Common use of Privacy and Data Security Clause in Contracts

Privacy and Data Security. The Company is and has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contract.

Privacy and Data Security. The (a) Each Group Company is and that maintains a web site has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or posted on its web site a privacy policy regarding the collection, handlinguse and disclosure of Personal Information that it collects, is in its possession, or in its custody or control. Each Group Company has complied in all material respects with all Information Privacy and Security Laws and material agreements to which it is a party that contain, involve or deal with receipt, collection, compilation, use, maintenancestorage, storageprocessing, sharing, safeguarding, security (technical, physical and administrative), disposal, destruction, disclosure, transferor transfer (including cross-border) Personal Information. No Group Company has been notified in writing of any Action or any other claim related to data security or privacy or alleging a violation of any of its privacy policies, or other processing ofany Information Privacy and Security Law, Personal Information (including any such information of individualsnor, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, has any such claim been threatened in writing. Each Group Company has taken commercially reasonable administrative, physical and technical measures designed to protect and maintain the confidentiality, security, integrity and accessibility (as applicable) of: (a) Systems and all data contained therein (including Company Data and Data Sets and other data subject to confidentiality obligations), (ib) all Personal Information and other Sensitive Data collected by or on behalf of the Group Companies in connection with their business, including in each case, in accordance with all Information Privacy and Security Laws and Group Company’s published policies. Each Group Company has implemented and maintains taken commercially reasonable written policies and procedures steps to ensure that all material third party service providers, outsourcers, contractors, or other persons who access, process, store or otherwise handle Personal Information for or on behalf of a Group Company have agreed in writing to materially comply with applicable Information Privacy and Security Laws and are designed taken reasonable steps to protect the privacy and security of secure Personal Information from loss, theft, misuse or unauthorized access, use, modification or disclosure. (the “b) There are no unsatisfied written requests that any Group Company has received from individuals seeking to exercise their data protection rights under Information Privacy Policies”and Security Laws. Except as set forth on Schedule 3.13.9(b), there is not and has not been any (i) and Action or (ii) written allegation that a Group Company has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company received by any Person alleging a violation of Privacy Lawsprivate party, Privacy Policiesany data protection authority, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, Governmental Authority with respect to, or to the Group Companies’ collection, handling, use, maintenance, storage, disclosure, transfer, or other processing ofof Personal Information or compliance with Information Privacy and Security Laws, Personal Informationnor has any such Action been threatened. To the Knowledge of the Company, there have There has been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access tomaterial Security Breach involving Systems, or collection, use, disclosure, modification or destruction ofCompany Data and Data Sets, Personal Information or other data Sensitive Data in the possession or control of any Group Company. No Group Company has notified, or been required to notify, any Person or Governmental Authority of any Security Breach, nor has the Group Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in paid a notification obligation ▇▇▇▇▇▇ to any Person under applicable Law or pursuant to the terms perpetrator as a result of any Company Contractactual or threatened cyber-attack.

Privacy and Data Security. The (a) Each Group Company is complies, and has at all times been has complied, in compliance all material respects, with all applicable Privacy Laws and Requirements. There are no material unsatisfied requests from individuals to any Group Company seeking to exercise rights under any Privacy Requirement. The Transactions and, to the applicable terms knowledge of the Company, the Share Purchase will not constitute a material breach or violation of any applicable Privacy Requirement. There is no, and has not been any, (i) Action of any nature pending or, to the knowledge of the Company, threatened against any Group Company Contracts governing relating to privacy, data protection, or data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, security with respect to, to the Processing of Personal Data by or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation on behalf of the Company’s business)Group Companies; or (ii) notice of any actual or asserted noncompliance with any Privacy Requirement, except, in each case, for such noncompliance except as has not had, and would not reasonably be expected to havenot, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect. (b) The Group Companies have (i) implemented and maintained reasonable measures to ensure material compliance with applicable Privacy Requirements; (ii) implemented and maintained reasonable measures to preserve and protect the confidentiality, availability, security, and integrity of all Systems and Personal Data within the possession or control of the Group Companies; and (iii) implemented and maintained reasonable technical, physical and organizational measures and security systems and technologies that are designed to protect the Personal Data within the possession or control of the Group Companies in a manner appropriate to the risks represented by the Processing of such data by the Group Companies and any third parties Processing Personal Data on their behalf, including with respect to redundancy, reliability, scalability and security. To Except as set forth in Section 3.15(b) of the Knowledge Disclosure Schedules, none of the Group Companies has suffered any material security breach resulting in any material unauthorized access to, or acquisition of, any Personal Data within the possession or control of the Group Companies and, to the knowledge of the Company, no circumstances have arisen in which the Privacy Requirements would require any of the Group Companies to notify any Governmental Authority of any material data security breach or material security incident. (c) The execution and consummation of the Transactions and, to the knowledge of the Company, the Share Purchase and the continued Processing of the Personal Data by the Group Companies in a manner consistent with the current Processing of the Personal Data will not violate any Privacy Requirement in any material respect. (d) The Company (i) has implemented IT Assets, including any portions which are provided or operated by Third Parties, are adequate and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed sufficient to protect the privacy and security confidentiality of all Personal Information (the “Data and Third Party information and are in material compliance with all applicable Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse EffectRequirements. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge knowledge of the Company, there have been no data material instances of unauthorized access, intrusions or breaches of the security incidents of (i) any such Company IT Assets operated or data breaches controlled by any Group Company or other adverse events any Third Party or incidents that have resulted (ii) any Personal Data under the custody or control of any Group Company, and no person (including any Governmental Authority) has made any claim in writing or commenced any proceeding against any Group Company or any Third Party service provider to any Group Company with respect to loss, damage or unauthorized access toaccess, or collectiondisclosure, use, disclosure, modification or destruction of, other misuse of Personal Information or other data in the possession or control of the Data by any Group Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company ContractGroup Company.

Privacy and Data Security. The Company is has provided true and has at correct copies of all times been in compliance with all applicable current Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with Policies adopted by the Company or any of its Subsidiaries in connection with the operation of the Company’s its business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, The Company has, during the Company period beginning inception through the Agreement Date: (i) has implemented and maintains reasonable written policies and procedures that materially comply complied with all applicable Privacy Laws and are designed related to protect the protection, privacy and security of Personal Information (Data, and any similar federal, state or foreign law and other laws regarding the “Privacy Policies”) and disclosure of Personal Data; (ii) has complied with such not violated its applicable Privacy Policies, except for such noncompliance as has not had, ; (iii) taken commercially reasonable steps to protect and would not reasonably be expected maintain the confidential nature of Personal Data provided to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, its Subsidiaries or any of their respective Affiliates in accordance with its applicable Privacy Policies; (iv) has not discovered any unauthorized or improper access to or use or disclosure of Personal Data or other confidential information to any unauthorized or improper third party; and (v) no Legal Proceeding has threatened or actual breach of Personal Data by or against the Company. No claims have been asserted or or, are threatened against the Company by any Person alleging a violation of any person’s privacy, confidentiality or other rights under any Company Privacy LawsPolicy, Privacy Policiesunder any contract, or under any Law relating to any Personal Data or Customer Data. With respect to any Personal Data and Customer Data, the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, has taken commercially reasonable measures (including implementing and monitoring compliance with respect to, or the collection, handlingto technical and physical security) designed to safeguard such data against loss and against unauthorized access, use, maintenancemodification, disclosure or other misuse. There has been no unauthorized access to or other misuse of any Customer Data and Personal Data. The Company has not received any complaint from any Person (including any action letter or other inquiry from any Governmental Authority) regarding the Company’s collection, storage, hosting, disclosure, transmission, transfer, or disposal, other processing of, or security of Customer Data or Personal InformationData. To the Knowledge of the Company, there There have been no facts or circumstances that would require Company to give notice to any customers, suppliers, consumers or other similarly situated Persons of any actual or perceived data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms an applicable Laws requiring notice of any Company Contractsuch a breach.

Privacy and Data Security. The (a) Each Group Company is complies, and has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacyhave complied, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance except as has not had, been and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, be material to the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply or its Subsidiaries, taken as a whole, with all applicable Privacy Laws, with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge with applicable contractual obligations of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts and its Subsidiaries governing privacy, data protection, and data security with respect to the Processing of Personal Data by the Company and its Subsidiaries. There are no material unsatisfied requests from individuals to the Company or any of its Subsidiaries seeking to exercise rights under any Privacy Law. Neither the execution of this Agreement nor the consummation of the Transactions constitutes a material breach or violation of any applicable Privacy Law, any applicable Privacy Policy, or any applicable contractual obligations of the Company and its Subsidiaries governing privacy, data protection, and data security with respect to the Processing of Personal Data by the Company and its Subsidiaries. There is no, and has not been any, (i) Action of any nature pending or threatened against the Company or any of its Subsidiaries relating to privacy, data protection, or data security with respect to the Processing of Personal Data by the Company and its Subsidiaries; or (ii) written notice of any actual or asserted noncompliance with any Law to which the Company or any of its Subsidiaries are subject relating to privacy, data protection, or data security with respect to the Processing of Personal Data by the Company. (b) The Company and its Subsidiaries have at all times (i) implemented and maintained reasonable measures in compliance with applicable Privacy Laws, designed to preserve and protect the confidentiality, availability, security, trans-border data flow, data loss, data theft, and integrity of all Systems and Personal Data within the possession or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge control of the Company, there have been no data Company and its Subsidiaries; (ii) implemented and maintained reasonable disaster recovery and business continuity plans for their business; and (iii) not suffered any security incidents or data breaches or other adverse events or incidents that have resulted breach (x) resulting in any material unauthorized access to, or collection, use, disclosure, modification or destruction acquisition of, any Personal Information or other data in Data within the possession or control of the Company or any service provider acting on behalf of its Subsidiaries or (y) which required a regulatory notification or reporting requirement to any Governmental Authority. (c) The IT Assets of the Company and its Subsidiaries, including any portions of which are provided or operated by Third Parties, are adequate and sufficient to protect the privacy and confidentiality of all Personal Data and Third Party information in compliance in all material respects with reasonable industry practices and all applicable Privacy Laws and agreements. There have been no material unauthorized access, intrusions or breaches of the security of (i) any such IT Assets operated or controlled by the Company or any of its Subsidiaries or any Third Party or (ii) any Personal Data under the custody or control of the Company, in each case, where such incident, breach . No person (including any Governmental Authority) has made any claim or event resulted in a notification obligation to commenced any Person under applicable Law proceeding against the Company or pursuant any Third Party service provider to the terms Company or any of its Subsidiaries with respect to loss, damage or unauthorized access, disclosure, use, modification or other misuse of Personal Data by the Company, any Company Contractof its Subsidiaries, or any of their respective service providers.

