Information Security and Data Privacy. (a) In the collection and Processing by the Acquired Companies of any Personal Data, the Acquired Companies and their Personal Data Processors and Personal Data Suppliers are in compliance with and have always complied with all applicable Privacy Commitments. The Acquired Companies operate appropriate technical and organizational security measures to prevent the unlawful Processing of Personal Data and unauthorized access, accidental loss or destruction of or damage to Personal Data in its possession or control, which measures are in compliance in all material respects with the Privacy Commitments. Without limiting the foregoing, the Acquired Companies and their Personal Data Suppliers have collected all Personal Data fairly and lawfully including acquiring all necessary consents from Data Subjects and otherwise have all requisite legal authority to Process, use and hold Personal Data in the manner it is Processed by the Acquired Companies or by any Personal Data Processor on their behalf without breaching any of the Privacy Commitments. The Acquired Companies have at all times respected all Data Subject opt-outs and consent withdrawals.
(b) To the extent that the Acquired Companies Process any financial account numbers (such as credit cards, bank accounts, PayPal accounts, debit cards), passwords, CCV data, or other related data, the Acquired Companies have implemented information security procedures, processes and systems that have at all times met all applicable Laws related to the Processing of cardholder data, including those established by applicable Governmental Entities, and the Payment Card Industry Standards Council (including the Payment Card Industry Data Security Standard).
(c) The Acquired Companies have at all times presented a Privacy Policy which complies with Privacy Laws to Data Subjects prior to the collection of any Personal Data, and no such Privacy Policy is or has been inaccurate, misleading or deceptive. None of the Acquired Companies have made any statement to the general public regarding any of their information security practices applicable to any Personal Information other than those made in the Company Privacy Policies. None of the Acquired Companies have collected or received any Personal Data online from children under the age of thirteen (13) without (where legally required) verifiable parental consent or directed any of its websites to children under the age of thirteen (13) through which such Personal Data could be obtained.
(d) None of the Acquired Companies Process Personal Information relating to customers or client end users located in the EEA or UK. None of the Acquired Companies have transferred or permitted the transfer of Personal Information originating in the EEA or UK outside the EEA or UK, except where such transfers have complied with the requirements of Privacy Laws and the Company Privacy Policies. Each of the Acquired Companies has implemented privacy by design into its practices and procedures and completed privacy impact assessments where required to do so remedying any risks to the rights and freedoms of individuals identified in the course of carrying out the privacy impact assessment.
(e) None of the Acquired Companies sell, rent or otherwise make available to any Person any Personal Data, except in a manner that complies in all material respects with the applicable Privacy Commitments. The execution, delivery and performance of this Agreement and the transactions contemplated herein comply, and will comply, in all material respects, with all Privacy Commitments of Acquired Companies. Following the Closing Date, Acquired Companies will continue to be permitted to Process, collect, store, use and disclose Personal Data held by them on terms identical to those in effect as of the date of this Agreement and to the same extent the Acquired Companies would have been able to had the transactions contemplated by this Agreement not occurred.
(f) None of the Acquired Companies have received any written notice that is or has been in breach of any Privacy Commitment to limit its use of, secure or otherwise safeguard Personal Data and no such breach has occurred within the applicable statute of limitations for a claim arising out of such a breach.
(g) Each Acquired Company has in place and follows commercially reasonable procedures designed to ensure that there are Contracts in place with all Personal Data Processors, which comply with the requirements of all Privacy Laws and Company Privacy Policies, and require that such Personal Data Processor Processes Personal Data are in compliance with the Privacy Laws and the Company Privacy Policies and the Acquired Companies’ obligations under any Contract that governs the Processing of any Company Data. Each of the Acquired Companies and their respective data processors have taken commercially reasonable steps to ensure the reliability of their respective employees and contractors who have access to Company Data, to train such employees on all applicable aspects of Privacy Laws and Company Privacy Policies and to ensure that all employees with the authority and/or ability to access such data are under written obligations of confidentiality with respect to such data.
(h) None of the Acquired Companies have experienced any unauthorized access to, deletion or other misuse of, any Personal Data in its possession or control (a “Security Incident”) or made or been required to make any disclosure, notification or take any other action under any applicable Privacy Laws in connection with any Security Incident. No Personal Data Supplier has experienced any Security Incident or made or has been required to make any disclosure, notification or take any other action under any applicable Privacy Laws in connection with any Security Incident with respect to any Personal Data provided by it to any Acquired Company.
(i) None of the Acquired Companies have received a written request, complaint or objection to its collection or use of Personal Data from any data protection authority or third party (including Data Subjects) that remains unresolved. No action, audit, assessment, suit, legal proceeding, investigation, administrative enforcement proceeding or arbitration proceeding before any court, administrative body or other Governmental Body (whether of a criminal, civil or administrative nature) has been filed, commenced or threatened against any Acquired Company, alleging any failure to comply with any Privacy Laws, and none of the Acquired Companies have incurred any material liabilities under any Privacy Laws. None of the Acquired Companies have, and, to the knowledge of the Stockholders, no third parties have, filed, commenced or threatened any action against any Personal Data Supplier or Personal Data Processor with respect to any Personal Data Processed for any Acquired Company.
