Data Privacy and Security. Except as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect:
(a) The Company and its Subsidiaries are, and since the Lookback Date have been, in compliance with all applicable Privacy Commitments. To the Knowledge of the Company, all Personal Information collected, processed, transferred, disclosed, shared, stored, protected or used by the Company or its Subsidiaries, or shared with a third party, in connection with the operation of their respective businesses is, and since the Lookback Date has been, collected, processed, transferred, disclosed, shared, stored, protected and used by the Company, its Subsidiaries or third parties acting on their behalf in accordance with all applicable Privacy Commitments. No disclosures made in any written privacy policies, notices, or statements published by the Company or its Subsidiaries have been inaccurate, misleading or deceptive. The Company has not sold, licensed or rented any Personal Information to a third party for monetary or other valuable consideration. To the Knowledge of the Company, the Company and its Subsidiaries are not, and since the Lookback Date have not been, (i) under audit or investigation by any Governmental Authority regarding the Company’s compliance with applicable Privacy Commitments or (ii) subject to any third-party notification, claim, demand, audit or action in relation to the Company’s collection, processing, transfer, disclosure, sharing, storing, security and use of Personal Information.
(b) The Company and its Subsidiaries (i) have implemented and maintain commercially reasonable technical, physical, and organizational measures intended to protect against and identify anticipated threats or hazards to, the security, confidentiality, integrity and availability of Personal Information, Company Information and Systems, including a commercially reasonable incident response plan and backup procedures, and (ii) have commercially reasonable procedures in place designed to remediate (A) Information Security Incidents and (B) audit or security assessment findings deemed to be a material, critical or high risk to the effectiveness of any System. The Company and its Subsidiaries have fully remediated any and all material, critical or high-risk security vulnerabilities associated with Systems for which the Company or its Subsidiaries have or should reasonably have become aware. To the Knowledge of the Company, there are no vulnerabilities existing in Systems that would reasonably be expected to cause an Information Security Incident.
(c) To the Knowledge of the Company, since the Lookback Date, the Company and its Subsidiaries have not experienced any Information Security Incident involving the Company or any of its Subsidiaries or third parties that process Company Information on behalf of the Company or its Subsidiaries. To the Knowledge of the Company, since the Lookback Date, no circumstance has arisen in which applicable Privacy Laws would require the Company or its Subsidiaries to notify a person or Governmental Authority of a “breach of security” (or similar term such as “security breach”) as defined by applicable Privacy Laws.
Appears in 2 contracts
Sources: Merger Agreement (Chuy's Holdings, Inc.), Merger Agreement (Darden Restaurants Inc)
Data Privacy and Security. (a) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) comply in all material respects, and since the Lookback Date, have complied in all material respects, with applicable Privacy Laws, contractual obligations and industry standards (including PCI DSS) relating to the collection, use and other Processing of Personal Data, information security or cybersecurity and each of the Privacy Policies (collectively, the “Privacy Requirements”), including with respect to, where required by Law, obtaining all valid and informed consents from and offering opt out and giving all required notices to the Persons subject of the Personal Data.
(b) Except as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect:
(a) The Company and its Subsidiaries are, and since the Lookback Date have been, in compliance with all applicable Privacy Commitments. To the Knowledge of the Company, all Personal Information collected, processed, transferred, disclosed, shared, stored, protected or used by the Company or its Subsidiaries, or shared with a third party, in connection with the operation of their respective businesses is, and since the Lookback Date has been, collected, processed, transferred, disclosed, shared, stored, protected and used by the Company, its Subsidiaries or third parties acting on their behalf in accordance with all applicable Privacy Commitments. No disclosures made in any written privacy policies, notices, or statements published by the Company or its Subsidiaries have been inaccurate, misleading or deceptive. The Company has not sold, licensed or rented any Personal Information to a third party for monetary or other valuable consideration. To the Knowledge of the Company, the Company and its Subsidiaries are not, and since the Lookback Date have not been, (i) under audit or investigation by any Governmental Authority regarding the Company’s compliance with applicable Privacy Commitments or (ii) subject to any third-party notification, claim, demand, audit or action in relation be material to the Company’s collection, processing, transfer, disclosure, sharing, storing, security and use of Personal Information.