Privacy and Data Security. The Except as would not be material to the Company is and has at all times its Subsidiaries, taken as a whole, the Company and the Company Subsidiaries have been and are in compliance in all material respects with all applicable Privacy Laws and the applicable terms of Data Security Laws, any Company Contracts governing internal and external policies relating to privacy or data security, any contractual obligations relating to privacy, data protection, data security, trans-border data flow, data loss, data theft, security or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Processing of Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with binding on the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not hador Company Subsidiaries, and would not reasonably be expected any applicable industry standards or self-regulatory standards relating to haveprivacy or data security binding on the Company or Company Subsidiaries (collectively with Privacy and Data Security Laws, “Privacy and Data Security Obligations”). Except as, individually or in the aggregate, does not constitute a Company Material Adverse Effect. To the Knowledge of the Company, the Company and the Company Subsidiaries have a valid and legal right (iwhether contractually, by law, or otherwise) has implemented to access or use any and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of all Company Data (including any Personal Information (contained therein) received, Processed, used or disclosed by or on behalf of the “Privacy Policies”) Company or the Company Subsidiaries in connection with the use or operation of its products, services and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to havebusiness. Except as, individually or in the aggregate, does not constitute a Company Material Adverse Effect, (a) the Company and Company Subsidiaries have provided any and all necessary notices, obtained any and all necessary consents or other forms of authorization required for the Processing of Personal Information, and honored any and all opt-out requests or privacy choices made by a Person in accordance with applicable Privacy and Data Security Obligations; and (b) the Company’s and Company Subsidiaries’ use of cookies or other forms of tracking technologies, including but not limited to session replay software, comply with and have at all times complied with applicable Privacy and Data Security Obligations. To Except as would not be material to the Company and its Subsidiaries, taken as a whole, the Company and the Company Subsidiaries have not received any notification of any complaint, audit, investigation, inquiry, claim, suit, action or other legal proceeding asserted against the Company or the Company Subsidiaries initiated by (i) any Person, (ii) any Governmental Authority or (iii) any regulatory or self-regulatory entity alleging that any activity or conduct of the Company or the Company Subsidiaries is in violation of applicable Privacy and Data Security Obligations and have no Knowledge of any facts or circumstances that, individually or in the Companyaggregate, would reasonably indicate material non-compliance of applicable Privacy and Data Security Obligations by the Company and Company Subsidiaries and there are no Legal Proceeding has pending, nor have there been asserted in the past three (3) years, complaints, actions, suits, audits, investigations, inquiries, claims, suits, actions or other proceedings by or before any court or Governmental Authority or body threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms Company Subsidiaries alleging non-compliance with any Privacy and Data Security Obligations. Except as would not be material to the Company and its Subsidiaries, taken as a whole, the Company and the Company Subsidiaries have at all times (A) implemented and maintain a written information security program designed to protect and appropriate to the level of risk posed to Company Systems and Company Data (and any Personal Information contained therein), including against Security Events and (B) taken reasonable steps to ensure that any third party or subcontractor with access to any Company Contracts governing privacySystems or Company Data has implemented and maintain the same. Except as would not be material to the Company and its Subsidiaries, data protectiontaken as a whole, data the Company and the Company Subsidiaries, as part of its written information security program, have established and maintain commercially reasonable information technology, information security, trans-border cyber security and data flowprotection controls, data losspolicies and procedures (including incident response, data theftdisaster recovery and business continuity plans and procedures) consistent with industry practice and applicable Privacy and Data Security Obligations; and for the past three (3) years the Company Systems (I) have not experienced any material failure, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transferbreakdown, or other processing ofadverse event, Personal Information(II) have been and are sufficient and adequate for the needs of the business of the Company and Company Subsidiaries as presently conducted and (III) are in sufficiently good working condition to effectively perform all information technology operations and include sufficient licensed capacity (whether in terms of authorized sites, units, users, seats or otherwise), in each case, as necessary for the conduct of the business as currently conducted. To the Knowledge of Company’s knowledge there are no material bugs, backdoors, Trojan Horses, worms, spyware, viruses, malware, malicious computer code or other similar programs or defects in the Company Systems that would reasonably be expected to cause material harm or unauthorized disruption, access or other breach to any Company System. Except as would not be material to the Company and its Subsidiaries, taken as a whole, to the Company’s knowledge, there for the past three (3) years, (1) the Company and Company Subsidiaries have not been no data security incidents subject to a cybersecurity breach, any loss, theft or data breaches misuse of, or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification Processing or destruction of, disclosure of Personal Information or other data in the possession or control of (collectively, “Security Event”), and (2) no circumstances have arisen that would require the Company or any service provider acting on behalf the Company Subsidiaries to notify a Governmental Authority or a Person of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company ContractSecurity Event.

Privacy and Data Security. (a) The Company and each of its Subsidiaries is currently and has at all times been in compliance with (i) HIPAA and all other applicable Privacy and Security Laws and Standards; and (ii) any obligations of the applicable terms of any Company or its Subsidiaries under Contracts governing privacy, data to which the Company or a Subsidiary is a party concerning the protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handlingaccess, use, maintenancestorage, disposal, disclosure, or transfer of Personal Information and any related notifications. Without limiting the foregoing, the Company and its Subsidiaries have entered into business associate agreements (“▇▇▇▇”) with each applicable third party to the extent required by HIPAA and have posted, in accordance with Privacy and Security Laws and Standards, a privacy policy governing the use of Personal Information on public-facing websites and internally for employees. (b) Except as set forth on Section 3.08(b) of the Company Disclosure Letter, the Company and each of its Subsidiaries has (i) developed, implemented, and conducted its business in compliance with any public privacy notices and data security or privacy policies and procedures (copies of which have been made available to Parent); (ii) maintained commercially reasonable administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of Personal Information in its possession or control, and to prevent the loss and unauthorized use, access, alteration, destruction, or disclosure of such Personal Information; and (iii) trained its employees to follow these policies and procedures. (c) Neither the Company nor any of its Subsidiaries have been subject to or received notice of any Order or Legal Action by any Person (including any Governmental Entity) or any complaints regarding the protection, collection, access, use, storage, disposal, disclosure, transfer, or other processing of, transfer of Personal Information (including or the violation of any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians applicable Privacy and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, Security Laws and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse EffectStandards. To the Knowledge of the CompanyCompany and its Subsidiaries, no such Legal Action is threatened against the Company or any of its Subsidiaries. (d) Neither the Company nor any of its Subsidiaries have suffered, discovered, or been notified of any unauthorized acquisition, use, disclosure, access to, or breach of any Personal information that (i) has implemented and maintains reasonable written policies and procedures that materially comply with constitutes a breach or a data security incident under any applicable Privacy and Security Laws and are designed Standards or that would trigger a notification or reporting requirement under any BAA or Contract to protect which the privacy and security Company or any of Personal Information (its Subsidiaries is a party, or the “Privacy Policies”) and PCI-DSS; or (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, materially compromises (individually or in the aggregate) the security or privacy of such Personal Information. (e) The Company has not created, a Company Material Adverse Effect. To the Knowledge of the Companyreceived, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policiesmaintained, or the applicable terms of any Company Contracts governing privacytransmitted protected health information (“PHI”) or electronic PHI (“ePHI), data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control as defined by HIPAA regulations at 45 C.F.R. 160.103. (f) Except as set forth on Section 3.08(f) of the Company or any service provider acting on behalf Disclosure Letter, the Company and each of its Subsidiaries has complied with all Contracts and all Privacy and Security Laws and Standards, including the CompanyHIPAA standards for de-identification set forth in 45 C.F.R. 164.514(b) and for data aggregation, as that term is defined in 45 C.F.R. 164.501, in each case, where as applicable. (g) Neither the Company nor any of its Subsidiaries have any Contract obligation to maintain Personal Information in a manner that physically separates data of one customer from that of another. (h) The Company and each of its Subsidiaries has (i) annually performed a security risk assessment, (ii) created and maintained documentation in accordance with applicable Laws, including Privacy and Security Laws and Standards, and (iii) addressed and remediated all threats and deficiencies identified in such incident, security risk assessment. (i) Neither the Company nor any of its Subsidiaries have reported a breach or event resulted in a notification obligation compromise of Personal Information to any Person under or Governmental Authority, either voluntarily or based on Contract obligations or Privacy and Security Laws and Standards. (j) The consummation of the Transaction does not violate any Privacy and Security Laws and Standards, Contract obligation related to Personal Information, or an applicable Law privacy policy or pursuant notice. Upon the Closing Date, the Surviving Corporation will own and continue to have the right to use all Personal Information on identical terms and conditions as the Company and its Subsidiaries enjoyed immediately prior to the terms of any Company ContractClosing Date.

