and disaster recovery and business continuity plans and (ii) regularly test such plans to ensure such plans are effective in all material respects upon such testing. (h) The Company and each of its Subsidiaries have entered into and maintained valid data processing agreements that materially comply with Privacy and Data Security Requirements with all customers and other Persons on whose behalf the Company or any of its Subsidiaries Processes or have Processed Personal Information. The Company and each of its Subsidiaries comply and have since January 1, 2019 materially complied with all such data processing agreementsbehalf. The Company and each of its Subsidiaries have entered into provided all requisite notices and maintained appropriate contractual agreements obtained all required consents or otherwise identified legal basis for Personal Data, and satisfied all other requirements (including but not limited to notification to Governmental Entities), necessary for the Processing (including international and onward transfer) of all Personal Data in connection with all Subprocessors that materially comply the conduct of the Company Business as currently conducted and in connection with all Privacy and Data Security Requirementsthe consummation of the transactions contemplated hereunder, except in each case, as would not be reasonably expected to have a Material Adverse Effect with respect to the Company. (i) The Company and each of its Subsidiaries have since January 1, 2019, at least annually performed an appropriate security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company and each of its Subsidiaries have used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessments. (jc) Neither the Company nor any of its Subsidiaries, to the Company’s knowledge, has suffered a security breach with respect to any of the Personal Data and, to the Company’s knowledge, there has been no unauthorized or illegal use of or access to any Personal Data. Neither the Company nor any of its Subsidiaries have since January 1, 2019, sold, licensed, rented, leased, released, disclosed, disseminated, made available, transferredhas notified, or communicated been required to notify, any Person of any information security breach involving Personal Information to another Person for any consideration (a “Data Sale”)Data. To the Company’s knowledge, except where such Sale complies with Privacy and Data Security Requirements. (k) The Company and each its Subsidiaries have since January 1, 2019, maintained cyber insurance policies that are adequate and suitable for the nature and volume of Personal Information and confidential information Processed by or on behalf of the Company Systems have had no material errors or defects that have not been fully remedied and each contain no code designed to disrupt, disable, harm, distort, or otherwise impede in any manner the legitimate operation of such Company Systems (including what are sometimes referred to as “viruses,” “worms,” “time bombs,” or “back doors”) that have not been removed or fully remedied. To the Company’s knowledge, neither it nor any of its Subsidiaries, have experienced within the past twelve (12) months any material disruption to, or material interruption in, the conduct of its business that effected the business for more than one calendar week, and attributable to a defect, bug, breakdown, ransomware event, unauthorized access, introduction of a virus or other malicious programming, or other failure or deficiency on the part of any computer Software or the Company Systems.

Data Privacy and Security. (ai) The Company Purchaser and each of its Subsidiaries arecomplies, and since January 1during the past two years has complied, 2019in all material respects, have been in material compliance with all Privacy and Data Information Security Requirements. To Neither the Knowledge Purchaser nor any of the Company, all Subprocessors are, and since January 1, 2019 its Subsidiaries have been innotified in writing of, or is the subject of, any complaint, regulatory investigation or proceeding related to Processing of Personal Data by any third party, Governmental Entity or payment card association, regarding any material compliance with all violations of any Privacy and Data Information Security Requirements. (b) None of Requirement by or with respect to the Personal Information in the possession, custody, or control of the Company Purchaser or any of its Subsidiaries, received by the Company or any of its Subsidiaries, or otherwise Processed by or on behalf of the Company or any of its Subsidiaries, has been collected by, or provided to the Company or any ; (ii) The Purchaser and each of its Subsidiaries by a third party, employs commercially reasonable safeguards that comply in material violation of any all respects with all applicable Privacy and Information Security Requirements to protect Purchaser Data Security Requirement. (c) within its custody or control and requires the same of all vendors under contract with the Purchaser that Process Purchaser Data on its behalf. The execution, deliveryPurchaser and each of its Subsidiaries have provided all requisite notices and obtained all required consents, and performance satisfied all other requirements (including but not limited to notification to applicable Governmental Entities), necessary for the Processing (including international and onward transfer) of this Agreement all Personal Data in connection with the conduct of the business as currently conducted and in connection with the consummation of the transactions contemplated herebyhereunder, including the transfer of all Personal Information and confidential information in the possession, custody, or control of the Company and each of its Subsidiaries (including Personal Information and confidential information held or Processed by any Subprocessor), do not and will not: (i) materially conflict with or result in a material violation or breach of any Privacy and Data Security Requirement (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company or any of its Subsidiaries); or (ii) require the consent of or notice to any Person concerning such Person’s Personal Information or confidential information. Neither the Company nor any of its Subsidiaries are subject to any Privacy and Data Security Requirements or other legal obligations that, following the Closing, would prohibit the Company, any of the Company’s Subsidiaries, or Parent from receiving, using, or otherwise Processing Personal Information in substantially the same manner in which the Company or any of its Subsidiaries Processed such Personal Information prior to the Closing. (d) The Company and each of its Subsidiaries have at all times posted to each of their websites, mobile applications, and other online services and provided or otherwise made available to each data subject prior to Processing such data subject’s Personal Information an appropriate Company Privacy and Data Security Policy that materially complies with all Privacy and Data Security Requirements. No material disclosure or representation made or contained in any Company Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy and Data Security Requirement (including by containing any material omission). The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies that are currently in effect. The Company and each of its Subsidiaries have, except to the extent required by Privacy and Data Security Requirements, obtained the consent of data subject that any failure to the Processing of Personal Information as required by Privacy and Data Security Requirements. The Company and each of its Subsidiaries do so would not have, individually or in material compliance with all Privacy and Data Security Requirementsthe aggregate, implemented all valid and lawful requests pertaining to access, notice, rectification, portability, deletion, restriction, automated decision making, or objection of any Person made to the Company or any of its Subsidiaries regarding Personal Information Processed by or on behalf of the Company or any of its Subsidiaries and with any other valid and lawful request related to data subject rights under Privacy Laws.a Purchaser Material Adverse Effect; and (eiii) Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no Personal Information or confidential information in the possession, custody, or control of the Company or any of its Subsidiaries (including Personal Information and confidential information Processed by any Subprocessor on behalf of the Company) has been impacted by a material Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no IT Systems maintained or operated by or on behalf of the Company or any of its Subsidiaries have been impacted by a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, neither the Company nor any of its Subsidiaries have notified, and there have been no facts or circumstances that would require the Company or any of its Subsidiaries to notify, any data subject, Governmental Authority, or other Person of a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries. Neither the Company Purchaser nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries, to the Purchaser’s knowledge, has suffered a security breach with respect to any Person sanctioned byof the Purchaser Data and, to the Purchaser’s knowledge, there has been no unauthorized or illegal use of, access or disclosure to, or any Person located in a jurisdiction sanctioned by, the U.S. Department of Treasury’s Office of Foreign Assets Control or in violation unavailability of any applicable Law. (f) Since January 1, 2019: (i) neither Purchaser Data. Neither the Company Purchaser nor any of its Subsidiaries have received any written notice, request, claim, complaint, correspondencehas notified, or other communication from been required to notify, any Governmental Authority Person of any information security breach or other Personincident involving Personal Data. To the Purchaser’s knowledge, and; (ii) to the Knowledge of the Company, there has Purchaser Systems have had no material errors or defects that have not been fully remedied and contain no code designed to disrupt, disable, harm, distort, or otherwise impede in any audit, investigation, lawsuit, enforcement action manner the legitimate operation of such Purchaser Systems (including any fines what are sometimes referred to as “viruses,” “worms,” “time bombs,” or other Sanctions), “back doors”) that have not been removed or other legal action, related to the Company or fully remedied. Neither it nor any of its Subsidiaries’ Processing of Personal Information, have experienced any disruption to, or interruption in, the Company’s or any conduct of its Subsidiaries’ privacy business that effected the business for more than one calendar week, and attributable to a defect, bug, breakdown, unauthorized access, introduction of a virus or data security practicesother malicious programming, or any actual other failure or alleged Data Incident or violation deficiency on the part of any Privacy and Data Security Requirementcomputer software or the Purchaser Systems. (g) The Company and each of its Subsidiaries have implemented and maintained appropriate administrative, technical, physical, and organizational safeguards, security measures, and controls, including a fully-implemented comprehensive written information security program appropriately designed to (i) identify and address internal and external risks to the privacy or security of Personal Information and confidential information; (ii) monitor and improve adequate safeguards, security measures, and controls that protect Personal Information and confidential information and the operation, integrity, and security of its software, IT Systems, applications, and websites involved in the Processing of Personal Information or confidential information; (iii) protect Personal Information, confidential information, and information technology resources of the Company or any of its Subsidiaries against a Data Incident; and (iv) provide notification in compliance with applicable Privacy Laws in the event of a Data Incident.. The Company and each of its Subsidiaries have (i) implemented and maintained appropriate backups and disaster recovery and business continuity plans and (ii) regularly test such plans to ensure such plans are effective in all material respects upon such testing. (h) The Company and each of its Subsidiaries have entered into and maintained valid data processing agreements that materially comply with Privacy and Data Security Requirements with all customers and other Persons on whose behalf the Company or any of its Subsidiaries Processes or have Processed Personal Information. The Company and each of its Subsidiaries comply and have since January 1, 2019 materially complied with all such data processing agreements. The Company and each of its Subsidiaries have entered into and maintained appropriate contractual agreements with all Subprocessors that materially comply with all Privacy and Data Security Requirements. (i) The Company and each of its Subsidiaries have since January 1, 2019, at least annually performed an appropriate security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company and each of its Subsidiaries have used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessments. (j) Neither the Company nor any of its Subsidiaries have since January 1, 2019, sold, licensed, rented, leased, released, disclosed, disseminated, made available, transferred, or communicated Personal Information to another Person for any consideration (a “Data Sale”), except where such Sale complies with Privacy and Data Security Requirements. (k) The Company and each its Subsidiaries have since January 1, 2019, maintained cyber insurance policies that are adequate and suitable for the nature and volume of Personal Information and confidential information Processed by or on behalf of the Company and each of its Subsidiaries.