Sources: Stock Purchase Agreement (American Superconductor Corp /De/)
Information Security and Data Privacy. (a) In the collection and Processing by the Acquired Companies Each of any Personal Data, the Acquired Companies and their Personal Data Processors and Personal Data Suppliers Company Subsidiaries are in compliance with and have always complied in all material respects with all applicable Privacy Commitments. The Acquired Companies and Company Subsidiaries operate appropriate technical and organizational security measures to prevent the unlawful Processing of Personal protect Company Data and against unauthorized access, accidental loss or destruction of or damage to Personal Company Data in its possession or control, which measures are, to the Knowledge of the Stockholders, consistent with standards that are customary in compliance the industry in all material respects with the Privacy Commitments. Without limiting the foregoing, which the Acquired Companies and their Personal Data Suppliers have collected all Personal Data fairly and lawfully including acquiring all necessary consents from Data Subjects and otherwise have all requisite legal authority to Process, use and hold Personal Data in the manner it is Processed by the Acquired Companies or by any Personal Data Processor on their behalf without breaching any of the Privacy Commitments. The Acquired Companies have at all times respected all Data Subject opt-outs and consent withdrawalsCompany Subsidiaries operates.
(b) To the extent that Knowledge of the Acquired Companies Process any financial account numbers (such as credit cardsStockholders, bank accounts, PayPal accounts, debit cards), passwords, CCV data, or other related data, the Acquired Companies have implemented information security procedures, processes and systems that have at all times met all applicable Laws related to the Processing of cardholder data, including those established by applicable Governmental Entities, and the Payment Card Industry Standards Council (including the Payment Card Industry Data Security Standard).
(c) The Acquired Companies have at all times presented a Privacy Policy which complies with Privacy Laws to Data Subjects prior to the collection of any Personal Data, and no such Privacy Policy is or has been inaccurate, misleading or deceptive. None none of the Acquired Companies have made any statement to the general public regarding any of their information security practices applicable to any Personal Information other than those made in the or Company Privacy Policies. None of the Acquired Companies Subsidiaries have collected or received any Personal Data online from children under the age of thirteen (13) without (where legally required) verifiable parental consent or directed any of its websites to children under the age of thirteen (13) through which such Personal Data could be obtained.
(dc) None of the Acquired Companies or Company Subsidiaries Process Personal Information Information, except for name and contact information, relating to customers or client end users located in the EEA or UK. None of the Acquired Companies or Company Subsidiaries have transferred or permitted the transfer of Personal Information Data originating in the EEA or UK outside the EEA or UK, except where such transfers have complied with the requirements of Privacy Laws and the Company applicable Privacy Policies. Each of the Acquired Companies has implemented privacy by design into its practices and procedures and completed privacy impact assessments where required to do so remedying any risks to the rights and freedoms of individuals identified in the course of carrying out the privacy impact assessmentCommitments.
(ed) None of the Acquired Companies or Company Subsidiaries sell, rent or otherwise make available to any Person any Personal Data, except in a manner that complies in all material respects with the applicable Privacy Commitments. The execution, delivery and performance of this Agreement and the transactions contemplated herein comply, and will comply, in all material respects, with all Privacy Commitments of Acquired Companies. Following the Closing Date, Acquired Companies will continue to be permitted to Process, collect, store, use and disclose Personal Data held by them on terms identical to those in effect as of the date of this Agreement and to the same extent the Acquired Companies would have been able to had the transactions contemplated by this Agreement not occurredCompany Subsidiaries.
(fe) None of the Acquired Companies or Company Subsidiaries have received any written notice that it is or or, to the Knowledge of the Stockholders, has been in breach of any Privacy Commitment to limit its use of, secure or otherwise safeguard Personal Data and no such breach has occurred within the applicable statute of limitations for a claim arising out of such a breach.
(gf) Each Acquired Company has in place and follows commercially reasonable procedures designed Except as disclosed on Section 3.12(f) of the Disclosure Schedule, to ensure that there are Contracts in place with all Personal Data Processorsthe Knowledge of the Stockholders, which comply with the requirements of all Privacy Laws and Company Privacy Policies, and require that such Personal Data Processor Processes Personal Data are in compliance with the Privacy Laws and the Company Privacy Policies and the Acquired Companies’ obligations under any Contract that governs the Processing of any Company Data. Each none of the Acquired Companies and their respective data processors have taken commercially reasonable steps to ensure the reliability of their respective employees and contractors who have access to or Company Data, to train such employees on all applicable aspects of Privacy Laws and Company Privacy Policies and to ensure that all employees with the authority and/or ability to access such data are under written obligations of confidentiality with respect to such data.
(h) None of the Acquired Companies Subsidiaries have experienced any unauthorized access to, deletion or other misuse of, any Personal Data in its possession or control (a “Security Incident”) or made or been required to make any disclosure, notification or take any other action under any applicable Privacy Laws in connection with any Security Incident. No Personal Data Supplier has experienced any Security Incident or made or has been required to make any disclosure, notification or take any other action under any applicable Privacy Laws in connection with any Security Incident with respect to any Personal Data provided by it to any Acquired Company.
(ig) None of the Acquired Companies or Company Subsidiaries have received a written request, complaint or objection to its collection or use of Personal Data from any data protection authority or third party (including Data Subjectsany individuals) that remains unresolved. No action, audit, assessment, suit, legal proceeding, investigation, administrative enforcement proceeding or arbitration proceeding before any court, administrative body or other Governmental Body (whether or a criminal, civil or administrative nature) has been filed, commenced or threatened against any Acquired CompanyCompany or Company Subsidiary, alleging any failure to comply with any Privacy Laws, and none of the Acquired Companies or Company Subsidiaries have incurred any material liabilities under any applicable Privacy Laws. None of the Acquired Companies have, and, to the knowledge of the Stockholders, no third parties have, filed, commenced or threatened any action against any Personal Data Supplier or Personal Data Processor with respect to any Personal Data Processed for any Acquired Company.
Sources: Stock Purchase Agreement (American Superconductor Corp /De/)