Privacy and Data Security. (a) The Company has not and no third party that Processes Protected Data for or on behalf of the Company has, experienced any Security Breaches, and the Company has not received any notices or complaints from any Person regarding such a Security Breach. The Company has not, and no third party that Processes Protected Data for or on behalf of the Company has, received any notices, complaints, claims, demands, inquiries or other notices, including a notice of investigation, or any other notices from any Person (including any Governmental Entity or self-regulatory authority or entity) regarding the unauthorized Processing of Protected Data or non-compliance with applicable Privacy and Security Requirements. The Company maintains systems and procedures to receive and effectively respond to complaints and, to the extent required by applicable Privacy and Security Requirements, individual rights requests in connection with the Company’s Processing of Personal Information, and, to the extent required by applicable Privacy and Security Requirements, the Company has complied with all such individual rights requests. The Company does not engage in the sale, as defined by applicable Privacy and Security Requirements, of Personal Information. (b) The Company is and always has at all times been in material compliance with all applicable Privacy Laws and Security Requirements and has Processed Protected Data in material compliance with all Privacy and Security Requirements and with appropriate disclosures and consents as required to provide the applicable terms Protected Data to third parties in the course of any its business. The Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, has valid and legal rights to Process all Protected Data that is Processed by or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information on behalf of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the use and/or operation of the Company’s its products, services and business), except, in each case, for such noncompliance as has not had, and would the execution, delivery, or performance of this Agreement will not reasonably be expected to haveaffect these rights or violate any applicable Privacy and Security Requirements. The Company has implemented, individually and all third parties that receive Protected Data from or in the aggregate, a Company Material Adverse Effect. To the Knowledge on behalf of the CompanyCompany have implemented, the Company (i) has implemented reasonable physical, technical and maintains reasonable written policies and procedures administrative safeguards consistent with industry standards that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not hadProtected Data from unauthorized access by any Person, and would not reasonably be expected to have, individually or ensure compliance in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of all material respects with all applicable Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contractand Security Requirements.

Privacy and Data Security. The (a) Each of the Company is and has at all times its Subsidiaries have, since January 1, 2017 (i) been in compliance in all material respects with all applicable Privacy Laws and the applicable terms of any Company Contracts governing with their own respective published privacy policies and internal privacy policies relating to privacy, data protection, protection and data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, including with respect to, or to the collection, handlingstorage, transmission, transfer (including cross-border transfers), disclosure and use of Personal Data; and (ii) taken commercially reasonable measures to protect against loss, damage, and unauthorized access, use, maintenance, storage, disclosure, transfermodification, or other processing ofmisuse of Personal Data collected, Personal Information transmitted or stored by the Company or its Subsidiaries. Since January 1, 2017, no Person (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with Governmental Authority) has commenced any Legal Proceeding against the Company in connection or its Subsidiaries with respect to the operation Company’s alleged loss, damage, or unauthorized access, use, modification, or other misuse of any Personal Data collected, transmitted or stored by the Company or any of its Subsidiaries (or any of their respective employees or contractors), and to the knowledge of the Company, there is no reasonable basis for any such Legal Proceeding. (b) None of the Company or its Subsidiaries has experienced any material unauthorized access to, use or misuse of, or other breach of security with respect to (A) any Software or other Company Systems or any Personal Data or other Data or information stored or Processed thereon or thereby; (B) the Confidential Information in the Company’s business)or its Subsidiaries’ possession, exceptcustody or control; (C) the Company Data, in each case, collected, held or otherwise managed by the Company or any of its Subsidiaries; or (D) the Company Data, in each case, collected, transmitted or stored on behalf of the Company or any of its Subsidiaries. (c) Since January 1, 2017, the Company and its Subsidiaries have taken reasonable measures for such noncompliance as has not hadresponding, and have complied in all material respects with any obligations relating, to data subject requests for access, rectification, deletion, portability or objections to Processing of Personal Data or other rights under Privacy Laws. To the extent the Company or any of its Subsidiaries have entered into Contracts with any third parties who are Processing Personal Data on behalf of the Company or any of its Subsidiaries, such Contracts obligate any such third parties to comply with all Privacy Laws. To the knowledge of the Company, such third parties are in compliance with such Contracts and all Privacy Laws, except as would not reasonably be expected to havenot, individually or in the aggregate, be material to the Company and its Subsidiaries, taken as a Company Material Adverse Effect. To whole. (d) The execution, delivery and performance of this Agreement and the Knowledge consummation of the transactions contemplated hereby complies (and the disclosure to and use by the Surviving Corporation, the Surviving Entity, and Parent and its Affiliates of such information after the Effective Time will comply) with the Company’s and its Subsidiaries’ applicable privacy policies and in all material respects with all applicable Laws relating to privacy and data security. Since January 1, 2017, the Company (i) has implemented and maintains reasonable written policies each of its Subsidiaries have made all material disclosures to, and procedures that materially comply with obtained any necessary consents from, users, customers, employees, contractors and other applicable Privacy Persons required by applicable Laws and are designed related to protect the privacy and data security of Personal Information (the “Privacy Policies”) and (ii) has complied have filed any required registrations with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contractprotection authority.

Privacy and Data Security. (a) The Company is Group Companies are and has have at all times since the Look Back Date been in compliance in all material respects with all applicable Privacy Laws Data Security Requirements. To the extent required by Data Security Requirements, each of the Group Companies display a privacy policy on each website and mobile application owned, controlled or operated by the applicable terms Group Companies and such privacy policy complies in all material respects with the Data Security Requirements. (b) Since the Look-Back Date, none of the Group Companies has received any written notices from any Governmental Entity and, to the Company’s knowledge, no audit or investigation has been conducted by any Governmental Entity against any Group Company, in each case, alleging any violation of any Company Contracts governing privacy, data protection, data Data Security Requirements by any Group Company. (c) The Group Companies have implemented and at all times since the Look Back Date maintained commercially reasonable security, trans-border monitoring and detection measures and capabilities that comply with all applicable Data Security Requirements and that are consistent with standards prudent in the industry in which the Group Companies operate to protect the Personal Data and Company Systems against data flowsecurity incidents, personal data lossbreaches, data theftransomware incidents, or breach notificationany other instance of unauthorized access, unauthorized disclosure and unauthorized use of Company Systems or data localization(collectively, sending solicited “Security Incidents”). Since the Look Back Date, there have been no Security Incidents related to any Company Systems, Personal Data, or unsolicited electronic mail data in the custody or text messagescontrol of the Group Companies or, cookies to the knowledge of the Company, any service provider acting on behalf of any of the Group Companies, nor have any such Security Incidents occurred or other tracking technologybeen threatened in writing. Since the Look Back Date, there have not been any Actions related to Security Incidents, and there are no facts or circumstances which could reasonably serve as the basis for any such Actions. Each Group Company provides its employees with respect regular training on privacy and data security matters. (d) Since the Look Back Date, each Group Company has: (i) regularly conducted and regularly conducts vulnerability testing, risk assessments, and external audits of, and tracks Security Incidents related to, the Company Systems (collectively, “Information Security Reviews”); (ii) timely corrected any material exceptions or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal vulnerabilities identified in such Information Security Reviews; and (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians iii) timely installed software security patches and other health care professionalsfixes to identified technical information security vulnerabilities. (e) The Company Systems are adequate for, clinical trial investigators, researchers, pharmacists that interact and operate and perform in all material respects in accordance with the Company their documentation and functional specifications and otherwise as required in connection with the operation of the Company’s business)business of the Group Companies as previously conducted and as currently conducted. The Company Systems have not malfunctioned or failed at any time since the Look Back Date in a manner that resulted in significant or chronic disruptions to the operation of the business of the Group Companies. The Company Systems do not contain any computer code designed to disrupt, except, disable or harm in each case, for such noncompliance any manner the operation of any software or hardware. Except as has not had, and would not reasonably be expected material to havethe Group Companies, individually or in the aggregatetaken as a whole, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control none of the Company Systems contains any unauthorized feature (including any worm, bomb, backdoor, clock, timer or other disabling device, code, design or routine) that causes the software or any service provider acting portion thereof to be erased, inoperable or otherwise incapable of being used, either automatically, with the passage of time, or upon command by any Person. The Group Companies’ have implemented commercially reasonable backup, security and disaster recovery technology consistent with industry practices. (f) Except as would not be material to the Group Companies, taken as a whole, in connection with each third-party servicing, outsourcing, processing, or otherwise using Personal Data collected, held, or processed by or on behalf of the each Group Company, each such Group Company has in each caseaccordance with applicable Data Security Requirements entered into valid, where binding, and enforceable written data processing agreements with any such incident, breach or event resulted third party in a notification obligation to any Person under applicable Law or pursuant to accordance with the terms Data Security Requirements. (g) The consummation of any of the transactions contemplated hereby or thereby, will not violate in any material respect any applicable Data Security Requirements. (h) Since the Look-Back Date, no Group Company Contracthas transferred, directed and/or authorized the transfer of any Personal Data across any national borders except in compliance with all applicable Data Security Requirements.

Privacy and Data Security. The (a) Each of Intermediate Parent and Company is complies, and has at all times been in compliance has complied, with all Privacy Requirements applicable to the Business. Intermediate Parent and Company have implemented, documented and maintained reasonable and appropriate measures consistent with good industry practice designed to ensure that the Business complies with all Privacy Laws and the applicable terms of Requirements. No disclosure made or contained in any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theftBusiness Privacy Policy is, or breach notificationat any time has been, data localizationmaterially inaccurate, sending solicited misleading or unsolicited electronic mail deceptive in a manner that has violated Privacy Requirements (including by containing any material omission). (b) Company has sufficient rights and authority under Privacy Requirements to permit the use and other Processing of Business Data by or text messagesfor Company, cookies including that Company has obtained all applicable consents from any Persons (including natural persons to whom Personal Data relates). (c) Neither Intermediate Parent nor Company, nor, to Company’s Knowledge, any of its service providers in connection with their Processing of Business Data or other tracking technologyprovision of services, with respect has been subject to, or received any notice of or audit request relating to, any Legal Proceeding relating to the collectionProcessing of Business Data, handlingthe security of Systems, use, maintenance, storage, disclosure, transferany actual or alleged non-compliance with any Privacy Requirement, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers Security Incident. No Person has alleged in writing that either Intermediate Parent or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact Company has failed to comply with the Company any Privacy Requirement in connection with the operation of the Business. (d) None of the execution, delivery or performance of this Agreement or any of the Transaction Documents, the consummation of any of the transactions contemplated by this Agreement or Company’s businessprovision to Purchaser (or any of its designated Affiliates), exceptor Purchaser’s (or any of its designated Affiliates’) possession, transfer to or from any jurisdiction in each casethe world or Processing of, for such noncompliance as has not hadBusiness Data will or would reasonably be expected to result in any material violation of any Privacy Requirement. Purchaser’s (or its designated Affiliate’s) Processing of Business Data in the operation of the Business will not, and would not reasonably be expected to haveto, individually result in any violation of any Privacy Requirement, so long as Purchaser (or such designated Affiliate(s)) Processes such Business Data in a manner substantially consistent with any Processing carried out by the aggregate, a Company Material Adverse Effect. To the Knowledge Business as of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company ContractClosing Date.