Data Privacy and Security. (ai) The Company and each of its Subsidiaries arecomplies, and since January 1during the past two years has complied, 2019in all material respects, have been in material compliance with all Privacy and Data Information Security Requirements. To the Knowledge of the Company, all Subprocessors are, and since January 1, 2019 have been in, material compliance with all Privacy and Data Security Requirements. (b) None of the Personal Information in the possession, custody, or control of the Company or any of its Subsidiaries, received by the Company or any of its Subsidiaries, or otherwise Processed by or on behalf of the Company or any of its Subsidiaries, has been collected by, or provided to the Company or any of its Subsidiaries by a third party, in material violation of any Privacy and Data Security Requirement. (c) The execution, delivery, and performance of this Agreement and the consummation of the transactions contemplated hereby, including the transfer of all Personal Information and confidential information in the possession, custody, or control of the Company and each of its Subsidiaries (including Personal Information and confidential information held or Processed by any Subprocessor), do not and will not: (i) materially conflict with or result in a material violation or breach of any Privacy and Data Security Requirement (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company or any of its Subsidiaries); or (ii) require the consent of or notice to any Person concerning such Person’s Personal Information or confidential information. Neither the Company nor any of its Subsidiaries are subject to any Privacy and Data Security Requirements or other legal obligations that, following the Closing, would prohibit the Company, any of the Company’s Subsidiaries, or Parent from receiving, using, or otherwise Processing Personal Information in substantially the same manner in which the Company or any of its Subsidiaries Processed such Personal Information prior to the Closing. (d) The Company and each of its Subsidiaries have at all times posted to each of their websites, mobile applications, and other online services and provided or otherwise made available to each data subject prior to Processing such data subject’s Personal Information an appropriate Company Privacy and Data Security Policy that materially complies with all Privacy and Data Security Requirements. No material disclosure or representation made or contained in any Company Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy and Data Security Requirement (including by containing any material omission). The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies that are currently in effect. The Company and each of its Subsidiaries have, to the extent required by Privacy and Data Security Requirements, obtained the consent of data subject to the Processing of Personal Information as required by Privacy and Data Security Requirements. The Company and each of its Subsidiaries have, in material compliance with all Privacy and Data Security Requirements, implemented all valid and lawful requests pertaining to access, notice, rectification, portability, deletion, restriction, automated decision making, or objection of any Person made to the Company or any of its Subsidiaries regarding Personal Information Processed by or on behalf of the Company or any of its Subsidiaries and with any other valid and lawful request related to data subject rights under Privacy Laws. (e) Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no Personal Information or confidential information in the possession, custody, or control of the Company or any of its Subsidiaries (including Personal Information and confidential information Processed by any Subprocessor on behalf of the Company) has been impacted by a material Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no IT Systems maintained or operated by or on behalf of the Company or any of its Subsidiaries have been impacted by a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, neither the Company nor any of its Subsidiaries have notified, and there have been no facts or circumstances that would require the Company or any of its Subsidiaries to notify, any data subject, Governmental Authority, or other Person of a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries. Neither the Company nor any of its Subsidiaries have directly been notified in writing of, or indirectly made is the subject of, any ▇▇▇▇▇▇ payments complaint, regulatory investigation or proceeding related to a Processing of Personal Data Incidentby any third party, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company Governmental Entity or payment card association, regarding any of its Subsidiaries, to any Person sanctioned by, or any Person located in a jurisdiction sanctioned by, the U.S. Department of Treasury’s Office of Foreign Assets Control or in violation material violations of any applicable Law. (f) Since January 1, 2019: (i) neither the Company nor any of its Subsidiaries have received any written notice, request, claim, complaint, correspondence, Privacy and Information Security Requirement by or other communication from any Governmental Authority or other Person, and; (ii) to the Knowledge of the Company, there has not been any audit, investigation, lawsuit, enforcement action (including any fines or other Sanctions), or other legal action, related with respect to the Company or any of its Subsidiaries’ Processing of Personal Information, the Company’s or any of its Subsidiaries’ privacy or data security practices, or any actual or alleged Data Incident or violation of any Privacy and Data Security Requirement.; (gii) The Company and each of its Subsidiaries have implemented and maintained appropriate administrative, technical, physical, and organizational safeguards, security measures, and controls, including a fully-implemented comprehensive written information security program appropriately designed to (i) identify and address internal and external risks to the privacy or security of Personal Information and confidential information; (ii) monitor and improve adequate safeguards, security measures, and controls employs commercially reasonable safeguards that protect Personal Information and confidential information and the operation, integrity, and security of its software, IT Systems, applications, and websites involved in the Processing of Personal Information or confidential information; (iii) protect Personal Information, confidential information, and information technology resources of the Company or any of its Subsidiaries against a Data Incident; and (iv) provide notification in compliance with applicable Privacy Laws in the event of a Data Incident.. The Company and each of its Subsidiaries have (i) implemented and maintained appropriate backups and disaster recovery and business continuity plans and (ii) regularly test such plans to ensure such plans are effective comply in all material respects upon such testing. (h) The Company and each of its Subsidiaries have entered into and maintained valid data processing agreements that materially comply with all applicable Privacy and Data Information Security Requirements to protect Company Data within its custody or control and requires the same of all vendors under contract with all customers and other Persons on whose behalf the Company or any of that Process Company Data on its Subsidiaries Processes or have Processed Personal Information. The Company and each of its Subsidiaries comply and have since January 1, 2019 materially complied with all such data processing agreementsbehalf. The Company and each of its Subsidiaries have entered into provided all requisite notices and maintained appropriate contractual agreements obtained all required consents, and satisfied all other requirements (including but not limited to notification to applicable Governmental Entities), necessary for the Processing (including international and onward transfer) of all Personal Data in connection with all Subprocessors that materially comply the conduct of the business as currently conducted and in connection with all Privacy and Data Security Requirements.the consummation of the transactions contemplated hereunder; and (i) The Company and each of its Subsidiaries have since January 1, 2019, at least annually performed an appropriate security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company and each of its Subsidiaries have used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessments. (jiii) Neither the Company nor any of its Subsidiaries have since January 1Subsidiaries, 2019to the Company’s knowledge, sold, licensed, rented, leased, released, disclosed, disseminated, made available, transferred, or communicated Personal Information has suffered a security breach with respect to another Person for any consideration (a “Data Sale”), except where such Sale complies with Privacy and Data Security Requirements. (k) The Company and each its Subsidiaries have since January 1, 2019, maintained cyber insurance policies that are adequate and suitable for the nature and volume of Personal Information and confidential information Processed by or on behalf of the Company Data and, to the Company’s knowledge, there has been no unauthorized or illegal use of, access or disclosure to, or unavailability of any Company Data. Neither the Company nor any of its Subsidiaries has notified, or been required to notify, any Person of any information security breach or other incident involving Personal Data. To the Company’s knowledge, the Company Systems have had no material errors or defects that have not been fully remedied and each contain no code designed to disrupt, disable, harm, distort, or otherwise impede in any manner the legitimate operation of such Company Systems (including what are sometimes referred to as “viruses,” “worms,” “time bombs,” or “back doors”) that have not been removed or fully remedied. Neither it nor any of its Subsidiaries, have experienced any disruption to, or interruption in, the conduct of its business that effected the business for more than one calendar week, and attributable to a defect, bug, breakdown, unauthorized access, introduction of a virus or other malicious programming, or other failure or deficiency on the part of any computer software or the Company Systems.