(c) To the Knowledge of the CompanyBusiness, since the Lookback Date, the Company and (i) neither Parent nor any of its Subsidiaries (including the Acquired Companies) have not experienced received any Information Security Incident involving complaints, claims, warnings or other written notification from any Person (including any Governmental Body) in respect of information security, cybersecurity or the Company Processing of Personal Data in connection with the Business, (ii) no Action, enforcement or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business and (iii) none of Parent or any of its Subsidiaries have been subject to any Order or third parties that process Company Information on behalf of the Company Arbitration Decision, nor is any Order or its Subsidiaries. To Arbitration Decision pending, nor, to the Knowledge of Seller, threatened, alleging noncompliance with any applicable Privacy Requirements in respect of information security, cybersecurity or the CompanyProcessing of Personal Data in connection with the Business.
(c) The execution, delivery or performance of this Agreement and the transactions contemplated by this Agreement will not violate any applicable Privacy Requirements in any material respect and, except as would not reasonably be expected to be material to the Business, following the consummation of the transactions contemplated by this Agreement, the Acquired Companies will have substantially the same right to Process any Personal Data currently Processed by Parent or its Subsidiaries in connection with the Business as Parent and its Subsidiaries have immediately prior to the Closing.
(d) Except as would not reasonably be expected to be material to the Business, the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), (i) are not in breach or default of any Contracts relating to the IT Systems and do not transfer Business Data internationally except where such transfers comply with Privacy Requirements and (ii) maintain, and have maintained, cyber liability insurance with reasonable coverage limits.
(i) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (each, a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacy, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material violations of the Information Security Program with respect to the Business and (iv) except as would not reasonably be expected to be material to the Business, (A) the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired 
Companies) are not experiencing and, since the Lookback Date, no circumstance has arisen in which have not experienced a Security Incident and (B) Parent and its Subsidiaries have not made, or been required to make under applicable Privacy Laws would require Laws, disclosure of any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for the Company avoidance of doubt, Security Incidents caused by Sub-Processors.
(f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity plans, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing in accordance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account the volume and sensitivity of data (including Personal Data and Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to notify a person the Business, and (iii) except as would not reasonably be expected to be material to the Business, the IT Systems currently used by or Governmental Authority on behalf of a “breach of security” the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (or similar term such other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as “security breach”) as 
defined by applicable Privacy Lawsnecessary to conduct the Business.
Appears in 2 contracts
Sources: Securities Purchase Agreement (Telephone & Data Systems Inc /De/), Securities Purchase Agreement (United States Cellular Corp)
Data Privacy and Security. Except (a) Since January 1, 2018, the collection, acquisition, use, storage, transfer (including any cross-border transfers), distribution or dissemination by Tempranillo and its Subsidiaries of any Personal Data are and have been in compliance in all material respects with the Privacy Requirements, except where any instances of non-compliance have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect.
(b) Tempranillo and its Subsidiaries maintain commercially reasonable policies, procedures, trainings, and security measures with respect to the physical and electronic security and privacy of Personal Data that are designed to achieve compliance with the Privacy Requirements, and Tempranillo and its Subsidiaries are in compliance with such policies and procedures, except as have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. Since January 1, 2018, there have been no material breaches or material violations of any such security measures, or any unauthorized access of any Personal Data or Tempranillo’s or its Subsidiaries’ business data by any Third Party. As of the date of this Agreement, no written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, nor to Tempranillo’s Knowledge, threatened, relating to any such obligation, policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Tempranillo Material Adverse Effect:
(bc) The Company Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, as of the date of this Agreement, the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries (i) have implemented operate and maintain commercially reasonable technicalperform as required by Tempranillo and its Subsidiaries in connection with the conduct of their respective businesses, physical, and organizational measures intended to protect against and identify anticipated threats or hazards to, the security, confidentiality, integrity and availability of Personal Information, Company Information and Systems, including a commercially reasonable incident response plan and backup procedures, and (ii) since January 1, 2018, have commercially reasonable procedures in place designed to remediate not malfunctioned or failed (Aexcept for malfunctions or failures that have been fully remedied) Information Security Incidents and (Biii) audit are free from bugs and other defects and do not contain any “virus”, “worm”, “spyware” or security assessment findings deemed to be a material, critical or high risk to the effectiveness of any Systemother malicious Software. The Company and its Subsidiaries have fully remediated any and all material, critical or high-risk security vulnerabilities associated with Systems for which the Company or its Subsidiaries have or should reasonably have become aware. To the Knowledge of the Company, there are no vulnerabilities existing in Systems that Except as would not reasonably be expected to cause an Information Security Incidenthave a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, since January 1, 2018, no Person has gained unauthorized access to the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries.