Privacy and Data Security. (i) The Collection and Use and dissemination by the Company of any Personal Data is in compliance in all respects with the Company’s privacy policies and terms of use, industry standards, all applicable Information Privacy and Security Laws, all Personal Data Obligations, and all Contracts to which the Company is bound. No Personal Data is stored or otherwise maintained outside the United States by the Company or any third party. The Company has not engaged in cross-border processing of Personal Data. True and complete copies of all privacy policies that have been used by the Company since the Reference Date have been provided to Buyer. The Company has consistently posted a privacy policy in a clear and conspicuous location on all websites and any mobile applications owned or operated by the Company. (ii) The Company does not Collect or Use Personal Data from any Person in any manner other than as described in the Contracts and privacy policies delivered to Buyer. (iii) The Company maintains policies and procedures regarding data security and privacy and maintains administrative, technical and physical safeguards that are commercially reasonable and, in any event, in compliance with industry standards, all applicable Information and Privacy and Security Laws and all Contracts to which the Company is bound. True and complete copies of all such policies and procedures have been provided to Buyer. The Company has complied at all times been in compliance all respects with all applicable Privacy Laws and the applicable terms of any all Contracts to which the Company Contracts governing is a party relating to data privacy, data protection, data security, trans-border data flow, data loss, data theft, security or breach notification, data localization, sending solicited notification (including provisions that impose conditions or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or restrictions on the collection, handlinguse, usedisclosure, transmission, destruction, maintenance, storage, or safeguarding of Personal Data). (iv) At any time since the Reference Date, there have been no security breaches relating to, or violations of any security policy or Information Privacy and Security Law regarding, or any unauthorized access, disclosure, transferor use of, any data or information used by the Company, including Personal Data. No notice has been provided to the Company by a third party vendor or any other person of any security breach relating to Personal Data. The Company has not experienced a loss or unauthorized disclosure, use, or other processing of, breach of privacy or security of any Personal Information Data in the custody or control of the Company that would have required notice to any third Person (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers Governmental Entity or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of parties to any Contract) under any applicable Law. No Person (including any Governmental Authority) has commenced any Action relating to the Company’s business)information privacy or data security practices, except, in each case, for such noncompliance as has not had, and would not reasonably be expected or to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, threatened any such Action or made any complaint, investigation, or inquiry relating to such practices. (v) The Company does not (x) have or solicit any customers in the European Economic Area, or (y) except as set forth in Section 4.15(g)(v) of the Disclosure Schedule, process, transmit, or store any Personal Data of any Persons located in the European Economic Area. (vi) The Company has taken all required steps to limit access to Personal Data to: (x) those Company personnel and third-party vendors providing services to or on behalf of the Company who have a need to know such Personal Data in the execution of their duties to the Company; and (iy) has implemented and maintains reasonable written such other Persons permitted to access such Personal Data in accordance with the privacy policies and procedures terms of use, industry standards, all applicable Information Privacy and Security Laws and all Contracts to which the Company is bound. (vii) The Company maintains a written technical information security program that materially comply contains administrative, technical and physical safeguards (including encryption) compliant in all respects with industry standards and applicable Information Privacy and Security Laws (the “Security Program”). The Security Program is designed to: (v) protect the integrity and confidentiality of Personal Data; (w) protect against reasonably anticipated threats or hazards to the security of Personal Data; (x) protect against the unauthorized access, disclosure or use of Personal Data; (y) address computer and network security; and (z) provide for the secure destruction and disposal of Personal Data. The Security Program has been updated as required by all applicable Information Privacy and Security Laws. All third-party vendors or persons with access to Personal Data have entered into contracts or written agreements with the Company requiring that such vendors or persons maintain a substantially similar security program. (viii) The Company controls the access to its computer and information technology networks through the utilization of industry-standard or better security measures that are designed to prevent unauthorized access to such networks. All of the Company’s security measures are designed to be consistent with or exceed industry standards and the requirements of applicable Laws and are designed to protect (x) prevent the privacy and security unauthorized disclosure of confidential information (including Personal Information (the “Privacy Policies”Data) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against (y) prevent access without express authorization (and immediately terminate such unauthorized access) to the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control networks and information system of the Company or any service provider acting on behalf and (z) facilitate the Company’s identification of the Company, in each case, where person making or attempting to make such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contractunauthorized access.

Privacy and Data Security. Schedule 3.1(32) identifies and describes each distinct electronic or other database containing (in whole or in part) Personal Information and Customer Data maintained by or for Corporation at any time, the types of Personal Information and Customer Data in each such database, the means by which the Personal Information and Customer Data was collected, and the security policies that have been adopted and maintained with respect to each such database. The Company is Corporation has established privacy policies which are in conformance with reputable industry practice and has at all Applicable Laws. At all times since inception, the Corporation has provided accurate notice of its privacy practices on all of its websites (and through client-side and web interface products) and these notices have not contained any material omissions of the Corporation’s privacy practices and have not been misleading, deceptive, or in violation of Applicable Laws. The Corporation has complied with and is in compliance with all applicable Privacy Laws Applicable Laws, all rules, policies, and the applicable terms requirements of self-regulatory organizations, and its internal and external privacy policies, and with any Company Contracts governing privacycontractual obligations and consumer-facing statements on its Web site and in any marketing or promotional materials relating to its use, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenanceretention, storage, disclosure, transfer, or disposal, and other processing ofof any Personal Information and Customer Data, and the execution, delivery and performance of this Agreement will not result in a breach or violation of any of the foregoing. The Corporation has obtained all consents necessary from providers of Customer Data and Personal Information (including a) to collect and use such Customer Data and Personal Information in the conduct of the Corporation’s business as currently conducted and as proposed by Corporation to be conducted and (b) to transfer such Customer Data and Personal Information to Purchaser. The Corporation has not received, and there has been no, complaint to any such information Governmental Authority, or any audit, proceeding, investigation (formal or informal), or claim against, the Corporation or any of individualsits customers (in the case of customers, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with to the extent relating to the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (iProducts) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Lawsprivate party or any Governmental Authority, Privacy Policies, or regarding the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosureretention, modification storage, transfer, disposal, disclosure or destruction of, other processing of Personal Information or Customer Data. (p) Social Media Presence. Schedule 3.1(32) identifies and describes each distinct social media presence maintained by or for the Corporation at any time, and the passwords and other data in the possession or control of the Company or any service provider acting on behalf of the Company, in account management information with respect to each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contractsocial media presence.

Privacy and Data Security. (a) The Group Companies are, and have been, in compliance with, not in violation of, and have not received any notices of violation with respect to all Data Protection Laws, regarding the collection, storage, processing, use and transfer of Personal Information and in material compliance with all Contracts, the Group Companies’ privacy policies, and contractual obligations or representations with respect to Personal Information (collectively, “Company Privacy Obligations”). The Group Companies have made and completed any and all necessary filings, disclosures and registrations under all applicable Data Protection Laws with any relevant Governmental Entity, to the extent applicable, and all such filings, disclosures and registrations are current and up-to-date. (b) The Group Companies have established and implemented commercially reasonable administrative, technical and physical safeguards to protect the confidentiality, integrity and security of Personal Information in its possession, custody or control against unauthorized access, use, disclosure or other misuse. Except as otherwise would not be material to the Group Companies or its operations, the Group Companies have not experienced any loss, damage, or unauthorized access, disclosure, use or breach of security of any Personal Information in their possession, custody or control. (c) The Group Companies have a privacy policy regarding the collection, storage, use and disclosure of Personal Information in connection with their operations, and the Group Companies have been in compliance with such privacy policy in all material respects. The Group Companies have posted a privacy policy in a clear and conspicuous location on all websites and any mobile applications owned or operated by the Group Companies. The Group Companies are and have been in compliance in all material respects with the terms of all Contracts to which any Group Company is a party relating to privacy, security or breach notification of Personal Information. (d) All sales and has at all times marketing activities by the Group Companies are and have been in compliance with all applicable Privacy Laws in all material respects, including those requiring the Group Companies to obtain Consent from potential customers to receive such sales and marketing materials. The Group Companies have complied with all applicable requirements to register databases with the appropriate Governmental Entity in accordance with applicable terms Data Protection Laws. The consummation of the transactions contemplated by this Agreement will not violate any Company Contracts governing privacyPrivacy Obligation, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect nor require the Group Companies to provide any notice to, or the collectionseek any Consent from, handlingany employee, usecustomer, maintenancesupplier, storage, disclosure, transfer, service provider or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of third-party under any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contractprivacy policy.

Privacy and Data Security. The Company Acquired Companies’ Processing of any Sensitive Data is and has at all times been in compliance with all applicable Privacy Laws and the applicable privacy policies, terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenanceLegal Requirements, storageand Contracts applicable to any Acquired Company or to or by which any Acquired Company is bound. The Acquired Companies maintain policies and procedures regarding data security and privacy and maintain administrative, disclosuretechnical, transferand physical safeguards that are commercially reasonable and, in any event, in compliance with all applicable Legal Requirements and Contracts applicable to any Acquired Company or other processing of, Personal Information (including to or by which any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Acquired Company in connection with the operation of is bound. To the Company’s business)Knowledge, exceptthere has been no (a) Security Breaches, (b) unauthorized access or unauthorized use of any of the Company Technology, or (c) any unauthorized access or acquisition of any Personal Data or confidential business information used by the Acquired Companies or maintained by a third party service provider on behalf of the Acquired Companies; and no Person has given notice to any of the Acquired Companies of any such breach or violation. The Acquired Companies have not notified in each casewriting, for such noncompliance as has not hador been required by applicable Legal Requirements, Governmental Authorities or other Privacy Obligation to notify in writing, any Person of any Security Breach. The Acquired Companies have implemented and maintain an information security program that is comprised of reasonable and appropriate organizational, physical, administrative, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are technical safeguards designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flowconfidentiality, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control integrity and availability of the Company or any service provider acting on behalf of Technology and all Sensitive Data the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under Acquired Companies Process that are consistent with all Legal Requirements and Contracts applicable Law or pursuant to the terms of any Company ContractAcquired Companies.