Data Privacy and Security. (a) The Company and each of its Subsidiaries are, and since Since January 1, 2019, the Company and its Subsidiaries have been at all times materially complied, and are currently in material compliance compliance, in all respects with all Privacy Requirements and Data Security Requirements. To all requirements contained in any Contract to which the Knowledge Company or any of its Subsidiaries is bound, in each case, relating to (i) the privacy of the Companyusers of the products, all Subprocessors areservices and websites of their business and/or (ii) the collection, use, storage, processing and disclosure of any Personal Data and other confidential data or information collected or stored by or on behalf of their business. No claims or Actions have been asserted or threatened against the Company or any of its Subsidiaries by any Person in relation to any actual or alleged Security Incident or otherwise for or arising as a result of any actual or alleged violation, breach of such Person’s privacy, personal or confidentiality rights under any applicable laws, rules, policies, procedures or Contracts, or other non-compliance with or of any Privacy Requirement in each instance. (b) The Company and its Subsidiaries are not, and since January 1, 2019 have not been, subject to a Governmental Order of, or since January 1, 2019 have received a notice from, and has not been inrequired to notify, material any Person or a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and Data Security Requirementsto ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (bc) None Each of the Personal Information in the possession, custody, or control of the Company or any of Company’s and its Subsidiaries’ current and former third-party data suppliers, received by the vendors, and partners that Process or have access to any Company PII or any of its Subsidiaries, or otherwise Processed by or other Personal Data on behalf of the Company or any of its Subsidiaries, has Subsidiaries are in material compliance with the Privacy Requirements and there have been collected byno unauthorized or illegal Processing, or provided to other breach, violation or default (or event that, with or without the Company giving of notice or lapse of time, would constitute a breach, violation or default) by any of its Subsidiaries by a third partysuch supplier, in material violation vendor or other partner of any Privacy and Data Security Requirement. (c) The execution, delivery, and performance of this Agreement and the consummation of the transactions contemplated hereby, including the transfer of all Personal Information and confidential information in the possession, custody, or control of the Company and each of its Subsidiaries (including Personal Information and confidential information held or Processed by any Subprocessor), do not and will not: (i) materially conflict with or result in a material violation or breach of any Privacy and Data Security Requirement (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company or any of its Subsidiaries); or (ii) require the consent of or notice to any Person concerning such Person’s Personal Information or confidential information. Neither the Company nor any of its Subsidiaries are subject to any Privacy and Data Security Requirements or other legal obligations that, following the Closing, would prohibit the Company, any of the Company’s Subsidiaries, or Parent from receiving, using, or otherwise Processing Personal Information in substantially the same manner in which the Company or any of its Subsidiaries Processed such Personal Information prior to the ClosingRequirements. (d) The Company and each consummation of its Subsidiaries have at all times posted to each of their websites, mobile applications, and other online services and provided or otherwise made available to each data subject prior to Processing such data subject’s Personal Information an appropriate Company Privacy and Data Security Policy that materially complies with all Privacy and Data Security Requirements. No material disclosure or representation made or contained in any Company Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of the transactions contemplated by this Agreement will not breach any Privacy and Data Security Requirement (including by containing any material omission). The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies that are currently in effect. The Company and each of its Subsidiaries have, to the extent required by Privacy and Data Security Requirements, obtained the consent of data subject to the Processing of Personal Information as required by Privacy and Data Security Requirements. The Company and each of its Subsidiaries have, in material compliance with all Privacy and Data Security Requirements, implemented all valid and lawful requests pertaining to access, notice, rectification, portability, deletion, restriction, automated decision making, or objection of any Person made to the Company or any of its Subsidiaries regarding Personal Information Processed by or on behalf of the Company or any of its Subsidiaries and with any other valid and lawful request related to data subject rights under Privacy Laws. (e) Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no Personal Information or confidential information in the possession, custody, or control of the Company or any of its Subsidiaries (including Personal Information and confidential information Processed by any Subprocessor on behalf of the Company) has been impacted by a material Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no IT Systems maintained or operated by or on behalf of the Company or any of its Subsidiaries have been impacted by a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, neither the Company nor any of its Subsidiaries have notified, and there have been no facts or circumstances that would require the Company or any of its Subsidiaries to notify, any data subject, Governmental Authority, or other Person of a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries. Neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries, to any Person sanctioned by, or any Person located in a jurisdiction sanctioned by, the U.S. Department of Treasury’s Office of Foreign Assets Control or in violation of any applicable Law. (f) Since January 1, 2019: (i) neither the Company nor any of its Subsidiaries have received any written notice, request, claim, complaint, correspondence, or other communication from any Governmental Authority or other Person, and; (ii) to the Knowledge of the Company, there has not been any audit, investigation, lawsuit, enforcement action (including any fines or other Sanctions), or other legal action, related to the Company or any of its Subsidiaries’ Processing of Personal Information, the Company’s or any of its Subsidiaries’ privacy or data security practices, or any actual or alleged Data Incident or violation of any Privacy and Data Security Requirement. (g) The Company and each of its Subsidiaries have implemented and maintained appropriate administrative, technical, physical, and organizational safeguards, security measures, and controls, including a fully-implemented comprehensive written information security program appropriately designed to (i) identify and address internal and external risks to the privacy or security of Personal Information and confidential information; (ii) monitor and improve adequate safeguards, security measures, and controls that protect Personal Information and confidential information and the operation, integrity, and security of its software, IT Systems, applications, and websites involved in the Processing of Personal Information or confidential information; (iii) protect Personal Information, confidential information, and information technology resources of the Company or any of its Subsidiaries against a Data Incident; and (iv) provide notification in compliance with applicable Privacy Laws in the event of a Data Incident.. The Company and each of its Subsidiaries have (i) implemented and maintained appropriate backups and disaster recovery and business continuity plans and (ii) regularly test such plans to ensure such plans are effective in all material respects upon such testing. (h) The Company and each of its Subsidiaries have entered into and maintained valid data processing agreements that materially comply with Privacy and Data Security Requirements with all customers and other Persons on whose behalf the Company or any of its Subsidiaries Processes or have Processed Personal Information. The Company and each of its Subsidiaries comply and have since January 1, 2019 materially complied with all such data processing agreements. The Company and each of its Subsidiaries have entered into and maintained appropriate contractual agreements with all Subprocessors that materially comply with all Privacy and Data Security Requirements. (i) The Company and each of its Subsidiaries have since January 1, 2019, at least annually performed an appropriate security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company and each of its Subsidiaries have used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessments. (j) Neither the Company nor any of its Subsidiaries have since January 1, 2019, sold, licensed, rented, leased, released, disclosed, disseminated, made available, transferred, or communicated Personal Information to another Person for any consideration (a “Data Sale”), except where such Sale complies with Privacy and Data Security Requirements. (k) The Company and each its Subsidiaries have since January 1, 2019, maintained cyber insurance policies that are adequate and suitable for the nature and volume of Personal Information and confidential information Processed by or on behalf of the Company and each of its Subsidiaries.

Data Privacy and Security. (a) The Except as otherwise disclosed in the Registration Statement and the Prospectus or as would not be reasonably be expected to have, individually or in the aggregate, a Material Adverse Effect, the Company and each of its Subsidiaries are, and since January 1, 20192023, have been has been, in material compliance with all applicable Privacy and Security Requirements. Except as otherwise disclosed in the Registration Statement and the Prospectus, the Company and each of its Subsidiaries has, where appropriate to the risk level, implemented technical, administrative and organizational measures, including policies relating to the lawful Processing of Personal Data, data privacy and data security, as and to the extent required by applicable Privacy Law (“Privacy and Data Security RequirementsPolicies”). To Except as otherwise disclosed in the Knowledge of Registration Statement and the CompanyProspectus, all Subprocessors are, and since January 1, 2019 have 2023, there has been inno Proceeding, material compliance with all Privacy and Data Security Requirements. (b) None of to the Personal Information in the possessionCompany’s knowledge, custody, or control of there is no Proceeding currently pending against the Company or any of its SubsidiariesSubsidiaries initiated by any Person (including (i) the United States Federal Trade Commission, received by the Company any state attorney general or any of its Subsidiariessimilar state official, or otherwise Processed (ii) any other Governmental Entity, foreign or domestic) that, in each case, alleged that any Processing of Personal Data by or on behalf of the Company or any of its Subsidiaries, has been collected by, Subsidiary is or provided to the Company or any of its Subsidiaries by a third party, was in material violation of any Privacy and Data Security Requirement. (c) The execution, delivery, and performance of this Agreement and the consummation of the transactions contemplated hereby, including the transfer of all Personal Information and confidential information in the possession, custody, Requirements or control of the Company and each of its Subsidiaries (including Personal Information and confidential information held or Processed by any Subprocessor), do not and will not: (i) materially conflict with or result in a material violation or breach of any Privacy and Data Security Requirement (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company or any of its Subsidiaries); or (ii) require the consent of or notice to any Person concerning such Person’s Personal Information or confidential information. Neither the Company nor any of its Subsidiaries are subject to any Privacy and Data Security Requirements or other legal obligations that, following the Closing, would prohibit the Company, any of the Company’s Subsidiaries, or Parent from receiving, using, or otherwise Processing Personal Information in substantially the same manner in which the Company or any of its Subsidiaries Processed such Personal Information prior to the Closing. (d) The Company and each of its Subsidiaries have at all times posted to each of their websites, mobile applications, and other online services and provided or otherwise made available to each data subject prior to Processing such data subject’s Personal Information an appropriate Company Privacy and Data Security Policy that materially complies with all Privacy and Data Security Requirements. No material disclosure or representation made or contained in any Company Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy and Data Security Requirement (including by containing any material omission). The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies that are currently in effect. The Company and each of its Subsidiaries have, to the extent required by Privacy and Data Security Requirements, obtained the consent of data subject to the Processing of Personal Information as required by Privacy and Data Security Requirements. The Company and each of its Subsidiaries have, in material compliance with all Privacy and Data Security Requirements, implemented all valid and lawful requests pertaining to access, notice, rectification, portability, deletion, restriction, automated decision making, or objection of any Person made to the Company or any of its Subsidiaries regarding Personal Information Processed by or on behalf of the Company or any of its Subsidiaries and with any other valid and lawful request related to data subject rights under Privacy Laws. (e) Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no Personal Information or confidential information in the possession, custody, or control of the Company or any of its Subsidiaries (including Personal Information and confidential information Processed by any Subprocessor on behalf of the Company) has been impacted by a material Data IncidentPolicies. Except as set forth otherwise disclosed in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no IT Systems maintained or operated by or on behalf of Registration Statement and the Company or any of its Subsidiaries have been impacted by a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019Prospectus, neither the Company nor any of its Subsidiaries have notifiedis under any Order issued by any Governmental Entity, foreign or domestic, related to Privacy and Security Requirements. Except as otherwise disclosed in the Registration Statement and the Prospectus, to the Company’s knowledge, since January 1, 2023, (i) there have been no facts incidents of unauthorized Processing of Personal Data that have adversely affected the business or circumstances that would require operations of the Company or any of its Subsidiaries to notify, any data subject, Governmental Authority, or other Person of a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries. Neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries, to any Person sanctioned by, or any Person located in a jurisdiction sanctioned bymaterial way, the U.S. Department of Treasury’s Office of Foreign Assets Control or in violation of any applicable Law. and (f) Since January 1, 2019: (iii) neither the Company nor any of its Subsidiaries have received has notified, or has been required by applicable Privacy Laws or agreement to notify, any written noticePerson of any (A) loss, requesttheft or damage of, claimor (B) other unauthorized access to, complaintacquisition of, correspondenceor use, disclosure, or other communication from any Governmental Authority or other Person, and; (ii) to the Knowledge of the Company, there has not been any audit, investigation, lawsuit, enforcement action (including any fines or other Sanctions), or other legal action, related to the Company or any of its Subsidiaries’ Processing of Personal Information, the Company’s or any of its Subsidiaries’ privacy or data security practices, or any actual or alleged Data Incident or violation of any Privacy and Data Security RequirementData. (g) The Company and each of its Subsidiaries have implemented and maintained appropriate administrative, technical, physical, and organizational safeguards, security measures, and controls, including a fully-implemented comprehensive written information security program appropriately designed to (i) identify and address internal and external risks to the privacy or security of Personal Information and confidential information; (ii) monitor and improve adequate safeguards, security measures, and controls that protect Personal Information and confidential information and the operation, integrity, and security of its software, IT Systems, applications, and websites involved in the Processing of Personal Information or confidential information; (iii) protect Personal Information, confidential information, and information technology resources of the Company or any of its Subsidiaries against a Data Incident; and (iv) provide notification in compliance with applicable Privacy Laws in the event of a Data Incident.. The Company and each of its Subsidiaries have (i) implemented and maintained appropriate backups and disaster recovery and business continuity plans and (ii) regularly test such plans to ensure such plans are effective in all material respects upon such testing. (h) The Company and each of its Subsidiaries have entered into and maintained valid data processing agreements that materially comply with Privacy and Data Security Requirements with all customers and other Persons on whose behalf the Company or any of its Subsidiaries Processes or have Processed Personal Information. The Company and each of its Subsidiaries comply and have since January 1, 2019 materially complied with all such data processing agreements. The Company and each of its Subsidiaries have entered into and maintained appropriate contractual agreements with all Subprocessors that materially comply with all Privacy and Data Security Requirements. (i) The Company and each of its Subsidiaries have since January 1, 2019, at least annually performed an appropriate security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company and each of its Subsidiaries have used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessments. (j) Neither the Company nor any of its Subsidiaries have since January 1, 2019, sold, licensed, rented, leased, released, disclosed, disseminated, made available, transferred, or communicated Personal Information to another Person for any consideration (a “Data Sale”), except where such Sale complies with Privacy and Data Security Requirements. (k) The Company and each its Subsidiaries have since January 1, 2019, maintained cyber insurance policies that are adequate and suitable for the nature and volume of Personal Information and confidential information Processed by or on behalf of the Company and each of its Subsidiaries.

