Common use of DATA SECURITY AND COMPLIANCE Clause in Contracts

DATA SECURITY AND COMPLIANCE. 3.25.1 Each of the Acquired Companies complies, and (a) with respect to DSL, has in the past three (3) years and (b) with respect to BEOP, since July 1, 2024 complied, in each case, in all material respects, with (i) its internal privacy and data security policies, (ii) all applicable rules of self-regulatory organizations and codes of conduct, (iii) industry standards, guidelines and best practices concerning the Processing of Personal Information, (iv) all public statements, representations, obligations, promises, and commitments of the Acquired Companies concerning the privacy, security or the Processing of Personal Information, and (v) all Data Security Requirements. The Acquired Companies have provided true, accurate, complete and up-to-date versions of the documents referenced in the foregoing clauses (i) and (iv) to Purchaser. Neither the negotiation nor consummation of the transaction contemplated by this Agreement, nor any disclosure or transfer of information in connection therewith, will breach or otherwise cause any violation of any Data Security Requirement or require the consent, waiver or authorization of, or declaration, filing or notification to, any Person, including any Governmental Entity, under any such Data Security Requirement. All vendors, processors, subcontractors and other Persons acting for or on behalf of the Acquired Companies in connection with the Processing of Personal Information or that otherwise have been authorized to have access to the Seller IT Assets or the Personal Information in the possession or control of the Acquired Companies (the foregoing as “Processors”) are subject to contractual requirements, compliant with all applicable Data Security Requirements, regarding the Processing of Personal Information, and such Processors (a) with respect to DSL, has in the past three (3) years and (b) with respect to BEOP, since July 1, 2024, complied, in each case, in all material respects, with the Data Security Requirements and applicable contractual requirements. The Acquired Companies have not transferred or authorized the transfer of Personal Information outside of its relevant originating country, except where such transfers have complied with Data Security Requirements. The Acquired Companies have not combined, transferred, shared or sole any Personal Information in violation of any Data Security Requirements. There are no, and (a) with respect to DSL, in the past three (3) years and (b) with respect to BEOP, since July 1, 2024, have not been any actions, suits, claims, investigations or other legal proceedings pending or threatened against the Acquired Companies concerning any Data Security Requirement or compliance therewith or violation thereof by any Person, including any Governmental Entity. No Seller Party has entered into any agreement with, or is the subject of any order from, any Governmental Entity regarding data protection, privacy or the collection, use, disclosure, combination, sale or licensing of Personal Information or otherwise pertaining to Data Security Requirements. No Seller Party is currently Party to any consent order, consent decree, settlement or other similar agreement regarding data protection, privacy or the collection, use, disclosure, sale or licensing of Personal Data, or Data Security Requirements. No Seller Party is currently, and (a) with respect to DSL, has in the past six (6) years and (b) with respect to BEOP, since July 1, 2024, collected, stored or used any credit card information, credit scores, financial account information, social security numbers, health or medical information, any information regarding anyone under the age of thirteen (13) years, or any data designated as “sensitive” under any Data Security Requirement Laws. 3.25.2 The Acquired Companies have implemented and maintain a comprehensive written information security plan (a “Security Plan”), which implements disaster continuity plans, business continuity plans, and administrative, technical and physical safeguards designed to protect the integrity and security of the Seller IT Assets and the information and data stored therein (including personal data, personally identifiable information and other sensitive information) from loss, damage, misuse or unauthorized use, access, modification or disclosure, including, cybersecurity and malicious insider risks. In the past three (3) years with respect to DSL and since July 1, 2024 with respect to BEOP, (i) there has been no loss, damage, misuse or unauthorized use, unauthorized access, unauthorized acquisition or exfiltration, unauthorized modification or disclosure, or other breach (any of the foregoing as a “Cyberbreach”) of security of personal data or personally identifiable information maintained by or on behalf of the Acquired Companies, (ii) there have been no Cyberbreaches relating to any Seller IT Asset, and (iii) there has been no phishing, social engineering, business email compromise incident, or other Cyberbreach, that has resulted in a material monetary loss or that has otherwise had or would reasonably be expected to have, individually or in the aggregate, a Material Adverse Effect on the Business of the Acquired Companies. Without limiting the foregoing, the Acquired Companies have implemented backup, security and disaster recovery measures and technology consistent with industry-best practices and has tested those measures and technology at least annually.