Privacy and Data Security. The Company is and has at all times been in compliance with all applicable Privacy Laws and (a) Except as set forth on Section 6.26(a) of the applicable terms of any Company Contracts governing privacyDisclosure Memorandum, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not hadand its Subsidiaries, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company its and their vendors, processors or third parties that process Personal Information, (i) has implemented are taking and maintains have, since the Compliance Date, taken commercially reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed measures to protect the privacy and security of the Personal Information (of each student or other natural person collected by the “Privacy Policies”) Company and its Subsidiaries or on its or their behalf and to maintain in confidence such Personal Information, and (ii) has complied with such Privacy Policies, except for such noncompliance as has not hadare, and would not reasonably be expected since January 1, 2016, have been, in material compliance with its or their applicable Privacy Laws and Requirements. (b) No Claim is pending, or to havethe Knowledge of the Company, individually has, since the Compliance Date, been threatened in writing against the Company or in any of its Subsidiaries by any individual, third party or any Governmental Entity with respect to Personal Information collected, used, processed or shared by the aggregateCompany or any of its Subsidiaries, a or held or processed by any vendor, processor, or other third party for or on behalf the Company Material Adverse Effector its Subsidiaries, alleging any violation of Privacy Laws and Requirements. To Since the Compliance Date, there has been no loss or other misuse by the Company or any of its Subsidiaries, or to the Knowledge of the Company, by any vendor, processor, or third party for or on behalf of the Company or any of its Subsidiaries of such Personal Information, and, to the Knowledge of the Company, no Legal Proceeding third party has been asserted had unauthorized access to or threatened against misused the Personal Information collected by the Company or any of its Subsidiaries, or collected by any Person alleging a violation of Privacy Lawsvendor, Privacy Policiesprocessor, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, third party for or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control on behalf of the Company or any service provider acting of its Subsidiaries. (c) The execution, delivery and performance of this Agreement and the consummation of the transactions contemplated hereby, do not and will not: (i) conflict with or result in a material violation or breach of any applicable Privacy Laws and Requirements, including applicable published privacy policies or internal privacy policies or guidelines (as currently existing or as existing at the time during which any Personal Information was collected or processed by, for, or on behalf of the Company, in each case, where such incident, breach Company or event resulted in a notification obligation any of its Subsidiaries); or (ii) require the consent of or notice to any Person under applicable Law or pursuant concerning such Person’s Personal Information. (d) Since the Compliance Date, to the terms extent required by applicable Privacy Laws and Requirements, the Company and its Subsidiaries have posted to each of their websites and mobile applications and provided or otherwise made available in connection with any Company products or services a Company privacy policy. No disclosure or representation made or contained in any Company privacy policy has been materially inaccurate, misleading, deceptive, or in material violation of any Company Contractapplicable Privacy Laws and Requirements.

Privacy and Data Security. The Except as set forth on Schedule 4.16 of the Company is and Disclosure Letter: (a) Each of the Group Companies and, to the Knowledge of the Group Companies, any Processor, to the extent such Processor was Processing Personal Information on behalf of any Group Company, has at all times been in compliance with materially complied with: (i) all applicable Privacy Laws Laws; (ii) all of the Group Companies’ obligations regarding Personal Information and information security under any Contracts; and (iii) any mandatory industry standards and guidelines related to privacy, information security or data security. None of the applicable terms Group Companies has received any written notice of, nor, to the Knowledge of the Group Companies, has there been any threat of, any investigation, audit, complaint or claim relating to any (A) Group Company’s use of Personal Information, (B) violation of any Privacy Laws, (C) Personal Information Breaches, or (D) Group Company’s Contractual obligations relating to Personal Information or information security; and none of the Group Companies has reason to believe that any such notice is likely to be received. (b) Each of the Group Companies has implemented and maintained, and required that its third party vendors and Processors implement and maintain, commercially reasonable policies and business continuity and technical and organizational security designed to protect the confidentiality, integrity and availability of the Company Contracts governing privacyIT Systems and Personal Information, data protectionbusiness proprietary or sensitive information, data securityin its possession, trans-border data flowcustody, data or control, including against loss, data theft, misuse or breach notificationunauthorized Processing, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handlingaccess, use, maintenance, storage, modification or disclosure, transfer, or other processing of, Personal Information . (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. c) To the Knowledge of the CompanyGroup Companies, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data breaches, security incidents incidents, misuse of, or data breaches or other adverse events or incidents that have resulted in any unauthorized Processing of, access to, or collectiondisclosure of, useany Personal Information (each a “Personal Information Breach”) in the possession, disclosurecustody, modification or destruction ofcontrol of any of the Group Companies, (ii) none of the Group Companies have experienced any information security incident that has materially compromised the integrity or availability of the Company IT Systems, Personal Information or other data in the possession or control thereon, and (iii) none of the Company Group Companies have provided or been legally required to provide any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation notices to any Person under applicable Law in connection with any Personal Information Breach or pursuant to the terms of any Company Contractother information security incident.

Privacy and Data Security. (a) The Company’s data, privacy and security practices comply in all material respects, and during the past five (5) years have complied in all material respects, with applicable Data Protection and Security Requirements. The Company is has provided all notices and has at obtained all times been in compliance with consents required by Data Protection and Security Requirements and satisfied all applicable Privacy Laws other requirements of Data Protection and Security Requirements for their Processing of Personal Data and that are necessary for the applicable terms conduct of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians business as currently conducted and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation consummation of the Company’s business)transaction contemplated hereunder. Without limitation, except, in each case, for such noncompliance the transactions to be consummated hereunder as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Closing Date will comply with all applicable Data Protection and Security Requirements. (b) The Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws appropriate organizational, physical, administrative and are technical measures designed to protect the privacy operation, confidentiality, integrity and security of Personal Information all of the Company’s confidential and other data and information, in any format, generated or used in the conduct of the business (the “Privacy PoliciesBusiness Data”) and the IT Assets, against unauthorized access, acquisition, interruption, alteration, modification or use. Without limiting the generality of the foregoing, the Company has implemented policies and procedures (i) designed to identify internal and external risks to the security of the Business Data or IT Assets and (ii) has complied with such Privacy Policiesimplemented, except for such noncompliance as reasonable and appropriate safeguards designed to control those risks. The Company has not hadexperienced (nor have any third parties acting on the Company’s behalf) any actual or alleged Security Incident, including, without limitation, any “breach” (as defined in 45 C.F.R. Part 164, Subpart D) of unsecured Protected Health Information or of EU Personal Data. The Company has not (nor have any third parties acting on the Company’s behalf) notified, and would the Company has not reasonably be expected to haveexperienced any event resulting in any requirement that the Company notify, individually any Person or Data Protection Authority of any Security Incident that has resulted in the aggregateloss or unauthorized access, use or disclosure of Personal Data, including any loss or unauthorized access, use or disclosure, of EU Personal Data for which notification is required under the GDPR or of Protected Health Information that would constitute a Company Material Adverse Effect. To breach for which notification to individuals, the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policiesmedia, or the applicable terms United States Department of Health and Human Services (“HHS”) is required under 45 C.F.R. Part 164, Subpart D. (c) In addition, to the Company’s Knowledge, the Company does not have any Company Contracts governing privacy, data protection, data security, trans-border data flowinformation security or other technological vulnerabilities that are materially more significant in number or potential for material impact on Company business operations than are typically present in information technology assets of businesses of similar size in Company’s industry. (d) The Company has obligated all third party service providers, data lossoutsourcers, data theftand processors of confidential information on their behalf and all third parties managing IT Assets on their behalf to appropriate contractual terms relating to the Processing of Business Data (as applicable and as required by Data Protection and Security Requirements) and information security and have taken reasonable measures to ensure that such third parties have complied with their contractual obligations. Without limiting the generality of the foregoing, the Company has entered into business associate agreements with vendors and customers in all situations where required by 45 C.F.R. §§ 164.502(e) and 164.504(e) or Article 28 of the GDPR. The Company has taken reasonable measures to ensure that all third parties acting on its behalf have complied with their contractual obligations. (e) The Company has not received any notice of any claims, investigations (including investigations by any Governmental Authorities, including the HHS Office for Civil Rights and any other Data Protection Authority), for alleged violations of Data Protection and Security Requirements with respect to Personal Data Processed by, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or under the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing control of, Personal Information. To the Knowledge of Company, and, to the Company’s Knowledge, there have been are no data security incidents facts or data breaches circumstances that are likely to form the basis for any such claims, investigations or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contractallegations.

Privacy and Data Security. The Each Group Company is and that maintains a web site has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or posted on its web site a privacy policy regarding the collection, handlinguse and disclosure of Personal Information that it collects, is in its possession, or in its custody or control. Each Group Company has complied in all material respects with all Information Privacy and Security Laws and material agreements to which it is a party that contain, involve or deal with receipt, collection, compilation, use, maintenancestorage, storageprocessing, sharing, safeguarding, security (technical, physical and administrative), disposal, destruction, disclosure, transferor transfer (including cross-border) Personal Information. No Group Company has been notified in writing of any Action or any other claim related to data security or privacy or alleging a violation of any of its privacy policies, or other processing ofany Information Privacy and Security Law, Personal Information (including any such information of individualsnor, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, has any such claim been threatened in writing. Each Group Company has taken commercially reasonable administrative, physical and technical measures designed to protect and maintain the confidentiality, security, integrity and accessibility (as applicable) of: (a) Systems and all data contained therein (including Company Data and Data Sets and other data subject to confidentiality obligations), (ib) all Personal Information and other Sensitive Data collected by or on behalf of the Group Companies in connection with their business, including in each case, in accordance with all Information Privacy and Security Laws and Group Company’s published policies. Each Group Company has implemented and maintains taken commercially reasonable written policies and procedures steps to ensure that all material third party service providers, outsourcers, contractors, or other persons who access, process, store or otherwise handle Personal Information for or on behalf of a Group Company have agreed in writing to materially comply with applicable Information Privacy and Security Laws and are designed taken reasonable steps to protect the privacy and security of secure Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data from loss, data theft, misuse or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handlingunauthorized access, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contractdisclosure.