Data Privacy and Security. (a) The Company and each of its Subsidiaries arehave developed, implemented and since January 1maintained a written data protection, 2019, have been data privacy and cybersecurity program (the “Data Protection Program”) that is in compliance in all material compliance respects with all Privacy and Data Security Requirements. To the Knowledge knowledge of the Company, all Subprocessors arethe Company and its Subsidiaries have not experienced any Security Incident that (i) was material or (ii) otherwise in respect of which the Privacy Requirements would require or recommend the Company or its Subsidiaries notify any Person or Governmental Authority, except as would not reasonably be expected to be, individually or in the aggregate, material to the Company and since its Subsidiaries, taken as a whole. Since January 1, 2019 have been in2018, material compliance with all Privacy and Data Security Requirements. (b) None of the Personal Information in the possession, custody, no Person has claimed any compensation or control of the Company or any of its Subsidiaries, received by damages from the Company or any of its Subsidiaries, or otherwise Processed by or on behalf has brought or, to the knowledge of the Company or Company, threatened in writing to bring any of its Subsidiaries, has been collected by, or provided to Action against the Company or any of its Subsidiaries by in relation to any actual or alleged Security Incident or otherwise for or arising as a third partyresult of any actual or alleged violation, in material violation breach or other non-compliance with or of any Privacy Requirement in each instance that would reasonably be expected to be, individually or in the aggregate, material to the Company and Data Security Requirementits Subsidiaries, taken as a whole. (c) The execution, delivery, and performance of this Agreement and the consummation of the transactions contemplated hereby, including the transfer of all Personal Information and confidential information in the possession, custody, or control of the Company and each of its Subsidiaries (including Personal Information and confidential information held or Processed by any Subprocessor), do not and will not: (i) materially conflict with or result in a material violation or breach of any Privacy and Data Security Requirement (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company or any of its Subsidiaries); or (ii) require the consent of or notice to any Person concerning such Person’s Personal Information or confidential information. Neither the Company nor any of its Subsidiaries are subject to any Privacy and Data Security Requirements or other legal obligations that, following the Closing, would prohibit the Company, any of the Company’s Subsidiaries, or Parent from receiving, using, or otherwise Processing Personal Information in substantially the same manner in which the Company or any of its Subsidiaries Processed such Personal Information prior to the Closing. (db) The Company and each of its Subsidiaries have at all times posted to each of their websites, mobile applications, and other online services and provided or otherwise made available to each data subject prior to Processing such data subject’s Personal Information an appropriate Company Privacy and Data Security Policy that materially complies complied in all material respects with all Privacy and Data Security Requirements. No material disclosure or representation made or contained in any Company Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy and Data Security Requirement (including by containing any material omission). The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies that are currently in effect. The Company and each of its Subsidiaries have, to the extent required by Privacy and Data Security Requirements, obtained the consent of data subject Requirements with respect to the Processing of Personal Personally Identifiable Information as and other data, including (i) providing adequate notice and obtaining any necessary consents from customers required by Privacy and Data Security Requirements. The Company and each for the Processing of its Subsidiaries have, in material compliance with all Privacy and Data Security Requirements, implemented all valid and lawful requests pertaining to access, notice, rectification, portability, deletion, restriction, automated decision making, or objection of any Person made to the Company or any of its Subsidiaries regarding Personal Information Processed PII as conducted by or on behalf of the Company or any of its Subsidiaries and with (ii) abiding by any other valid and lawful request related to data subject rights under Privacy Laws. privacy choices (e) Except as set forth in Section 3.17(cincluding opt-outs, do-not-calls or similar choices) of the end users relating to Personally Identifiable Information. The Company Disclosure Letterand its Subsidiaries are not, and since January 1, 20192018, no Personal Information or confidential information in the possessionhave not been, custodysubject to a Governmental Order of, or control have received a written notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of the any Privacy Requirement. The Company or any of and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII, in each case in all material respects. (including Personal Information and confidential information Processed by any Subprocessor on behalf c) To the knowledge of the Company) has been impacted by a material Data Incident. Except as set forth in Section 3.17(c) , each of the Company’s and its Subsidiaries’ third-party data suppliers, vendors, and partners that Process any Company Disclosure Letter, since January 1, 2019, no IT Systems maintained PII or operated by or other Personally Identifiable Information on behalf of the Company or any of its Subsidiaries have been impacted by a Data Incident. Except as set forth are in Section 3.17(c) of compliance in all material respects with the Company Disclosure Letter, since January 1, 2019, neither the Company nor any of its Subsidiaries have notified, Privacy Requirements and there have been no facts unauthorized or circumstances that would require the Company or any of its Subsidiaries to notify, any data subject, Governmental Authorityillegal Processing, or other Person breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a Data Incident. Except as set forth in Section 3.17(cbreach, violation or default) of the Company Disclosure Letterby any such supplier, neither the Company nor any of its Subsidiaries have directly vendor or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries. Neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries, to any Person sanctioned by, or any Person located in a jurisdiction sanctioned by, the U.S. Department of Treasury’s Office of Foreign Assets Control or in violation other partner of any applicable LawPrivacy Requirements. (fd) Since January 1, 2019: (i) neither To the Company nor any of its Subsidiaries have received any written notice, request, claim, complaint, correspondence, or other communication from any Governmental Authority or other Person, and; (ii) to the Knowledge knowledge of the Company, there has the consummation of the transactions contemplated by this Agreement will not been any audit, investigation, lawsuit, enforcement action (including any fines or other Sanctions), or other legal action, related to the Company or any of its Subsidiaries’ Processing of Personal Information, the Company’s or any of its Subsidiaries’ privacy or data security practices, or any actual or alleged Data Incident or violation of breach any Privacy and Data Security RequirementRequirements in any material respect. (g) The Company and each of its Subsidiaries have implemented and maintained appropriate administrative, technical, physical, and organizational safeguards, security measures, and controls, including a fully-implemented comprehensive written information security program appropriately designed to (i) identify and address internal and external risks to the privacy or security of Personal Information and confidential information; (ii) monitor and improve adequate safeguards, security measures, and controls that protect Personal Information and confidential information and the operation, integrity, and security of its software, IT Systems, applications, and websites involved in the Processing of Personal Information or confidential information; (iii) protect Personal Information, confidential information, and information technology resources of the Company or any of its Subsidiaries against a Data Incident; and (iv) provide notification in compliance with applicable Privacy Laws in the event of a Data Incident.. The Company and each of its Subsidiaries have (i) implemented and maintained appropriate backups and disaster recovery and business continuity plans and (ii) regularly test such plans to ensure such plans are effective in all material respects upon such testing. (h) The Company and each of its Subsidiaries have entered into and maintained valid data processing agreements that materially comply with Privacy and Data Security Requirements with all customers and other Persons on whose behalf the Company or any of its Subsidiaries Processes or have Processed Personal Information. The Company and each of its Subsidiaries comply and have since January 1, 2019 materially complied with all such data processing agreements. The Company and each of its Subsidiaries have entered into and maintained appropriate contractual agreements with all Subprocessors that materially comply with all Privacy and Data Security Requirements. (i) The Company and each of its Subsidiaries have since January 1, 2019, at least annually performed an appropriate security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company and each of its Subsidiaries have used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessments. (j) Neither the Company nor any of its Subsidiaries have since January 1, 2019, sold, licensed, rented, leased, released, disclosed, disseminated, made available, transferred, or communicated Personal Information to another Person for any consideration (a “Data Sale”), except where such Sale complies with Privacy and Data Security Requirements. (k) The Company and each its Subsidiaries have since January 1, 2019, maintained cyber insurance policies that are adequate and suitable for the nature and volume of Personal Information and confidential information Processed by or on behalf of the Company and each of its Subsidiaries.