DATA SECURITY AND COMPLIANCE. 3.25.1 4.19.1 Each of the Acquired Companies Parent and Purchaser complies, and (a) with respect to DSL, has in the past three (3) years and (b) with respect to BEOP, since July 1, 2024 complied, in each case, in all material respects, with (i) its internal privacy and data security policies, (ii) all applicable rules of self-regulatory organizations and codes of conduct, (iii) industry standards, guidelines and best practices concerning the Processing of Personal Information, (iv) all public statements, representations, obligations, promises, and commitments of the Acquired Companies concerning the privacy, security or the Processing of Personal Information, and (v) all Data Security Requirements. The Acquired Companies have provided true, accurate, complete and up-to-date versions of the documents referenced in the foregoing clauses (i) and (iv) to Purchaser. Neither the negotiation nor consummation of the transaction contemplated by this Agreement, nor any disclosure or transfer of information in connection therewith, will breach or otherwise cause any violation of any Data Security Requirement or require the consent, waiver or authorization of, or declaration, filing or notification to, any Person, including any Governmental Entity, under any such Data Security Requirement. All vendors, processors, subcontractors and other Persons acting for or on behalf of the Acquired Companies Purchaser or the Parent in connection with the Processing of Personal Information or that otherwise have been authorized to have access to the Seller IT Assets Parent’s or the Purchaser’s technology, computer software, databases, systems, networks and internet sites and information stored or contained therein and/ or transmitted thereby or the Personal Information in the possession or control of the Acquired Companies (Parent or the foregoing as “Processors”) are subject to contractual requirements, compliant with all applicable Data Security Requirements, regarding the Processing of Personal Information, and such Processors (a) with respect to DSL, has processors have in the past three (3) years and (b) with respect to BEOP, since July 1, 2024, complied, in each case, in all material respects, with the Data Security Requirements and applicable contractual requirements. The Acquired Companies have not Neither Purchaser nor Parent has transferred or authorized the transfer of Personal Information outside of its relevant originating country, except where such transfers have complied with Data Security Requirements. The Acquired Companies have not Neither Purchaser nor Parent has combined, transferred, shared or sole any Personal Information in violation of any Data Security Requirements. There are no, and (a) with respect to DSL, in the past three (3) years and (b) with respect to BEOP, since July 1, 2024, have not been any actions, suits, claims, investigations or other legal proceedings pending or threatened against the Acquired Companies Parent or the Purchaser concerning any Data Security Requirement or compliance therewith or violation thereof by any Person, including any Governmental Entity. No Seller Party Neither Parent nor Purchaser has entered into any agreement with, or is the subject of any order from, any Governmental Entity regarding data protection, privacy or the collection, use, disclosure, combination, sale or licensing of Personal Information or otherwise pertaining to Data Security Requirements. No Seller Party Neither Parent nor Purchaser is currently Party to any consent order, consent decree, settlement or other similar agreement regarding data protection, privacy or the collection, use, disclosure, sale or licensing of Personal Data, or Data Security Requirements. No Seller Party Neither Parent nor Purchaser is currently, and (a) with respect to DSL, currently or has in the past six (6) years and (b) with respect to BEOP, since July 1, 2024, collected, stored or used any credit card information, credit scores, financial account information, social security numbers, health or medical information, any information regarding anyone under the age of thirteen (13) years, or any data designated as “sensitive” under any Data Security Requirement Laws. 3.25.2 The Acquired Companies 4.19.2 Each of Parent and Purchaser have implemented and maintain a comprehensive written information security plan (a “Security Plan”), which implements disaster continuity plans, business continuity plans, and administrative, technical and physical safeguards designed to protect the integrity and security of the Seller IT Assets Parent and the Purchaser’s technology, computer software, databases, systems, networks and internet sites and information and data stored or contained therein or transmitted thereby (including personal data, personally identifiable information and other sensitive information) from loss, damage, misuse or unauthorized use, access, modification or disclosure, including, cybersecurity and malicious insider risks. In the past three (3) years with respect to DSL and since July 1, 2024 with respect to BEOP, (i) there has been no loss, damage, misuse or unauthorized use, unauthorized access, unauthorized acquisition or exfiltration, unauthorized modification or disclosure, or other breach (any of the foregoing as a “Cyberbreach”) Cyberbreach of security of personal data or personally identifiable information maintained by or on behalf of the Acquired CompaniesPurchaser or the Parent, (ii) there have been no Cyberbreaches relating to any Seller IT Assetof the Parent and the Purchaser’s technology, computer software, databases, systems, networks and internet sites and information stored or contained therein or transmitted thereby, and (iii) there has been no phishing, social engineering, business email compromise incident, or other Cyberbreach, that has resulted in a material monetary loss or that has otherwise had or would reasonably be expected to have, individually or in the aggregate, a Material Adverse Effect on the Business business of the Acquired CompaniesParent or the Purchaser. Without limiting the foregoing, the Acquired Companies each of the Parent and the Purchaser have implemented backup, security and disaster recovery measures and technology consistent with industry-best practices and has tested those measures and technology at least annually.