Privacy and Data Security. (a) The Company has: (i) complied in all material respects with its published privacy policies and internal privacy policies and guidelines (true, correct and complete copies of which have been made available to Buyer), Contracts to which it is party or otherwise bound, and has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing relating to data privacy, data protection, protection and data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, including with respect to, or to the collection, handlingstorage, usetransmission, maintenance, storagetransfer (including cross-border transfers), disclosure, transfer, or other processing of, Personal Information (including any such information destruction and use of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) Personally Identifiable Information; and (ii) has complied with such Privacy Policiestaken commercially reasonable measures to ensure that Personally Identifiable Information and is protected against loss, except for such noncompliance as has not haddamage, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handlingunauthorized access, use, maintenance, storage, disclosure, transfermodification, or other processing ofmisuse, Personal Informationincluding any Personally Identifiable Information created, received, maintained or transmitted on behalf of Company customers. To the Knowledge of the Company, there have There has been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access toloss, damage, or collectionunauthorized access, use, disclosure, modification modification, or destruction of, Personal other misuse of any Personally Identifiable Information or other data in the possession information owned, held or control controlled by Company (collectively, “Information”). No Person has provided any written notice, made any written claim, or commenced any Action with respect to loss, damage, or unauthorized access, use, modification, or other misuse of any such Information by the Company or any service provider acting on behalf of its respective employees or contractors and, there is no reasonable basis for any such notice, claim or Action. Neither the execution of the CompanyTransaction Documents nor the consummation of the Transactions, in each casewith or without notice or lapse of time, where such incidentviolate any privacy policy, breach Contract or event resulted in a notification obligation to any Person under applicable Law or pursuant Laws relating to the terms Information. (b) To the extent that the Company receives, processes, transmits or stores any financial account numbers (such as credit cards, bank accounts, PayPal accounts, debit cards), passwords, CCV data, cardholder data (including as such term is defined in the Payment Card Industry Data Security Standards (“PCI DSS”), as amended from time to time), or other related data (“Cardholder Data”), the Company’s information security procedures, processes and Systems have at all times met or exceeded all applicable Laws, and contractual obligations related to the collection, storage, processing and transmission of Cardholder Data, and all requirements established by applicable governmental regulatory agencies, payment brands, and the Payment Card Industry Standards Council (including the Payment Card Industry Data Security Standard). There has never been a material security breach involving any such Cardholder Data. No material breach, deficiency or non-compliance was identified in the most recent audit (if any) of the Company Contractrelating to its compliance with PCI DSS. For all periods when the Company received, processed, transmitted or stored any Cardholder Data, the Company has implemented and complied with procedures for the regular audit of its Systems related with PCI DSS.

Privacy and Data Security. The Company is and has at all times been in compliance with all applicable Privacy Laws and the applicable terms (a) Each Group Company, including such Group Company’s Processing of any Company Contracts governing privacyPersonal Information, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation Transactions, complies, and since January 1, 2015, has complied, in all material respects with (i) Applicable Privacy and Security Laws; and (ii) privacy and information security obligations to which it is subject under Contract or privacy policies, applicable terms of use, or any other disclosures or statements posted to websites, applications, facilities, or other media maintained or published by the Company’s businessCompany (collectively, “Privacy Policies”). Upon Closing, excepteach Group Company will own and/or continue to have the right to disclose and use all Personal Information that it (A) owned immediately prior to Closing and/or (B) used prior to Closing and had access to as of Closing, in each casecase on substantially identical terms and conditions as such Group Company enjoyed prior to Closing. (b) No Group Company has received any written notice or any other communication from any Governmental Authority or other party (i) alleging any non-compliance with Applicable Privacy and Security Laws or (ii) notifying such Group Company that a Group Company is under investigation for a violation of any of the Applicable Privacy and Security Laws or otherwise relating to any Group Company’s use of Personal Information. There are no circumstances as of the date hereof that may reasonably give rise to any such notices or communications. (c) All material information technology or computer systems that are used in or necessary for the conduct of the business of any of the Group Companies, for such noncompliance as has not hadincluding Software, firmware, hardware, equipment, databases, networks, interfaces, process automation, telecommunications systems and infrastructure, and would related systems (collectively, the “Business Systems”) perform sufficiently for the needs of the Group Companies’ businesses as currently conducted. There have been no material parts of the Business Systems prone to material malfunction or error for which the Group Companies have not reasonably be expected addressed and remediated any such malfunction or error according to havestandard industry practices. The Group Companies have safeguarded their Business Systems and Company Data with commercially reasonable information security controls, individually including at a minimum any controls required by Contracts, Privacy Policies, or in Applicable Privacy and Security Laws. The Group Companies maintain and comply with commercially reasonable security, disaster recovery, and business continuity plans and procedures and have taken commercially reasonable measures to protect the aggregatesecurity and integrity of the Business Systems, a Company Material Adverse Effect. To Software, Company Data, other data stored or contained therein or transmitted thereby, and, to the extent required by any applicable Contract or Applicable Privacy and Security Laws, Customer Data. (d) Except as set forth on Section 3.22(d) of the Company Disclosure Schedule, to the Knowledge of the Company, the since August 1, 2016, no Group Company has suffered any Information Security Incident that (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed involved the unauthorized access to protect the privacy and security of Personal Information (the “Privacy Policies”) and Business Systems or Company Data; or (ii) has complied with would require under Applicable Privacy and Security Laws that such Privacy PoliciesGroup Company notify any Governmental Authority or individuals or whose information was compromised in such Information Security Incident. (e) In the shorter of (i) each of the past five (5) years or (ii) since the Company’s acquisition of the applicable Group Company, except for such noncompliance as has not hadeach Group Company has, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding performed a security risk assessment and has been asserted either addressed and remediated all material threats and deficiencies or threatened against the Company by any Person alleging has a violation plan for remediation of Privacy Lawsall material threats and deficiencies identified in those security risk assessments. The Group Companies have documented, Privacy Policiesinvestigated, or the applicable terms of any Company Contracts governing privacycontained, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal and remediated each identified Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation Security Incident related to any Person under applicable Law Business Systems or pursuant to the terms of any Company ContractData.

Privacy and Data Security. The (i) All non-public personally identifiable information relating to a natural or legal Person, the privacy of whom is protected under Legal Requirements (“Personal Data”), if any, that the Company is and or a Subsidiary has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theftshared, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company will share in connection with the operation Transactions, with Buyer, has been collected, maintained, and used at all times by the Company and the Subsidiaries in compliance, in all material respects, with all applicable Legal Requirements, Contracts of the Company’s business), except, in each case, for such noncompliance as has not hadCompany and the Subsidiaries, and would not reasonably be expected policies and practices relating to havePersonal Data that the Company and the Subsidiaries have communicated to Persons about whom the Personal Data relates. (ii) The Company and each of the Subsidiaries, individually or in the aggregateand, a Company Material Adverse Effect. To to the Knowledge of the CompanySellers, all vendors, processors, or other third parties acting for or on behalf of the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply or the Subsidiaries in connection with applicable Privacy Laws and are designed to protect the privacy and security Processing of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there that otherwise have been no data security incidents or data breaches or other adverse events or incidents that authorized to have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, to Personal Information or other data in the possession or control of the Company or any service provider acting of the Subsidiaries, comply and at all times have complied, in all material respects, with all of the following: (A) Privacy Laws; (B) rules of self-regulatory organizations, including the Payment Card Industry Data Security Standard; (C) the Company Privacy and Data Security Policies; and (D) any contractual requirements or terms of use concerning the Processing of Personal Information to which the Company or any of the Subsidiaries is a party or otherwise bound as of the date hereof (“Privacy Agreements”). (iii) The execution, delivery, and performance of this Agreement and the consummation of the Transactions do not and will not: (A) conflict with or result in a material violation or material breach of any Privacy Laws, Company Privacy and Data Security Policies (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company or any of the Subsidiaries, or Privacy Agreements); or (B) require the consent of or notice to any Person concerning such Person’s Personal Information. (iv) At all times, the Company and the Subsidiaries have (A) made all disclosures to users or customers about its activities involving Processing Personal Information as required by applicable Legal Requirements, and none of such disclosures made or contained in any Company Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy Laws (including by containing any material omission); and (B) obtained all necessary consents required under applicable Legal Requirements to Process Personal Information, except in each case where the failure to make such disclosures or obtain such consents would not have a Material Adverse Effect. To the Knowledge of Sellers, all vendors, processors, and other third parties Processing Personal Information for or on behalf of the CompanyCompany or any of the Subsidiaries are, and have been, in each casecompliance, where such incidentin all material respects, with the Company Privacy and Data Security Policies. The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies. (v) (A) no Personal Information in the possession or control of the Company or any of the Subsidiaries, or to the Knowledge of Sellers, held, Processed, or managed by any vendor, processor, or other third party for or on behalf of the Company or any of the Subsidiaries, has been subject to any data breach or event other security incident that has resulted in or presents a notification obligation risk of unauthorized access, disclosure, use, denial of use, alteration, corruption, destruction, compromise, or loss of Personal Information or that has caused or would reasonably be expected to cause a disruption to the conduct of the Company’s and the Subsidiaries’ business (a “Security Incident”), and (B) the Company and the Subsidiaries have not notified and there have been no facts or circumstances that would require the Company or the Subsidiaries to notify, any Governmental Entity or other Person of any Security Incident. (vi) The Company and the Subsidiaries have not received any notice, request, claim, complaint, correspondence, or other communication in writing from any Governmental Entity or other Person, and there has not been any audit, investigation, enforcement action (including any fines or other sanctions), or other Action, (A) relating to any Person under applicable Law actual, alleged, or pursuant suspected Security Incident or violation of any Privacy Law, Privacy Agreement, Company Privacy and Data Security Policy, or any Person’s individual privacy rights involving Personal Information in the possession or control of the Company or any of the Subsidiaries, or held or Processed by any vendor, processor, or other third party for or on behalf of the Company or any of the Subsidiaries; (B) requiring or requesting the Company or any of the Subsidiaries to amend, rectify, cease processing, de-combine, permanently anonymize, block, or delete any Personal Information, or to decommission or materially alter the exploitation or operation of the Company’s or any Subsidiaries’ operations, in whole or in part; (C) prohibiting or threatening to prohibit the transfer of Personal Information to any place; or (D) permitting or mandating any Governmental Entity to investigate, requisition information from, or enter the premises of, the Company or any of the Subsidiaries, and there are no facts or circumstances that would reasonably be expected to give rise to any of the foregoing. (vii) The Company and each of the Subsidiaries have at all times implemented and maintained reasonable security measures, plans, procedures, controls, and programs, including written information security programs, to (A) identify and address internal and external risks to the terms privacy and security of Personal Information in their possession or control; (B) implement, monitor, and improve adequate and effective administrative, technical, and physical safeguards to protect such Personal Information and the operation, integrity, and security of its Software, systems, applications, and websites involved in the Processing of Personal Information; and (C) provide notification in compliance with applicable Privacy Laws in the case of any Company ContractSecurity Incident.