Data Privacy and Security. (a) The Company data, privacy and each security practices of its Subsidiaries areAcquired Companies’ and their Subsidiaries’ and their Processing of Personal Data (if any) have complied, and since January 1do comply, 2019, have been in all material compliance respects with all applicable Privacy and Data Security RequirementsCommitments. To the Knowledge of the CompanySeller, all Subprocessors are, and since January 1, 2019 have been in, material compliance with all Privacy and Data Security Requirements. (b) None of the Personal Information in the possession, custody, or control of the Company or any of its Subsidiaries, received by the Company or any of its Subsidiaries, or otherwise Processed by or on behalf of the Company or any of its Subsidiaries, has been collected by, or provided to the Company or any of its Subsidiaries by a third party, in material violation of any Privacy and Data Security Requirement. (c) The execution, delivery, delivery and performance of this Agreement and the consummation of the transactions contemplated herebyherein will not cause, including the transfer of all Personal Information and confidential information in the possession, custody, or control of the Company and each of its Subsidiaries (including Personal Information and confidential information held or Processed by any Subprocessor), do not and will not: (i) materially conflict with constitute or result in a material breach or violation of any applicable Privacy Commitments of the Acquired Companies and their Subsidiaries and, following the Closing Date, the Acquired Companies and their Subsidiaries will continue to be permitted to Process all Personal Data held by the Acquired Companies or breach their Subsidiaries on terms substantially similar to those in effect as of the date of this Agreement and to the same extent the Acquired Companies and their Subsidiaries would have been able to had the Transactions not occurred. (b) The Acquired Companies and their Subsidiaries maintain reasonable technical, physical and organizational measures and safeguards to prevent the unlawful Processing of Personal Data and unauthorized access, accidental loss or destruction of or damage to Personal Data in their respective possession or control, which measures are in material compliance with all applicable data security requirements under the Privacy Laws). (c) The Acquired Companies and their Subsidiaries have at all times presented a privacy policy which complies, in all material respects, with Privacy Laws to data subjects prior to the collection of any Personal Data, and, to the Knowledge of Seller, no such privacy policy is or has been inaccurate, misleading or deceptive. (d) The Acquired Companies or their Subsidiaries do not sell, rent or otherwise make available to any Person any Personal Data, except in a manner that complies in all material respects with the applicable Privacy Commitments. To the Knowledge of the Seller, none of the Acquired Companies nor any of their respective Subsidiaries have transferred or permitted the transfer of Personal Data originating in the EEA or UK outside the EEA or UK, except where such transfers have materially complied with the requirements of Privacy Laws and the Acquired Companies’ or their Subsidiaries’ Privacy Policies. (e) Neither the Acquired Companies nor any of their Subsidiaries has received any notice of any Legal Proceeding, Order, regulatory opinion, audit result or other allegation from a Governmental Entity or any other Person in the last six (6) years: (i) alleging or confirming non-compliance with a relevant requirement of any Privacy and Data Security Requirement (as currently existing or as existing at Commitments by any time during which any Personal Information was collected or Processed by or for the Acquired Company or any of its Subsidiaries); or (ii) require giving notice of any Governmental Entity’s investigation, requisition of information from, or intention to enter the consent of premises of, the Acquired Companies or notice to any Person concerning such Person’s Personal Information or confidential information. Neither the Company nor any of its their Subsidiaries are subject to any Privacy and Data Security Requirements or other legal obligations that, following the Closing, would prohibit the Company, in connection with any of the Company’s Subsidiaries, or Parent from receiving, using, or otherwise Processing Personal Information in substantially the same manner in which the Company or any of its Subsidiaries Processed such Personal Information prior to the Closingforegoing. (d) The Company and each of its Subsidiaries have at all times posted to each of their websites, mobile applications, and other online services and provided or otherwise made available to each data subject prior to Processing such data subject’s Personal Information an appropriate Company Privacy and Data Security Policy that materially complies with all Privacy and Data Security Requirements. No material disclosure or representation made or contained in any Company Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy and Data Security Requirement (including by containing any material omission). The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies that are currently in effect. The Company and each of its Subsidiaries have, to the extent required by Privacy and Data Security Requirements, obtained the consent of data subject to the Processing of Personal Information as required by Privacy and Data Security Requirements. The Company and each of its Subsidiaries have, in material compliance with all Privacy and Data Security Requirements, implemented all valid and lawful requests pertaining to access, notice, rectification, portability, deletion, restriction, automated decision making, or objection of any Person made to the Company or any of its Subsidiaries regarding Personal Information Processed by or on behalf of the Company or any of its Subsidiaries and with any other valid and lawful request related to data subject rights under Privacy Laws. (e) Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no Personal Information or confidential information in the possession, custody, or control of the Company or any of its Subsidiaries (including Personal Information and confidential information Processed by any Subprocessor on behalf of the Company) has been impacted by a material Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no IT Systems maintained or operated by or on behalf of the Company or any of its Subsidiaries have been impacted by a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, neither the Company nor any of its Subsidiaries have notified, and there have been no facts or circumstances that would require the Company or any of its Subsidiaries to notify, any data subject, Governmental Authority, or other Person of a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries. Neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries, to any Person sanctioned by, or any Person located in a jurisdiction sanctioned by, the U.S. Department of Treasury’s Office of Foreign Assets Control or in violation of any applicable Law. (f) Since January 1, 2019: (i) neither the Company nor any of its Subsidiaries have received any written notice, request, claim, complaint, correspondence, or other communication from any Governmental Authority or other Person, and; (ii) to the Knowledge of the Company, there has not been any audit, investigation, lawsuit, enforcement action (including any fines or other Sanctions), or other legal action, related to the Company or any of its Subsidiaries’ Processing of Personal Information, the Company’s or any of its Subsidiaries’ privacy or data security practices, or any actual or alleged Data Incident or violation of any Privacy and Data Security Requirement. (g) The Company and each of its Subsidiaries have implemented and maintained appropriate administrative, technical, physical, and organizational safeguards, security measures, and controls, including a fully-implemented comprehensive written information security program appropriately designed to (i) identify and address internal and external risks to the privacy or security of Personal Information and confidential information; (ii) monitor and improve adequate safeguards, security measures, and controls that protect Personal Information and confidential information and the operation, integrity, and security of its software, IT Systems, applications, and websites involved in the Processing of Personal Information or confidential information; (iii) protect Personal Information, confidential information, and information technology resources of the Company or any of its Subsidiaries against a Data Incident; and (iv) provide notification in compliance with applicable Privacy Laws in the event of a Data Incident.. The Company and each of its Subsidiaries have (i) implemented and maintained appropriate backups and disaster recovery and business continuity plans and (ii) regularly test such plans to ensure such plans are effective in all material respects upon such testing. (h) The Company and each of its Subsidiaries have entered into and maintained valid data processing agreements that materially comply with Privacy and Data Security Requirements with all customers and other Persons on whose behalf the Company or any of its Subsidiaries Processes or have Processed Personal Information. The Company and each of its Subsidiaries comply and have since January 1, 2019 materially complied with all such data processing agreements. The Company and each of its Subsidiaries have entered into and maintained appropriate contractual agreements with all Subprocessors that materially comply with all Privacy and Data Security Requirements. (i) The Company and each of its Subsidiaries have since January 1, 2019, at least annually performed an appropriate security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company and each of its Subsidiaries have used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessments. (j) Neither the Company nor any of its Subsidiaries have since January 1, 2019, sold, licensed, rented, leased, released, disclosed, disseminated, made available, transferred, or communicated Personal Information to another Person for any consideration (a “Data Sale”), except where such Sale complies with Privacy and Data Security Requirements. (k) The Company and each its Subsidiaries have since January 1, 2019, maintained cyber insurance policies that are adequate and suitable for the nature and volume of Personal Information and confidential information Processed by or on behalf of the Company and each of its Subsidiaries.

Data Privacy and Security. (a) The Company and each of its Subsidiaries areis, and at all times since January 1December 31, 2019, have 2016 has been in material compliance with respect to: (i) customer Contracts, (ii) all applicable Laws relating to the safeguarding of and access to Personally Identifiable Information, including all Privacy and Data Security Requirements. To the Knowledge of the Company, all Subprocessors areLaws, and since January 1(iii) all Contracts (or portions thereof) between the Company and its vendors, 2019 have been in, material compliance with all Privacy marketing affiliates or other partners that are applicable to the use and Data Security Requirementsdisclosure of Personally Identifiable Information. (b) None The Company is, and at all times since December 31, 2016 has been in compliance with its stated privacy policies including any privacy policies distributed to employees of the Personal Information in the possession, custody, or control of the Company or customers and privacy policies contained on any of its Subsidiaries, received by the Company or any of its Subsidiaries, or otherwise Processed websites maintained by or on behalf of the Company except where non-compliance would not result, individually or in the aggregate, in a Material Adverse Effect. The Company’s privacy policies concerning the collection, use, storage, registration and disclosure of Personally Identifiable Information are accurate, comprehensive and implemented, and conform, and at all times since December 31, 2016 have conformed to the Company’s contractual commitments (including to its customers and their employees or other users whose Personally Identifiable Information the Company collects, uses, or stores in the course of the Business), except where such inaccuracy or non-conformity would not result, individually or in the aggregate, in a Material Adverse Effect. Neither this Agreement or the ancillary documents contemplated by this Agreement, nor the Transactions contemplated hereby or thereby will violate any applicable Privacy and Security Laws or any of its Subsidiariesthe Company’s privacy policies as they currently exist or as they existed at any time since December 31, has 2016. All applicable and necessary filings, registrations and/or notifications have been collected by, or provided made to Governmental Entities in relation to the Company or any processing activities including export of its Subsidiaries personal data undertaken the by a third party, in material violation of any Privacy and Data Security Requirementthe Company. (c) The execution, delivery, and performance of this Agreement and the consummation of the transactions contemplated herebyCompany contractually requires third parties, including vendors, marketing partners and other Persons providing services to the transfer Company who, to any material degree, have access to or receive Personally Identifiable Information from the Company to comply with all applicable Laws regarding the use of all Personal such Personally Identifiable Information and confidential information in the possession, custody, to use commercially reasonable efforts to protect such Personally Identifiable Information against unauthorized access or control of the Company and each of its Subsidiaries (including Personal Information and confidential information held or Processed by any Subprocessor), do not and will not: (i) materially conflict with or result in a material violation or breach of any Privacy and Data Security Requirement (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company or any of its Subsidiaries); or (ii) require the consent of or notice to any Person concerning such Person’s Personal Information or confidential informationuse. Neither the Company nor any of its Subsidiaries are subject to any Privacy and Data Security Requirements or other legal obligations that, following the Closing, would prohibit the Company, any of To the Company’s SubsidiariesKnowledge, or Parent from receiving, using, or otherwise Processing Personal Information no third party is in substantially the same manner in which the Company or any breach of its Subsidiaries Processed contractual obligations regarding such Personal Information prior third party’s use of or access to the ClosingPersonally Identifiable Information. (d) The Company and each of its Subsidiaries have at all times posted to each of their websites, mobile applications, and other online services and provided or otherwise made available to each data subject prior to Processing such data subject’s Personal Information an appropriate Company Privacy and Data Security Policy that materially complies has used commercially reasonable efforts consistent with all Privacy applicable Laws, prevailing industry practices and Data Security Requirements. No material disclosure or representation made or contained in any Company Privacy the Company’s privacy policies to protect the integrity, security and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy and Data Security Requirement (including by containing any material omission). The Company has delivered or made available to Buyer true, complete, and correct copies confidentiality of all Company Privacy and Data Security Policies that are currently in effect. The Company and each of its Subsidiaries have, to Personally Identifiable Information maintained by the extent required by Privacy and Data Security Requirements, obtained the consent of data subject to the Processing of Personal Information as required by