(cd) To the Knowledge of the CompanyTempranillo, since the Lookback Date, the Company Tempranillo and its Subsidiaries have not experienced executed current and valid Business Associate Agreements with each (i) customer that, to the Knowledge of Tempranillo, is a “covered entity” (as defined by HIPAA and the corresponding regulations) and (ii) “subcontractor” (as defined by HIPAA and the corresponding regulations). Tempranillo and its Subsidiaries are in material compliance with such Business Associate Agreements and, to the Knowledge of Tempranillo, no covered entity or subcontractor has materially breached any Information Security Incident involving such Business Associate Agreement with Tempranillo or any of its Subsidiaries.
(e) To the Company extent Tempranillo or any of its Subsidiaries or third parties that process Company Information on behalf has de-identified user data, Tempranillo and its Subsidiaries have obtained all rights necessary to undertake de-identification of such user data and has de-identified such user data in accordance with the Company or its Subsidiariesrequirements of HIPAA and other Privacy Requirements. To the Knowledge of the Company, since the Lookback Date, no circumstance has arisen in which applicable Privacy Laws would require the Company or extent Tempranillo and its Subsidiaries to notify a person or Governmental Authority have used de-identified data, Tempranillo and its Subsidiaries have obtained all rights necessary for the use of a “breach of security” (or similar term such as “security breach”) as defined by applicable Privacy Lawsde-identified data.
Appears in 2 contracts
Sources: Agreement and Plan of Merger (Livongo Health, Inc.), Merger Agreement (Teladoc Health, Inc.)
Data Privacy and Security. (a) Except as has not had, and would not reasonably be expected to havenot, individually or in the aggregate, reasonably be expected to have a Company Paramount Material Adverse Effect:
, since January 1, 2021: (a) The Company Paramount and its Subsidiaries areand, and since to the Lookback Date knowledge of Paramount, all vendors, processors or other third parties Processing Personal Information for or on behalf of Paramount or any Subsidiaries of Paramount or otherwise sharing Personal Information with Paramount or any Subsidiaries of Paramount (each a “Paramount Data Partner”) have been, in compliance complied with (i) all applicable Privacy Commitments. To the Knowledge of the Company, Laws and (ii) all Personal Information collected, processed, transferred, disclosed, shared, stored, protected or used by the Company or its Subsidiaries, or shared with a third party, in connection with the operation of their respective businesses is, published privacy and since the Lookback Date has been, collected, processed, transferred, disclosed, shared, stored, protected and used by the Company, its Subsidiaries or third parties acting on their behalf in accordance with all applicable Privacy Commitments. No disclosures made in any written privacy data security policies, notices, or notices and statements published by the Company or its Subsidiaries have been inaccurate, misleading or deceptive. The Company has not sold, licensed or rented any Personal Information to a third party for monetary or other valuable consideration. To the Knowledge of the Company, the Company which Paramount and its Subsidiaries are not, and since the Lookback Date have not been, (i) under audit or investigation by any Governmental Authority regarding the Company’s compliance with applicable Privacy Commitments or (ii) subject to any third-party notification, claim, demand, audit or action in relation to the Company’s collection, processing, transfer, disclosure, sharing, storing, security and use of Personal Informationsubject.
(b) The Company Except as would not, individually or in the aggregate, reasonably be expected to have a Paramount Material Adverse Effect, since January 1, 2021, Paramount and its Subsidiaries have, and have required any Paramount Data Partner to have, adopted and implemented at least commercially reasonable industry standard physical, technical, organizational, and administrative security measures and policies to (i) have implemented protect all Personal Information stored or processed by or on behalf of Paramount and maintain commercially reasonable technicalits Subsidiaries against any accidental, physicalunlawful or unauthorized access, and organizational measures intended to protect against and identify anticipated threats use, loss, disclosure, alteration, destruction, compromise or hazards to, the security, confidentiality, integrity and availability of Personal Information, Company Information and Systems, including other Processing (a commercially reasonable incident response plan and backup procedures, “Security Incident”) and (ii) have commercially reasonable procedures in place designed to remediate (A) Information Security Incidents identify and (B) audit or security assessment findings deemed to be a material, critical or high risk address internal and external risks to the effectiveness privacy and security of any System. The Company Personal Information processed by or on behalf of Paramount and its Subsidiaries have fully remediated any and all materialSubsidiaries. Except as would not, critical individually or high-risk security vulnerabilities associated with Systems for which in the Company or its Subsidiaries have or should reasonably have become aware. 