Privacy and Data Security. (a) The Company is and, to the Company’s Knowledge, any Person acting for or on the Company’s behalf is, and for the past three years has at all times been been, in compliance with all Privacy Requirements. The Company has implemented and maintained adequate policies, procedures and systems for receiving and appropriately responding to requests from individuals concerning their Personal Information to the extent required under applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation Requirements. None of the Company’s business), except, in each case, for such noncompliance as privacy policies or notices have contained any material omissions or been materially misleading or deceptive. The Company has not hadreceived any written notice (including written from third parties acting on its behalf) of any claims, and would not reasonably be expected charges, investigations, or regulatory inquiries related to have, individually or in alleging the aggregate, a Company Material Adverse Effectviolation of any Privacy Requirements. To the Knowledge Company’s Knowledge, there are no facts or circumstances that could reasonably form the basis of the Companyany such claim, the charge, investigation, or regulatory inquiry. (b) The Company has (i) has implemented and maintains maintained commercially reasonable written policies and procedures that materially appropriate technical and organizational safeguards to reasonably protect all Personal Information and other confidential data in its possession or under its control against loss, theft, misuse or unauthorized access, use, modification, alteration, destruction or disclosure and (ii) obtained contractual commitments to the extent required by applicable Privacy Laws or as otherwise appropriate from all third-party service providers, outsourcers, processors or other third parties who process, store or otherwise handle any Personal Information for or on behalf of the Company have agreed to comply with applicable Privacy Laws and are designed taken reasonable steps to protect maintain the privacy and security confidentiality of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policiesto protect and secure Personal Information from loss, except for such noncompliance as has not hadtheft, and would not reasonably be expected to havemisuse or unauthorized access, individually use, modification, alteration, destruction or in the aggregate, a Company Material Adverse Effectdisclosure. To the Knowledge of the Company’s Knowledge, no Legal Proceeding any third party who has been asserted or threatened against provided any Personal Information to any the Company by any Person alleging a violation of has done so in compliance with applicable Privacy Laws, Privacy Policies, or the applicable terms of including providing any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge notice and obtaining any consent required. (c) Except as set forth on Section 5.15(c) of the CompanyCompany Disclosure Letter, there have been no data material breaches, security incidents incidents, misuse of or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, to or collection, use, disclosure, modification or destruction of, disclosure of any Personal Information or other data in the possession or control of the Company or any service provider acting collected, used or processed by or on behalf of the Company, in each case, where such incident, breach and the Company has not provided or event resulted in a notification obligation been required to provide any notices to any Person under applicable Law or pursuant in connection with any disclosure of any Personal Information. The Company has implemented commercially reasonable disaster recovery and business continuity plans, and taken actions consistent with such plans, to the terms extent required, to safeguard all data and Personal Information in its possession or control. The Company has conducted commercially reasonable privacy and data security testing or audits at reasonable and appropriate intervals and has resolved or remediated any privacy or data security issues or vulnerabilities identified. Neither the Company nor any third party acting at the direction or authorization of the Company has paid any perpetrator of any data breach incident or cyber-attack. (d) The transfer of Personal Information in connection with the transactions contemplated by this Agreement will not violate any Privacy Requirements. The Company Contractis not subject to any Privacy Requirements that, following the Closing, would prohibit the Company from receiving, accessing, storing or using any Personal Information in the manner in which the Company received, accessed, stored and used such Personal Information prior to the Closing. The execution, delivery and performance of this Agreement materially complies with all applicable Privacy Requirements.

Privacy and Data Security. (a) The Company Group Companies’ use, collection, disclosure, access, maintenance, transmission, protection, dissemination, processing and destruction (collectively, “Data Handling”) of any Sensitive Data is and has at all times been in material compliance with all applicable Privacy Laws Legal Requirements, except as provided in Schedule 3.12.8, and the Contracts applicable terms to any Group Company or to which any Group Company is bound, and is, in any event, reasonable. Each Group Company has all necessary authority, consents and authorizations relating to its Data Handling of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, Sensitive Data in its possession or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company under its control in connection with the operation of the such Group Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written The Group Companies maintain policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, regarding data security, transprivacy and the use of data, and maintain administrative, technical, and physical safeguards to protect personally-border data flowidentifiable information in material compliance with all applicable Legal Requirements and Contracts applicable to any Group Company or to which any Group Company is bound. Except as provided in Schedule 3.12.8, data lossall transmission, data theftdisclosure and dissemination of Sensitive Data by the Group Companies occurs in an encrypted manner. Sensitive Data are not transmitted or otherwise provided to a third party by the Group Companies except by a secure, encrypted means and subject to a requirement that the recipient treat any such Sensitive Data securely as required by Legal Requirements. (b) Except as provided in Schedule 3.12.8(b), during the prior six (6) years, Data Handling of Sensitive Data by the Group Companies has not resulted in, and any Sensitive Data in the custody, possession or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge control of the CompanyGroup Companies has not been, lost, inappropriately accessed, misappropriated, misused or compromised. Except as provided in Schedule 3.12.8(b), during the prior six (6) years, there have been no material breaches of or lapses in the security of any software, Systems or facilities of the Group Companies or of any communications means or interface with any products, services or information technology systems of the Group Companies, and those products, services and Systems have not experienced any material unpermitted intrusions or been adversely affected by any denial-of-services attacks. No Actions are pending, or to the Company’s Knowledge, threatened, against any of the Group Companies as of the date hereof with respect to data security incidents or data breaches privacy practices. (c) To the Company’s Knowledge, (i) no Group Company is engaging in or has engaged in unfair competition or trade practices or any false, deceptive, unfair or misleading advertising or promotional practices under the Legal Requirements of any jurisdiction in which such Group Company operates, and (ii) no Group Company has received any notification, or to the Company’s Knowledge, has been subject to any investigation by the United States Federal Trade Commission or any other government authority regarding such Group Company’s services, advertising or promotional practices. (d) Except as set forth on Schedule 3.12.8(d), during the prior six (6) years, none of the Group Companies has been subject to a “Breach” of “Unsecured Protected Health Information” as such terms are defined at 45 C.F.R. § 164.402 or any state data breach notification laws. To the Company’s Knowledge, the Group Companies have not received any written or oral claim or notice from any Governmental Authority, alleging or referencing the investigation of any breach, violation of its Information Systems, as defined under HIPAA, or the improper use, disclosure or access to any personally-identifiable information in its possession, custody or control. Except as set forth on Schedule 3.12.8(d), none of the Group Companies, to the Company’s Knowledge, are under investigation by any Governmental Authority for a violation of Legal Requirements relating to privacy and data security or other adverse events applicable federal or incidents that state personal information privacy and security laws, including receiving any notices from the United States Department of Health and Human Services Office for Civil Rights, relating to any such violations. (e) True and complete copies of all template “Business Associate Agreements” used by any Group Company or Affiliated Practice have resulted been made available to the Buyer Parties along with a list of all of the Group Companies’ Business Associates, as defined under HIPAA. Except as provided on Schedule 3.12.8(e), the Group Companies are not now and have not in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or prior three (3) years been in material breach of any service provider acting on behalf of Business Associate Agreement, and to the Company’s Knowledge, no Business Associate is or has been in each case, where such incident, material breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company ContractBusiness Associate Agreement during the prior three (3) years.

Privacy and Data Security. The Company, the Company is Subsidiaries, and has at all times been in compliance to the Company’s Knowledge, any Person acting for or on the Company’s or any Company Subsidiary’s behalf have since December 31, 2015 materially complied with (i) all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacyLaws, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation ii) all of the Company’s business), except, in each case, for such noncompliance as has not hadand any Company Subsidiary’s policies and notices regarding Personal Information, and would not reasonably be expected (iii) all of the Company’s and any Company Subsidiary’s contractual obligations with respect to havePersonal Information. None of the Company’s or any Company Subsidiary’s privacy policies or notices have contained any material omissions or been misleading or deceptive. The Company and the Company Subsidiaries have implemented and since December 31, individually or 2015 have maintained reasonable safeguards, consistent with practices in the aggregateindustry in which the Company and the Company Subsidiaries operate, a to protect Personal Information and other confidential data in their possession or under their control against loss, theft, misuse or unauthorized access, use, modification or disclosure, and the Company Material Adverse Effectand the Company Subsidiaries have taken reasonable steps to ensure that any third party with access to Personal Information collected by or on behalf of the Company or the Company Subsidiaries has implemented and maintained the same. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company’s Knowledge, there have been no data breaches, security incidents incidents, misuse of or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, to or collection, use, disclosure, modification or destruction of, disclosure of any Personal Information or other data in the possession or control of the Company or any service provider acting the Company Subsidiaries or collected, used or processed by or on behalf of the Company, in each case, where such incident, breach Company or event resulted in a notification obligation the Company Subsidiaries. The Company and the Company Subsidiaries have not provided or been legally required to provide any notices to any Person under in connection with a disclosure of Personal Information. The Company has not received any written notice of any claims (including written notice from third parties acting on their behalf), of or been charged with, the violation of, any Privacy Laws, applicable Law privacy policies, or pursuant contractual commitments with respect to Personal Information and to the terms Company’s Knowledge, there are no facts or circumstances that could reasonably form the basis of any Company Contractsuch notice or claim.