Privacy and Data Security Requirements. The Company and each of its Subsidiaries have, in material compliance with all Privacy and Data Security Requirements, implemented all valid and lawful requests pertaining to access, notice, rectification, portability, deletion, restriction, automated decision making, or objection of any Person made to the Company or any of its Subsidiaries regarding Personal Information Processed by or on behalf of the Company or any of its Subsidiaries and with any other valid and lawful request related to data subject rights under Privacy LawsCompany. (e) Except as set forth in Section 3.17(cTo the Company’s Knowledge, there has been no material loss, unauthorized or illegal use, processing or disclosure of, or access to, any Personally Identifiable Information stored or secured by or for the Company. (f) of No claims or proceedings have been asserted or, to the Company’s Knowledge, are threatened against the Company Disclosure Letter, since January 1, 2019, no Personal Information or confidential information in the possession, custody, or control of the Company or any of its Subsidiaries (including Personal Information and confidential information Processed by any Subprocessor on behalf Person alleging a violation of any Person’s privacy, personal or confidentiality rights including rights under any of the Company) ’s privacy policies. The Company is not currently and has not been impacted under investigation by a material Data Incident. Except as set forth in Section 3.17(c) of any Governmental Entity or received any written or, to the Company Disclosure LetterCompany’s Knowledge, since January 1oral claim, 2019complaint, no IT Systems maintained inquiry or operated by or on behalf of the Company notice from any third party or any of its Subsidiaries have been impacted by a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, neither the Company nor any of its Subsidiaries have notified, and there have been no facts or circumstances that would require the Company or any of its Subsidiaries to notify, any data subject, Governmental Authority, or other Person of a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments Entity related to a Data Incidentwhether the Company’s collection, including ▇▇▇▇▇▇ payments made by another Person on behalf processing, use, storage, maintenance, access, receipt, security and/or disclosure of the Company or any of its Subsidiaries. Neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries, to any Person sanctioned by, or any Person located in a jurisdiction sanctioned by, the U.S. Department of Treasury’s Office of Foreign Assets Control or Personally Identifiable Information (i) is in violation of any applicable Law. (f) Since January 1Laws, 2019: (i) neither the Company nor any of its Subsidiaries have received any written notice, request, claim, complaint, correspondence, privacy policies or other communication from any Governmental Authority security policies or other Person, and; (ii) to the Knowledge of the Companyotherwise constitutes an unfair, there has not been any audit, investigation, lawsuit, enforcement action (including any fines deceptive or other Sanctions), or other legal action, related to the Company or any of its Subsidiaries’ Processing of Personal Information, the Company’s or any of its Subsidiaries’ privacy or data security practices, or any actual or alleged Data Incident or violation of any Privacy and Data Security Requirementmisleading trade practice. (g) The Company and each of its Subsidiaries have implemented and maintained appropriate administrative, technical, physical, and organizational safeguards, security measures, and controls, including a fully-implemented comprehensive written information security program appropriately designed to (i) identify and address internal and external risks to the privacy or security of Personal Information and confidential information; (ii) monitor and improve adequate safeguards, security measures, and controls that protect Personal Information and confidential information and the operation, integrity, and security of its software, IT Systems, applications, and websites involved in the Processing of Personal Information or confidential information; (iii) protect Personal Information, confidential information, and information technology resources of the Company or any of its Subsidiaries against a Data Incident; and (iv) provide notification in compliance with applicable Privacy Laws in the event of a Data Incident.. The Company and each of its Subsidiaries have (i) implemented and maintained appropriate backups and disaster recovery and business continuity plans and (ii) regularly test such plans to ensure such plans are effective in all material respects upon such testing. (h) The Company and each of its Subsidiaries have entered into and maintained valid data processing agreements that materially comply with Privacy and Data Security Requirements with all customers and other Persons on whose behalf the Company or any of its Subsidiaries Processes or have Processed Personal Information. The Company and each of its Subsidiaries comply and have since January 1, 2019 materially complied with all such data processing agreements. The Company and each of its Subsidiaries have entered into and maintained appropriate contractual agreements with all Subprocessors that materially comply with all Privacy and Data Security Requirements. (i) The Company and each of its Subsidiaries have since January 1, 2019, at least annually performed an appropriate security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company and each of its Subsidiaries have used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessments. (j) Neither the Company nor any of its Subsidiaries have since January 1, 2019, sold, licensed, rented, leased, released, disclosed, disseminated, made available, transferred, or communicated Personal Information to another Person for any consideration (a “Data Sale”), except where such Sale complies with Privacy and Data Security Requirements. (k) The Company and each its Subsidiaries have since January 1, 2019, maintained cyber insurance policies that are adequate and suitable for the nature and volume of Personal Information and confidential information Processed by or on behalf of the Company and each of its Subsidiaries.

Data Privacy and Security. (a) The Company and each of its Subsidiaries are, and since January 1, 2019, have been in material compliance with all Privacy and Data Security Requirements. To the Knowledge of the Company, all Subprocessors are, and since January 1, 2019 have been in, material compliance with all Privacy and Data Security Requirements. (b) None of the Personal Information in the possession, custody, or control of the Company or any of its Subsidiaries, received by the Company or any of its Subsidiaries, or otherwise Processed by or on behalf of the Company or any of its Subsidiaries, has been collected by, or provided to the Company or any of its Subsidiaries by a third party, in material violation of any Privacy and Data Security Requirement. (c) The execution, delivery, and performance of this Agreement and the consummation of the transactions contemplated hereby, including the transfer of all Personal Information and confidential information in the possession, custody, or control of the Company and each of its Subsidiaries (including Personal Information and confidential information held or Processed by any Subprocessor), do not and will not: (i) materially conflict with or result in a material violation or breach of any Privacy and Data Security Requirement (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company or any of its Subsidiaries); or (ii) require the consent of or notice to any Person concerning such Person’s Personal Information or confidential information. Neither the Company nor any of its Subsidiaries are subject to any Privacy and Data Security Requirements or other legal obligations that, following the Closing, would prohibit the Company, any of the Company’s Subsidiaries, or Parent from receiving, using, or otherwise Processing Personal Information in substantially the same manner in which the Company or any of its Subsidiaries Processed such Personal Information prior to the Closing. (d) The Company and each of its Subsidiaries have at all times posted to each of their websites, mobile applications, and other online services and provided or otherwise made available to each data subject prior to Processing such data subject’s Personal Information an appropriate Company Privacy and Data Security Policy that materially complies with all Privacy and Data Security Requirements. No material disclosure or representation made or contained in any Company Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy and Data Security Requirement (including by containing any material omission). The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies that are currently in effect. The Company and each of its Subsidiaries have, to the extent required by Privacy and Data Security Requirements, obtained the consent of data subject to the Processing of Personal Information as required by Privacy and Data Security Requirements. The Company and each of its Subsidiaries have, in material compliance with all Privacy and Data Security Requirements, implemented all valid and lawful requests pertaining to access, notice, rectification, portability, deletion, restriction, automated decision making, or objection of any Person made to the Company or any of its Subsidiaries regarding Personal Information Processed by or on behalf of the Company or any of its Subsidiaries and with any other valid and lawful request related to data subject rights under Privacy Laws. (e) Except as set forth in Section 3.17(c3.15(a) of the Company Disclosure LetterSchedule, since January 1the Acquired Companies, 2019have at all times complied, no Personal Information or confidential information and are currently in compliance, in all material respects with all Applicable Laws, public-facing policies, and procedures established by the possessionAcquired Companies, custody, or control and all restrictions and requirements contained in any Contract to which any of the Company or any of its Subsidiaries Acquired Companies is bound, in each case, relating to (including Personal Information and confidential information Processed by any Subprocessor on behalf i) the privacy of the Companyusers of the products and services of the business of the Acquired Companies as currently conducted or (ii) has been impacted by a material the privacy, collection, maintenance, use, sale, storage, protection, retention, deletion, sharing, transfer or other processing of any Personally Identifiable Information (such requirements, the “Data Incident. Privacy Obligations”). (b) Except as set forth in Section 3.17(c3.15(b) of the Company Disclosure LetterSchedule, since January 1, 2019, no IT Systems maintained or operated by or on behalf none of the Company Acquired Companies has been subject to any material security breaches with respect to any Personally Identifiable Information or any of its Subsidiaries have been impacted by a Data Incident. Except as set forth in Section 3.17(c) confidential information of the Company Disclosure LetterAcquired Companies or the business thereof. (c) The Acquired Companies, since January 1have taken all commercially reasonable actions, 2019and implemented policies and procedures, neither to protect and maintain the Company nor security of all Personally Identifiable Information and confidential information of any of its Subsidiaries have notifiedthe Acquired Companies, including protecting such information from any unauthorized access, disclosure, corruption, modification or other misuse. No Acquired Company is or has been subject to an Order of, or has received a notice from, a Governmental Authority, and there have been no facts complaints or circumstances that would require the Company or any of its Subsidiaries to notifynotices, any data subject, Governmental Authority, investigations or other Person of a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made proceedings asserted by another Person on behalf of the Company or any of its Subsidiaries. Neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries, to any Person sanctioned by, or any Person located in a jurisdiction sanctioned by, the U.S. Department of Treasury’s Office of Foreign Assets Control or in violation of any applicable Law. (f) Since January 1, 2019: (i) neither the Company nor any of its Subsidiaries have received any written notice, request, claim, complaint, correspondence, or other communication from any Governmental Authority or other Person, and; (ii) with respect to the Knowledge of the Company, there has not been any audit, investigation, lawsuit, enforcement action (including any fines or other Sanctions), or other legal action, related to the Company or any of its SubsidiariesAcquired Companies’ Processing of Personal Information, the Company’s or any of its Subsidiaries’ privacy or data security practices, or any actual or alleged Data Incident non-compliance with or violation of any Data Privacy and Data Security Requirement. (g) The Company and each of its Subsidiaries have implemented and maintained appropriate administrative, technical, physical, and organizational safeguards, security measures, and controls, including a fully-implemented comprehensive written information security program appropriately designed to (i) identify and address internal and external risks Obligations or in relation to the privacy Acquired Companies’ loss of or security unauthorized (or the alleged loss of Personal Information and confidential information; (iior unauthorized) monitor and improve adequate safeguardsuse, security measures, and controls that protect Personal Information and confidential information and the operation, integrity, and security disclosure or transfer of its software, IT Systems, applications, and websites involved in the Processing of Personal Information or confidential information; (iii) protect Personal Personally Identifiable Information, confidential information, and information technology resources of the Company or any of its Subsidiaries against a Data Incident; and (iv) provide notification in compliance with applicable Privacy Laws in the event of a Data Incident.. The Company and each of its Subsidiaries have (i) implemented and maintained appropriate backups and disaster recovery and business continuity plans and (ii) regularly test such plans to ensure such plans are effective in all material respects upon such testing. (h) The Company and each of its Subsidiaries have entered into and maintained valid data processing agreements that materially comply with Privacy and Data Security Requirements with all customers and other Persons on whose behalf the Company or any of its Subsidiaries Processes or have Processed Personal Information. The Company and each of its Subsidiaries comply and have since January 1, 2019 materially complied with all such data processing agreements. The Company and each of its Subsidiaries have entered into and maintained appropriate contractual agreements with all Subprocessors that materially comply with all Privacy and Data Security Requirements. (i) The Company and each of its Subsidiaries have since January 1, 2019, at least annually performed an appropriate security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company and each of its Subsidiaries have used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessments. (j) Neither the Company nor any of its Subsidiaries have since January 1, 2019, sold, licensed, rented, leased, released, disclosed, disseminated, made available, transferred, or communicated Personal Information to another Person for any consideration (a “Data Sale”), except where such Sale complies with Privacy and Data Security Requirements. (k) The Company and each its Subsidiaries have since January 1, 2019, maintained cyber insurance policies that are adequate and suitable for the nature and volume of Personal Information and confidential information Processed by or on behalf of the Company and each of its Subsidiaries.