To the Knowledge of the Companyaggregate, there are no vulnerabilities existing in Systems that would reasonably be expected to cause an have a Paramount Material Adverse Effect, since January 1, 2021, Paramount, Subsidiaries of Paramount (and, to the knowledge of Paramount, Paramount Data Partners with respect to Personal Information of Paramount and its Subsidiaries) have not experienced a Security Incident.
(c) To Except as would not, individually or in the Knowledge of the Companyaggregate, reasonably be expected to have a Paramount Material Adverse Effect, since the Lookback DateJanuary 1, the Company and its Subsidiaries have not experienced 2021, in relation to any Information Security Incident involving the Company Incident, none of Paramount or any of its the Subsidiaries of Paramount has been the subject of any formal complaint, claim or third parties that process Company Information on behalf of the Company investigation or its Subsidiaries. To the Knowledge of the Company, since the Lookback Date, no circumstance has arisen in which applicable Privacy Laws would require the Company or its Subsidiaries been required to notify a person or Governmental Authority of a “breach of security” (or similar term such as “security breach”) as defined by applicable Privacy Lawsany Person.
Appears in 1 contract
Data Privacy and Security. Except as has not had, and would not reasonably be expected to have, individually or 4.12.1 Each Seller is in the aggregate, a Company Material Adverse Effect:
(a) The Company and its Subsidiaries arematerial compliance, and since January 1, 2022, has at all times been in material compliance, with all applicable Privacy and Data Security Requirements. Sellers have at all times obtained all rights, consents and licenses necessary to Process Personal Data in the Lookback Date manner it has been Processed, is now Processed and as proposed to be Processed in the Business by any Person on their behalf.
4.12.2 Sellers have beenat all times maintained, and presently maintain, reasonable backup, security and disaster recovery plans, in each case, using commercially reasonable efforts no less than industry-standard and in compliance with applicable Privacy and Data Security Requirements for the Business-Utilized IT Systems. Since January 1, 2022, to Sellers’ Knowledge, there have been (i) no unauthorized access to or unauthorized use of any Business-Utilized IT Systems and (ii) no unauthorized intrusions or breaches of security with respect to any Business-Utilized IT Systems.
4.12.3 Neither Seller has received any subpoenas, demands, or other written notices from any Governmental Body investigating, inquiring into, or otherwise relating to any actual or potential violation of any Privacy and Data Security Requirements, and neither Seller is under investigation by any Governmental Body for any actual or potential violation of any Privacy and Data Security Requirements. No Person (including any Governmental Body) has commenced any Action nor has any written notice or enforcement Action of any kind been served on, or initiated against, either Seller under any applicable Privacy and Data Security Requirements or with respect to loss, damage or unauthorized access, use or modification of any Personal Data by or on behalf of either Seller and, to Sellers’ Knowledge, there are no facts or circumstances that could form the basis for any such claim. Since January 1, 2022, there have been no, and there are currently no pending or, to Sellers’ Knowledge, threatened, fines or other penalties facing either Seller in connection with any disclosure of Personal Data with respect to the operation of the Business or a violation of any applicable Privacy and Data Security Requirements.
4.12.4 To the extent Sellers use Personal Data as part of developing, training, operating or maintaining internal or third-party Artificial Intelligence Tools, a record is maintained of what data is being used and has been used for these purposes. Sellers use and have used commercially reasonable efforts (including, at a minimum, by conducting regular audits) to ensure (i) Sellers have sufficient rights in all data Processed by Sellers’ Artificial Intelligence Tools and (ii) Sellers’ Artificial Intelligence Tools operate as intended, in compliance with all applicable Privacy CommitmentsLaws and are not reasonably likely to harm or disparage Sellers or the reputation or goodwill of Sellers. To Sellers’ use of Artificial Intelligence Tools does not and, since January 1, 2022, has not, resulted in the Knowledge unauthorized disclosure to, or access by, any third party of Personal Data in possession of Sellers.
4.12.5 The consummation of the Company, all transactions contemplated by this Agreement as well as any subsequent use of Personal Information collected, processed, transferred, disclosed, shared, stored, protected or Data in a substantially similar manner to how such Personal Data is used by the Company or its Subsidiaries, or shared with a third party, Sellers in connection with the operation of their respective businesses is, and since the Lookback Date has been, collected, processed, transferred, disclosed, shared, stored, protected and used by the Company, its Subsidiaries or third parties acting on their behalf in accordance with all applicable Privacy Commitments. No disclosures made in any written privacy policies, notices, or statements published by the Company or its Subsidiaries have been inaccurate, misleading or deceptive. The Company has not sold, licensed or rented any Personal Information to a third party for monetary or other valuable consideration. To the Knowledge of the Company, the Company and its Subsidiaries are not, and since the Lookback Date have not been, (i) under audit or investigation by any Governmental Authority regarding the Company’s compliance with applicable Privacy Commitments or (ii) subject to any third-party notification, claim, demand, audit or action in relation Business immediately prior to the Company’s collection, processing, transfer, disclosure, sharing, storing, security and use of Personal Information.
(b) The Company and its Subsidiaries (i) have implemented and maintain commercially reasonable technical, physical, and organizational measures intended to protect against and identify anticipated threats Closing will not breach or hazards to, the security, confidentiality, integrity and availability of Personal Information, Company Information and Systems, including a commercially reasonable incident response plan and backup procedures, and (ii) have commercially reasonable procedures in place designed to remediate (A) Information Security Incidents and (B) audit or security assessment findings deemed to be a material, critical or high risk to the effectiveness otherwise cause any violation of any System. The Company Privacy and its Subsidiaries have fully remediated any and all material, critical or high-risk security vulnerabilities associated with Systems for which the Company or its Subsidiaries have or should reasonably have become aware. To the Knowledge of the Company, there are no vulnerabilities existing in Systems that would reasonably be expected to cause an Information Data Security IncidentRequirements.
Appears in 1 contract
Data Privacy and Security. (a) The operation of the Acquired Business complies, and since January 1, 2022, has complied, in all material respects, with applicable Information Privacy and Security Requirements. Except as would not reasonably be expected, individually or in the aggregate, to be material to the Acquired Business, neither PepsiCo nor any of its Affiliates has, since January 1, 2022, (A) experienced any breach of security, phishing incident, ransomware or malware attack or other incident in which any Personal Information or other Data or information included in the Transferred Data was lost, stolen, accessed, used, disclosed, modified or exfiltrated in an unauthorized or unlawful manner, or has received any written notices or complaints from any Person or been the subject of any claim, proceeding or investigation with respect thereto or (B) been required under any Information Privacy and Security Requirements to notify any Person of the loss or theft of or unauthorized or unlawful access to any Personal Information or other Data or information included in the Transferred Data, that would prevent the transfer of the Transferred Data to Celsius in accordance with the Transaction Documents or that would be reasonably expected to cause any exposure or leakage of or unauthorized access to the material Trade Secrets included in the Transferred Data. PepsiCo and its Affiliates have, in each case to the extent required by Information Privacy and Security Requirements, provided notices, obtained consents, and satisfied all other requirements necessary for their processing of Personal Information included in the Transferred Data in connection with the Acquired Business and for the consummation of the Transactions that can be satisfied by PepsiCo and its Affiliates, including providing notices and obtaining consents necessary for the lawful and effective transfer of the Transferred Data to Celsius. Except as would not reasonably be expected, individually or in the aggregate, to be material to the Acquired Business, PepsiCo and its Affiliates have contractually obligated any third parties acting on their behalf that process, access or store Personal Information or other Data or information included in the Transferred Data to abide by terms that are compliant in all material respects with all applicable Information Privacy and Security Requirements. Neither the execution, delivery or performance of this Agreement or the Additional Agreements nor the consummation of the Transactions will result in a breach or violation of, or constitute a default under, any Information Privacy and Security Requirements. Neither PepsiCo nor any of its Affiliates is subject to any Information Privacy and Security Requirements that, following the Closing, would prevent Celsius from receiving or using any Personal Information or other Data or information included in the Transferred Data in all material respects in the manner in which PepsiCo and its Affiliates receive and use any Personal Information or other Data or information included in the Transferred Data in the operation of the Acquired Business prior to the Closing.
(b) PepsiCo and its Affiliates have at all times taken commercially reasonable actions and measures, including adopting and following policies and procedures and putting in place technological, physical, administrative, operational and other safeguards, to protect the confidentiality, integrity, availability, privacy and security of the Transferred Data. PepsiCo and its Affiliates have timely remediated and addressed any material and adverse audit findings relating to the implementation of technical, physical, administrative and operational security measures pertinent to safeguarding material Trade Secrets included in the Transferred Data. There have been no material failures, breakdowns or performance reductions of any Information Systems that would reasonably be expected to cause any exposure or leakage of or unauthorized access to the material Trade Secrets included in the Transferred Data.
(c) The Information Systems and related services provided under the Transition Services Agreement will be sufficient for the operation of the Acquired Business immediately after the Closing in all material respects in the same manner as currently conducted by PepsiCo and its Affiliates.