Data Privacy and Security. (a) The All Personal Data that is or previously has been collected, stored, maintained, possessed or otherwise used or controlled by or on behalf of the Company and each of its Subsidiaries areSubsidiaries, has been collected, stored, maintained and used in accordance with all applicable Laws, contracts, and since January 1industry standards, 2019, have been in material compliance with all Privacy the Company’s own privacy policy or service agreement under which such Personal Data was collected and the privacy policies or service agreement under which such Personal Data Security Requirements. To the Knowledge was collected by any Subsidiary of the Company, all Subprocessors are, and since January 1, 2019 have been in, material compliance with all Privacy and Data Security Requirements. (b) None of the Personal Information in the possession, custody, or control any other policies of the Company and/or any Subsidiary of the Company concerning data protection and with all applicable Laws governing the collection, sharing, use, storage, disclosure, transfer or any security from unauthorized disclosure of its Subsidiaries, received such Personal Data. Seller has proof of opt in for all email addresses included in Personal Data and proof of express written consent for all telephone numbers that have been sold to lead generation purchasers by the Company or any of its Subsidiaries since January 1, 2014. (b) Neither the Company nor any Subsidiary of the Company has received a notice of noncompliance with applicable data protection Laws, or industry standards or the Company’s privacy policy or the privacy policies of any Subsidiary of the Company nor has there been any investigation by a Governmental Authority related to same. The Company and each Subsidiary of the Company have made all registrations that the Company and each Subsidiary of the Company are required to have made in relation to the processing of data, and are in good standing with respect to such registrations, and have paid all fees due with respect thereto. (c) At all times during which the Company or any Subsidiary of the Company has collected, stored, maintained or otherwise used data, the Company and each Subsidiary of the Company have privacy policies or statements describing the data collected, and the manner in which it used and disclosed such data, and the Company’s and each of its Subsidiaries’ practices are in substantial compliance with (i) their then-current internal or customer-facing or consumer-facing privacy policy or data security policy or statement, including the privacy policy or statement posted on the Company’s and each of its Subsidiaries’ websites, (ii) their customers’ and vendors’ privacy policies, when required to do so by contract, and (iii) any policy or agreement in connection with each third party servicing, outsourcing or similar arrangement, contractually obligated any service provider that has access to Personal Data to (A) comply in all respects with the Laws described in this Section with respect to any Personal Data acquired from or with respect to the Company and/or its Subsidiaries, (B) take industry standard steps to protect and secure from unauthorized disclosure any Personal Data acquired from or with respect to the Company and/or its Subsidiaries, and (C) to restrict use of any Personal Data acquired from or with respect to the Company to those authorized or required under the servicing, outsourcing or similar arrangement (each such foregoing policy or statement collectively referred to herein as “Privacy Statements”). With respect to Personal Data collected from individuals pursuant to any Privacy Statement other than a Privacy Statement currently in effect, there are no differences between such previous Privacy Statements and Current Privacy Statements that would materially affect the Company’s or its Subsidiaries’ ability to retain, use or disclose such information in the same manner and to the same extent as it may retain, use and disclose information pursuant to its Privacy Statements currently in effect. (d) The Company and each Subsidiary of the Company have implemented and maintained appropriate and reasonable measures to protect and maintain the confidential nature of any Personal Data. The Company and each Subsidiary of the Company have adequate technological and procedural measures and internal controls in place to protect Personal Data collected by the Company or any Subsidiary of the Company against loss, theft, and unauthorized access or disclosure which would have a Material Adverse Effect. (e) There has been no material data security breach of any computer systems or networks or unauthorized use of any Personal Data that is owned, used, stored, received, or controlled by or on behalf of the Company and/or any Subsidiary of the Company. There has been no material privacy breach of any Personal Data that is owned, used, stored, received, or controlled by or on behalf of the Company or any Subsidiary of the Company No claims are pending or threatened or likely to be asserted against the Company or any Subsidiary of the Company by any Person alleging a violation of any applicable Laws or rights relating to privacy, Personal Data, or any other confidentiality rights under any applicable Laws, policies or procedures. (f) The Company and each Subsidiary of the Company have the full power and authority to transfer any and all rights in any individual’s Personal Data in the Company’s and any of its Subsidiaries’ possession or control to Buyer and its Affiliates. Neither the Company nor any Subsidiary of the Company is subject to any obligation that would prevent Company and the Subsidiaries of the Company from using the Personal Data in a manner consistent with any Law or industry standard regarding the collection, retention, use, or disclosure of such information. (g) The Company and each Subsidiary of the Company do not knowingly collect information from or about, or target, children under the age of thirteen (13), nor has the Company nor any Subsidiary ever knowingly done so. (h) To Seller’s Knowledge, no Person has commenced any Action relating to the Company’s or its Subsidiaries’ information privacy or data security practices, including with respect to the access, disclosure or use of customer Data or Personal Data that is or previously has been possessed or otherwise Processed controlled by or on behalf of the Company or any of its Subsidiaries, has been collected byor threatened any such Action, or provided to the Company or any of its Subsidiaries by a third party, in material violation of any Privacy and Data Security Requirement. (c) The execution, delivery, and performance of this Agreement and the consummation of the transactions contemplated hereby, including the transfer of all Personal Information and confidential information in the possession, custody, or control of the Company and each of its Subsidiaries (including Personal Information and confidential information held or Processed by any Subprocessor), do not and will not: (i) materially conflict with or result in a material violation or breach of any Privacy and Data Security Requirement (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company or any of its Subsidiaries); or (ii) require the consent of or notice to any Person concerning such Person’s Personal Information or confidential information. Neither the Company nor any of its Subsidiaries are subject to any Privacy and Data Security Requirements or other legal obligations that, following the Closing, would prohibit the Company, any of the Company’s Subsidiaries, or Parent from receiving, using, or otherwise Processing Personal Information in substantially the same manner in which the Company or any of its Subsidiaries Processed such Personal Information prior to the Closing. (d) The Company and each of its Subsidiaries have at all times posted to each of their websites, mobile applications, and other online services and provided or otherwise made available to each data subject prior to Processing such data subject’s Personal Information an appropriate Company Privacy and Data Security Policy that materially complies with all Privacy and Data Security Requirements. No material disclosure or representation made or contained in any Company Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy and Data Security Requirement (including by containing any material omission). The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies that are currently in effect. The Company and each of its Subsidiaries have, to the extent required by Privacy and Data Security Requirements, obtained the consent of data subject to the Processing of Personal Information as required by Privacy and Data Security Requirements. The Company and each of its Subsidiaries have, in material compliance with all Privacy and Data Security Requirements, implemented all valid and lawful requests pertaining to access, notice, rectification, portability, deletion, restriction, automated decision making, or objection of any Person made to the Company or any of its Subsidiaries regarding Personal Information Processed by or on behalf of the Company or any of its Subsidiaries and with any other valid and lawful request related to data subject rights under Privacy Laws. (e) Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no Personal Information or confidential information in the possession, custody, or control of the Company or any of its Subsidiaries (including Personal Information and confidential information Processed by any Subprocessor on behalf of the Company) has been impacted by a material Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no IT Systems maintained or operated by or on behalf of the Company or any of its Subsidiaries have been impacted by a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, neither the Company nor any of its Subsidiaries have notified, and there have been no facts or circumstances that would require the Company or any of its Subsidiaries to notify, any data subject, Governmental Authority, or other Person of a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries. Neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries, to any Person sanctioned by, or any Person located in a jurisdiction sanctioned by, the U.S. Department of Treasury’s Office of Foreign Assets Control or in violation of any applicable Law. (f) Since January 1, 2019: (i) neither the Company nor any of its Subsidiaries have received any written notice, request, claim, complaint, correspondence, investigation or other communication from any Governmental Authority or other Person, and; (ii) inquiry relating to the Knowledge of the Company, there has not been any audit, investigation, lawsuit, enforcement action (including any fines or other Sanctions), or other legal action, related to the Company or any of its Subsidiaries’ Processing of Personal Information, the Company’s or any of its Subsidiaries’ privacy or data security such practices, or any actual or alleged Data Incident or violation of any Privacy and Data Security Requirement. (g) The Company and each of its Subsidiaries have implemented and maintained appropriate administrative, technical, physical, and organizational safeguards, security measures, and controls, including a fully-implemented comprehensive written information security program appropriately designed to (i) identify and address internal and external risks to the privacy or security of Personal Information and confidential information; (ii) monitor and improve adequate safeguards, security measures, and controls that protect Personal Information and confidential information and the operation, integrity, and security of its software, IT Systems, applications, and websites involved in the Processing of Personal Information or confidential information; (iii) protect Personal Information, confidential information, and information technology resources of the Company or any of its Subsidiaries against a Data Incident; and (iv) provide notification in compliance with applicable Privacy Laws in the event of a Data Incident.. The Company and each of its Subsidiaries have (i) implemented and maintained appropriate backups and disaster recovery and business continuity plans and (ii) regularly test such plans to ensure such plans are effective in all material respects upon such testing. (h) The Company and each of its Subsidiaries have entered into and maintained valid data processing agreements that materially comply with Privacy and Data Security Requirements with all customers and other Persons on whose behalf the Company or any of its Subsidiaries Processes or have Processed Personal Information. The Company and each of its Subsidiaries comply and have since January 1, 2019 materially complied with all such data processing agreements. The Company and each of its Subsidiaries have entered into and maintained appropriate contractual agreements with all Subprocessors that materially comply with all Privacy and Data Security Requirements. (i) The Company and each of its Subsidiaries have since January 1, 2019, at least annually performed an appropriate security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company and each of its Subsidiaries have used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessments. (j) Neither the Company nor any of its Subsidiaries have since January 1, 2019, sold, licensed, rented, leased, released, disclosed, disseminated, made available, transferred, or communicated Personal Information to another Person for any consideration (a “Data Sale”), except where such Sale complies with Privacy and Data Security Requirements. (k) The Company and each its Subsidiaries have since January 1, 2019, maintained cyber insurance policies that are adequate and suitable for the nature and volume of Personal Information and confidential information Processed by or on behalf of the Company and each of its Subsidiaries.