Appears in 1 contract
Data Privacy and Security. Except as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect:
(a) A2iA and its Subsidiaries comply, and at all times during the past three (3) years have complied, in all material respects with its internal privacy policies relating to the use, collection, storage, disclosure and transfer of any Personal Information collected by A2iA or its Subsidiaries or by third parties acting on behalf of or having authorized access to the records of A2iA or its Subsidiaries. Neither A2iA nor any of its Subsidiaries has received any written complaint
(b) A2iA’s or its Subsidiaries’ operation of any websites used in connection with the business of A2iA and its Subsidiaries, the content thereof, and all data processed, collected, stored or disseminated in connection therewith, comply in all material respects with all Applicable Laws, and do not violate any Person’s right of privacy or publicity. A2iA and its Subsidiaries have posted privacy policies governing A2iA’s and its Subsidiaries’ use of data, and disclaimers of liability, on its websites, and A2iA and its Subsidiaries have complied with such applicable privacy policies in all material respects. A2iA and its Subsidiaries have taken reasonable steps in accordance with normal industry practices to secure its websites and data from unauthorized access or use thereof by any Person. To the Sellers’ Knowledge, no website security measure implemented by A2iA or any of its Subsidiaries has been penetrated, and no website maintained by A2iA or any of its Subsidiaries has been the target of any defacement, unauthorized access, denial-of-service assault or other attack by hackers.
Appears in 1 contract
Sources: Share Purchase Agreement
Data Privacy and Security. Except as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect:
(a) There is not currently pending or, to Acquiror’s knowledge, threatened, and there has not since January 1, 2019 been any, Proceeding against any Acquiror Group Member initiated by (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; (iii) any regulatory entity, privacy regulator or otherwise, or (iv) any other Person, in each case, with respect to privacy, cybersecurity, and, to Acquiror’s knowledge, there are no facts upon which such a Proceeding could be based.
(b) Except as set forth on Section 5.13 of the Acquiror’s Disclosure Schedules, there have not been any actual, suspected, or alleged material Security Incidents or actual or alleged claims related to material Security Incidents, and, to Acquiror’s knowledge, there are no facts or circumstances which could reasonably serve as the basis for any such allegations or claims. There are no data security, information security, or other technological vulnerabilities with respect to the Acquiror Group’s services or with respect to the Acquiror IT Systems that would reasonably be expected to have a materially adverse impact on their operations or cause a material Security Incident.
(c) The Acquiror Group Members own or have license to use pursuant to an Acquiror Material Contract the Acquiror IT Systems as necessary to operate their respective businesses as currently conducted and such Acquiror IT Systems are sufficient for the operation of their respective businesses as currently conducted. The Acquiror Group Members have back-up and disaster recovery arrangements, procedures and facilities for the continued operation of its businesses in the event of a failure of the Acquiror IT Systems that are, in the reasonable determination of Acquiror, commercially reasonable and in accordance in all material respects with standard industry practice. Since January 1, 2019, there has not been any material disruption, failure or, to Acquiror’s knowledge, unauthorized access with respect to any of the Acquiror IT Systems that has not been remedied, replaced or mitigated in all material respects. To Acquiror’s knowledge, none of the Acquiror IT Systems contain any worm, bomb, backdoor, trap doors, Trojan horse, spyware, keylogger software, clock, timer or other damaging devices, malicious codes, designs, hardware component, or software routines that causes the Acquiror Software or any portion thereof to be erased, inoperable or otherwise incapable of being used, either automatically, with the passage of time or upon command by any unauthorized person.
(d) The Acquiror Group Members have, and since January 1, 2019 have had, in place reasonable and appropriate administrative, technical, physical and organizational measures and safeguards to (i) ensure the integrity, security, and the continued, uninterrupted, and error-free operation of the Acquiror IT Systems, and the confidentiality of the source code of any Acquiror Software, and (ii) to protect Business Data against loss, damage, and unauthorized access, use, modification, or other misuse.
Appears in 1 contract
Sources: Merger Agreement (Akerna Corp.)
Data Privacy and Security. (a) Except as would not have a Company Material Adverse Effect, each member of the Company Group is, and at all times since January 1, 2021 has been, in compliance with all applicable privacy and information security obligations to which it is subject, including with respect to the Company Group’s collection, maintenance, transmission, accessing, transfer, storage, use, disclosure, disposal, and other processing (collectively, “Processing”) of Personal Information, under applicable Privacy Laws (including, as applicable, Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”)), Contracts, industry standards (including, as applicable, the Payment Card Industry Data Security Standard), privacy policies or online terms of use (collectively, “Data Protection Requirements”). Except as would not have a Company Material Adverse Effect, neither the Company nor any Company Subsidiary has received any written or, to the Knowledge of the Company, other notices or complaints from any person or Governmental Authority alleging, or been subject to any audits or investigations concerning, any failure to comply with any Data Protection Requirements. Except as would not have a Company Material Adverse Effect, there has been no unauthorized access to, or use or disclosure of, any Personal Information collected, maintained, processed or stored by the Company or any Company Subsidiary. Except as would not have a Company Material Adverse Effect, the Company and the Company Subsidiaries have not, nor to the Knowledge of the Company has any third party Processing Business Data, notified or been required under Data Protection Requirements to notify any Governmental Authority or other person of a data security breach, Security Incident or violation of any data security policy or Data Protection Requirement pertaining to the business of the Company or any Company Subsidiary.
(b) Except as would not have a Company Material Adverse Effect, the Systems are adequate for, reasonably maintained and in sufficiently good working condition and performance for the conduct of the business of the Company and each Company Subsidiary as currently conducted and as currently contemplated to be conducted. Except as would not have a Company Material Adverse Effect, the Company and each Company Subsidiary has implemented and maintained all necessary and appropriate controls, policies, procedures, and safeguards to maintain and protect the confidentiality, integrity and security of the Systems, Personal Information and other Business Data used in connection with their businesses, and there has been no failure, malfunction, breakdown, performance reduction or other adverse event affecting any Systems, nor any unauthorized access to, or use, intrusion, or breach of security of, any Systems, or any other loss, or unauthorized Processing of any Business Data, including Personal Information, in the possession or control of the Company or any Company Subsidiary (each, a “Security Incident”), nor any incidents under internal review or investigations relating to the same. Except as would not have a Company Material Adverse Effect, the Company and each Company Subsidiary maintains commercially reasonable backup and data recovery, disaster recovery, and business continuity plans, procedures, and facilities, and is and has been in compliance with all of the Company Group’s policies related to the foregoing. Except as would not have a Company Material Adverse Effect, the Systems are free from any disabling codes or instructions, spyware, Trojan horses, worms, viruses or other Software routines that could permit or cause unauthorized access to, or disruption, impairment, disablement, or destruction of, Software, data or other materials.
Appears in 1 contract
Data Privacy and Security. Except as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect:
(a) There is not currently pending or, to Acquirer’s knowledge, threatened, and there has not since January 1, 2020 been any, Proceeding against any Acquirer Group Member initiated by (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; (iii) any regulatory entity, privacy regulator or otherwise, or (iv) any other Person, in each case, with respect to privacy, cybersecurity, and, to Acquirer’s knowledge, there are no facts upon which such a Proceeding could be based.
(b) Except as set forth on Section 5.13 of the Acquirer’s Disclosure Schedules, there have not been any actual, suspected, or alleged material Security Incidents or actual or alleged claims related to material Security Incidents, and, to Acquirer’s knowledge, there are no facts or circumstances which could reasonably serve as the basis for any such allegations or claims. There are no data security, information security, or other technological vulnerabilities with respect to the Acquirer Group’s services or with respect to the Acquirer IT Systems that would reasonably be expected to have a materially adverse impact on their operations or cause a material Security Incident.
(c) The Acquirer Group Members own or have license to use pursuant to an Acquirer Material Contract the Acquirer IT Systems as necessary to operate their respective businesses as currently conducted and such Acquirer IT Systems are sufficient for the operation of their respective businesses as currently conducted. The Acquirer Group Members have back-up and disaster recovery arrangements, procedures and facilities for the continued operation of its businesses in the event of a failure of the Acquirer IT Systems that are, in the reasonable determination of Acquirer, commercially reasonable and in accordance in all material respects with standard industry practice. Since January 1, 2020, there has not been any material disruption, failure or, to Acquirer’s knowledge, unauthorized access with respect to any of the Acquirer IT Systems that has not been remedied, replaced or mitigated in all material respects. To Acquirer’s knowledge, none of the Acquirer IT Systems contain any worm, bomb, backdoor, trap doors, Trojan horse, spyware, keylogger software, clock, timer or other damaging devices, malicious codes, designs, hardware component, or software routines that causes the Acquirer Software or any portion thereof to be erased, inoperable or otherwise incapable of being used, either automatically, with the passage of time or upon command by any unauthorized person.