Data Privacy and Security. (a) Except as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect, since January 1, 2022, (i) the IT Systems have not suffered any failures, bugs, or outages; (ii) the Company and its Subsidiaries have implemented commercially reasonable administrative and technical safeguards designed to protect the integrity, security and confidentiality of Personal Information stored in the IT Systems; and (iii) to the Knowledge of the Company, there have been no unauthorized intrusions or breaches of the security of the IT Systems. The Company and each of its Subsidiaries have purchased a sufficient number of license seats, and scope of rights, for all material third party software used by the Company and its Subsidiaries for their respective businesses as currently conducted and have complied in all material respects with the terms of the corresponding agreement. (b) Except as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect: (i) the Company and its Subsidiaries are, and since January 1, 20192022 have been, have been in material compliance with all Privacy applicable Data Protection Requirements; and Data Security Requirements. To (ii) since January 1, 2022, to the Knowledge of the Company, all Subprocessors are, and since January 1, 2019 there have been inno breaches, material compliance with all Privacy and Data Security Requirements. (b) None violations, outages or unauthorized uses of the or accesses to Personal Information in the possession, custody, or control of the Company or any of its Subsidiaries, received maintained by the Company or any its Subsidiaries that would require notification of its Subsidiariesindividuals, or otherwise Processed by or on behalf of the Company law enforcement or any of its Subsidiaries, has been collected by, or provided to the Company or Governmental Authority under any of its Subsidiaries by a third party, in material violation of any Privacy and applicable Data Security Requirement. (c) The execution, delivery, and performance of this Agreement and the consummation of the transactions contemplated hereby, including the transfer of all Personal Information and confidential information in the possession, custody, or control of the Company and each of its Subsidiaries (including Personal Information and confidential information held or Processed by any Subprocessor), do not and will not: (i) materially conflict with or result in a material violation or breach of any Privacy and Data Security Requirement (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company or any of its Subsidiaries); or (ii) require the consent of or notice to any Person concerning such Person’s Personal Information or confidential informationProtection Law. Neither the Company nor any of its Subsidiaries are subject to any Privacy and Data Security Requirements or other legal obligations that, following the Closing, would prohibit the Company, any of the Company’s Subsidiaries, or Parent from receiving, using, or otherwise Processing Personal Information in substantially the same manner in which the Company or any of its Subsidiaries Processed such Personal Information prior to the Closing. (d) The Company and each of its Subsidiaries have at all times posted to each of their websites, mobile applications, and other online services and provided or otherwise made available to each data subject prior to Processing such data subject’s Personal Information an appropriate Company Privacy and Data Security Policy that materially complies with all Privacy and Data Security Requirements. No material disclosure or representation made or contained in any Company Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy and Data Security Requirement (including by containing any material omission). The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies that are currently in effect. The Company and each of its Subsidiaries have, to the extent required by Privacy and Data Security Requirements, obtained the consent of data subject to the Processing of Personal Information as required by Privacy and Data Security Requirements. The Company and each of its Subsidiaries have, in material compliance with all Privacy and Data Security Requirements, implemented all valid and lawful requests pertaining to access, notice, rectification, portability, deletion, restriction, automated decision making, or objection of any Person made to the Company or any of its Subsidiaries regarding Personal Information Processed by or on behalf of the Company or any of its Subsidiaries and with any other valid and lawful request related to data subject rights under Privacy Laws. (e) Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since Since January 1, 2019, no Personal Information or confidential information in 2022 until the possession, custody, or control of the Company or any of its Subsidiaries (including Personal Information and confidential information Processed by any Subprocessor on behalf of the Company) has been impacted by a material Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019, no IT Systems maintained or operated by or on behalf of the Company or any of its Subsidiaries have been impacted by a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, since January 1, 2019date hereof, neither the Company nor any of its Subsidiaries have notified, and there have been no facts or circumstances has received written communication from any Governmental Authority that would require alleges that the Company or any of its Subsidiaries to notify, is not in compliance with any data subject, Governmental Authority, or other Person of a Data Incident. Except as set forth in Section 3.17(c) of the Company Disclosure Letter, neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries. Neither the Company nor any of its Subsidiaries have directly or indirectly made any ▇▇▇▇▇▇ payments related to a Data Incident, including ▇▇▇▇▇▇ payments made by another Person on behalf of the Company or any of its Subsidiaries, to any Person sanctioned by, or any Person located in a jurisdiction sanctioned by, the U.S. Department of Treasury’s Office of Foreign Assets Control or in violation of any applicable LawProtection Laws. (fc) Since January 1, 2019: (i) neither the Company nor any of its Subsidiaries have received any written notice, request, claim, complaint, correspondence, or other communication from any Governmental Authority or other Person, and; (ii) to To the Knowledge of the Company, there has not been any audit, investigation, lawsuit, enforcement action (including any fines or other Sanctions), or other legal action, related and to the extent required under applicable Data Protection Laws, the Company or any and its Subsidiaries have provided all notices and obtained all consents and approvals necessary to use and disclose the Personal Information maintained by the Company and its Subsidiaries to the extent required in connection with the operation of its Subsidiaries’ Processing of Personal Information, the Company’s business as currently conducted except as would not, individually or any in the aggregate, reasonably be expected to have a Company Material Adverse Effect. To the Knowledge of its Subsidiaries’ privacy or data security practicesthe Company, or any actual or alleged Data Incident or the consummation of the transactions contemplated by this Agreement shall not result in the violation of any Privacy and Data Security RequirementProtection Requirement in any material respect. (g) The Company and each of its Subsidiaries have implemented and maintained appropriate administrative, technical, physical, and organizational safeguards, security measures, and controls, including a fully-implemented comprehensive written information security program appropriately designed to (i) identify and address internal and external risks to the privacy or security of Personal Information and confidential information; (ii) monitor and improve adequate safeguards, security measures, and controls that protect Personal Information and confidential information and the operation, integrity, and security of its software, IT Systems, applications, and websites involved in the Processing of Personal Information or confidential information; (iii) protect Personal Information, confidential information, and information technology resources of the Company or any of its Subsidiaries against a Data Incident; and (iv) provide notification in compliance with applicable Privacy Laws in the event of a Data Incident.. The Company and each of its Subsidiaries have (i) implemented and maintained appropriate backups and disaster recovery and business continuity plans and (ii) regularly test such plans to ensure such plans are effective in all material respects upon such testing. (h) The Company and each of its Subsidiaries have entered into and maintained valid data processing agreements that materially comply with Privacy and Data Security Requirements with all customers and other Persons on whose behalf the Company or any of its Subsidiaries Processes or have Processed Personal Information. The Company and each of its Subsidiaries comply and have since January 1, 2019 materially complied with all such data processing agreements. The Company and each of its Subsidiaries have entered into and maintained appropriate contractual agreements with all Subprocessors that materially comply with all Privacy and Data Security Requirements. (i) The Company and each of its Subsidiaries have since January 1, 2019, at least annually performed an appropriate security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company and each of its Subsidiaries have used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessments. (j) Neither the Company nor any of its Subsidiaries have since January 1, 2019, sold, licensed, rented, leased, released, disclosed, disseminated, made available, transferred, or communicated Personal Information to another Person for any consideration (a “Data Sale”), except where such Sale complies with Privacy and Data Security Requirements. (k) The Company and each its Subsidiaries have since January 1, 2019, maintained cyber insurance policies that are adequate and suitable for the nature and volume of Personal Information and confidential information Processed by or on behalf of the Company and each of its Subsidiaries.