(d) The Acquirer Group Members have, and since January 1, 2020 have had, in place reasonable and appropriate administrative, technical, physical and organizational measures and safeguards to (i) ensure the integrity, security, and the continued, uninterrupted, and error-free operation of the Acquirer IT Systems, and the confidentiality of the source code of any Acquirer Software, and (ii) to protect Business Data against loss, damage, and unauthorized access, use, modification, or other misuse.
Appears in 1 contract
Data Privacy and Security. Except as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect:
(a) TPCO and each of its Subsidiaries complies, and since the Lookback Date has complied in all material respects, with all applicable Privacy and Information Security Requirements. Neither TPCO nor any of its Subsidiaries have been notified in writing of, or is the subject of, any complaint, regulatory investigation or proceeding related to Processing of Personal Data by any Governmental Entity or payment card association, regarding any violations of any Privacy and Information Security Requirement by or with respect to TPCO or its Subsidiaries.
(b) TPCO and each of its Subsidiaries employs commercially reasonable organizational, administrative, physical and technical safeguards that comply with all Privacy and Information Security Requirements to protect Personal Data within its custody or control and requires the same of all vendors under contract with TPCO that Process Personal Data on its behalf. TPCO and each of its Subsidiaries have provided all requisite notices and obtained all required consents or otherwise identified legal basis for Personal Data, and satisfied all other requirements (including but not limited to notification to Governmental Entities), necessary for the Processing (including international and onward transfer) of all Personal Data in connection with the conduct of the TPCO Business as currently conducted and in connection with the consummation of the transactions contemplated hereunder, except in each case, as would not be reasonably expected to have a Material Adverse Effect with respect to TPCO.
(c) Neither TPCO nor any of its Subsidiaries, to TPCO's knowledge, has suffered a security breach with respect to any of the Personal Data and, to TPCO's knowledge, there has been no unauthorized or illegal use of or access to any Personal Data. Neither TPCO nor any of its Subsidiaries has notified, or been required to notify, any Person of any information security breach involving Personal Data. To TPCO's knowledge, TPCO Systems have had no material errors or defects, and/or if TPCO Systems have had any material errors or defects, such have been fully remedied and contain no code designed to disrupt, disable, harm, distort, or otherwise impede in any manner the legitimate operation of such TPCO Systems (including what are sometimes referred to as "viruses," "worms," "time bombs," or "back doors" or any other form of malware) that have not been removed or fully remedied. To TPCO's knowledge, neither it nor any of its Subsidiaries, have experienced any material disruption to, or material interruption in, the conduct of its business that effected the business for more than one calendar week, and attributable to a defect, bug, breakdown, ransomware event, unauthorized access, introduction of a virus or other malicious programming, or other failure or deficiency on the part of any computer Software or the TPCO Systems.
Sources: Business Combination Agreement (TPCO Holding Corp.)
Data Privacy and Security. (a) Except for those matters that, individually or in the aggregate, have not been and would not reasonably be expected to be material to the North American Business or the Transferred Group Members, taken as a whole, Parent and the Parent Subsidiaries are and at all times since January 1, 2018 have been in compliance in all material respects with (i) all Privacy Laws and (ii) all Privacy and Data Security Policies and written contractual requirements pertaining to the processing of Personally Identifiable Information (collectively, the “Parent Privacy Commitments”).
(b) Parent and the Parent Subsidiaries have, with respect to the North American Business, (i) implemented and maintained industry standard security measures, plans, procedures, controls, and programs, including a written information security program and a data protection management system to prevent data breaches, and (ii) established and implemented Privacy and Data Security Policies and other organizational, physical, administrative and technical measures regarding privacy, cyber security and data security.
(c) The execution, delivery and performance of this Agreement will not cause a material breach of any Privacy Laws applicable to the North American Business or Parent Privacy Commitments, in each case with respect to the North American Business only. Copies of all current Privacy and Data Security Policies applicable to the North American Business have been made available to Purchaser and such copies are true and complete.
(d) Except for those matters that, individually or in the aggregate, have not been and would not reasonably be expected to be material to the North American Business or the Transferred Group Members, taken as a whole, to the Knowledge of Parent, since January 1, 2018, (i) neither Parent nor the Parent Subsidiaries have suffered any accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access to or misuse of any Personally Identifiable Information, including Personally Identifiable Information processed by a third party on Parent’s or the Parent Subsidiaries’ behalf and (ii) no Action by any Governmental Entity or Person has been asserted or, to the Knowledge of Parent, threatened against Parent or the Parent Subsidiaries alleging a violation of any Person’s privacy or Personally Identifiable Information or data rights, or Parent Privacy Commitments.