Privacy and Data Security. (a) The use and dissemination by the Company of any Personal Data is in compliance in all material respects with the Company’s privacy policies and terms of use, industry standards, all applicable Information Privacy and Security Laws, Personal Data Obligations, and all Contracts to which the Company is bound. No Personal Data is stored or otherwise maintained outside the United States by the Company or any third party. The Company has not engaged in cross-border processing of Personal Data. True and complete copies of all privacy policies that have been used by the Company in the past three (3) years have been provided to Parent. The Company has consistently posted a privacy policy in a clear and conspicuous location on all websites and any mobile applications owned or operated by the Company. (b) The Company does not Collect or Use Personal Data from any Person in any manner other than as described in the Contracts or, to the extent applicable, any privacy policies delivered to Parent. (c) The Company maintains policies and procedures regarding data security and privacy and maintains administrative, technical and physical safeguards that are commercially reasonable and, in any event, in compliance with industry standards, all applicable Information and Privacy and Security Laws and all Contracts to which the Company is bound. True and complete copies of all such policies and procedures have been provided to Parent. The Company has complied at all times been in compliance all material respects with all applicable Privacy Laws and the applicable terms of any all Contracts to which the Company Contracts governing is a party relating to data privacy, data protection, data security, trans-border data flow, data loss, data theft, security or breach notification, data localization, sending solicited notification (including provisions that impose conditions or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or restrictions on the collection, handlinguse, usedisclosure, transmission, destruction, maintenance, storage, or safeguarding of Personal Data). (d) Except as set forth on Schedule 3.15.7(d), at any time during the three (3)-year period preceding the Agreement Date, there have been no security breaches relating to, or violations of any security policy or Information Privacy and Security Law regarding, or any unauthorized access, disclosure, transferor use of, any data or information used by the Company, including Personal Data. No notice has been provided to the Company by a third party vendor or any other person of any security breach relating to Personal Data. The Company has not experienced a loss or unauthorized disclosure, use, or other processing of, breach of privacy or security of any Personal Information Data in the custody or control of the Company that would have required notice to any third Person (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers Governmental Entity or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of parties to any Contract) under any applicable Law. No Person (including any Governmental Authority) has commenced any Action relating to the Company’s business)information privacy or data security practices, except, in each case, for such noncompliance as has not had, and would not reasonably be expected or to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the threatened any such Action or made any complaint, investigation, or inquiry relating to such practices. (e) The Company does not (i) have or solicit any customers in the European Economic Area, or (ii) knowingly process, transmit, or store any Personal Data of any Persons located in the European Economic Area. (f) The Company has implemented taken all required steps to limit access to Personal Data to: (i) those Company personnel and third-party vendors providing services to or on behalf of the Company who have a need to know such Personal Data in the execution of their duties to the Company; and (ii) such other Persons permitted to access such Personal Data in accordance with the privacy policies and terms of use, industry standards, all applicable Information Privacy and Security Laws and all Contracts to which the Company is bound. (g) The Company maintains a commercially reasonable written policies technical information security program that contains administrative, technical and procedures physical safeguards (including encryption) compliant in all material respects with industry standards and applicable Information Privacy and Security Laws (the “Security Program”). The Company’s Security Program is designed to: (i) protect the integrity and confidentiality of Personal Data; (ii) protect against reasonably anticipated threats or hazards to the security of Personal Data; (iii) protect against the unauthorized access, disclosure or use of Personal Data; (iv) address computer and network security; and (v) provide for the secure destruction and disposal of Personal Data. The Security Program has been updated as required by all applicable Information Privacy and Security Laws. All third-party vendors or persons with access to Personal Data have entered into contracts or written agreements with the Company requiring that such vendors or persons maintain a substantially similar security program. (h) The Company is in material compliance with all applicable Information Privacy and Security Laws regarding the Collection and Use of the Personal Data of any individual. (i) The Company controls the access to its computer and information technology networks through the utilization of industry-standard or better security measures that are designed to prevent unauthorized access to such networks. All of the Company’s security measures are designed to be materially comply consistent with or exceed industry standards and the requirements of applicable Privacy Laws and are designed to protect (i) prevent the privacy and security unauthorized disclosure of confidential information (including Personal Information (Data) of the “Privacy Policies”) and Company’s customers, (ii) has complied with prevent access without express authorization (and immediately terminate such Privacy Policies, except for such noncompliance as has not had, unauthorized access) to the networks and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge information system of the Company, no Legal Proceeding has been asserted or threatened against ’s customers through the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control networks of the Company or any service provider acting on behalf and (iii) facilitate the Company’s identification of the Company, in each case, where person making or attempting to make such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contractunauthorized access.

Privacy and Data Security. The (a) Except as set forth in Section 3.16(a)(i) of the Company Disclosure Schedule, the Company Group’s Processing of Personal Information is and has at all times been in compliance in all material respects with (i) any agreement to which the Company Group is a party or by which any of their respective assets or properties are bound that governs the Processing of Personal Information, (ii) applicable Information Privacy and Security Laws, (iii) the Payment Card Industry Data Security Standard (“PCI DSS”), and (iv) Company Group Privacy Policies. Except as set forth in Section 3.16(a)(ii) of the Company Disclosure Schedule, the Company Group has all applicable Privacy Laws authority, consents, and authorizations to Process the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with in the Company Group’s possession or under their control in connection with the operation of the Companybusiness as required by applicable Information Privacy and Security Laws. The Company Group has at all times since January 1, 2020 complied in all material respects with all of the Company Group’s business)then-current internal or public-facing written rules, exceptstatements, in each casepolicies, for such noncompliance as has not hadnotices, and would not reasonably be expected procedures updated from time to havetime with respect to privacy, individually data protection, electronic communication or Processing of Personal Information gathered or accessed in the aggregatecourse of the business and the operations of the Company Group with respect to the business (collectively, the “Company Group Privacy Policies”). Since January 1, 2020, each member of the Company Group has posted to each of its websites, and otherwise has available to the public, a Company Material Adverse EffectGroup Privacy Policy. To Except as would not be material to the Company Group, no disclosure or representation made or contained in any Company Group Privacy Policy has been inaccurate, misleading, deceptive, or in material violation of any Information Privacy and Security Laws (including by containing any material omission), and the practices of the Company Group with respect to the Processing of Personal Information conform, and at all times have conformed, to the Company Group Privacy Policies in all material respects. (b) Since January 1, 2020, no claims have been asserted in writing or, to the Company Group’s Knowledge, threatened in writing against the Company Group or the Sellers by any Person alleging any actual, alleged, or suspected violation of such Person’s, or any other Person’s, privacy, personal or confidentiality rights under applicable Laws, or a breach or other violation of any of the Company Group Privacy Policies. (c) Since January 1, 2020, the Company Group (i) has not received written notice of having been under investigation, audit, enforcement action by any Governmental Authority for any actual, alleged, or suspected violation of any Information Privacy and Security Laws; and (ii) have not received any written notices or audit requests from a Governmental Authority, or the Attorney General of any state or any comparable Governmental Authority in any foreign jurisdiction relating to any such violations. (d) All IT Systems used by the Company Group in the conduct of its business are either (i) owned by, (ii) licensed or leased to, or (iii) provided to, the Company Group. The IT Systems constitute the material information technology systems reasonably necessary to carry on the operation of the business of the Company Group immediately after the Closing in substantially the same manner as conducted as of the date hereof. Company Group, since January 1, 2020, has not received any written notice from a third party alleging the Company Group is in default under licenses or leases relating to the IT Systems. No Company Group has received written notice of or, to the Knowledge of the CompanyCompany Group, is aware of any material circumstances which would enable any third party to terminate any agreements or arrangements of a Company Group relating to the IT Systems (including maintenance and support), and such IT Systems are free from any Liens (other than Permitted Liens). (e) The Company Group has taken commercially reasonable steps (including implementing and monitoring compliance with adequate measures with respect to technical and physical security) designed to ensure that the IT Systems of the Company Group that are used in connection with the business, including the relevant Software and hardware: (i) are adequate for the business as currently conducted; (ii) have not suffered any material failure or disruption since January 1, 2020; and (iii) are reasonably secure against unauthorized intrusion. Except as set forth in Section 3.16(e) of the Company Disclosure Schedule, since January 1, 2020, to the Knowledge of the Company Group, the Company Group has not suffered or experienced any security incident or breach resulting in the unauthorized access, use or intrusion, encryption of, or extortion attempts relating to any IT System or any data contained therein, any confidential information of the Company Group with respect to the business or any customer or supplier of the business or any Personal Information Processed by or on behalf of the business (“Security Incident”). No Company Group member has notified and, to the Company Group’s Knowledge, there are no facts or circumstances that would require any Company Group member to notify, any Governmental Authority or other Person of any Security Incident. (f) The Company Group has taken reasonable steps designed to safeguard the internal and external integrity of the IT Systems and the data that the IT Systems contain, including, without limitation, procedures designed to prevent unauthorized access, the introduction of a virus and the taking and storing on-site and off-site of back-up copies of critical data. (g) Except as set forth in Section 3.16(g) of the Company Group Disclosure Schedule, the Company Group has not completed a security risk assessment nor obtained an independent vulnerability assessment completed by a recognized third-party audit firm. The Company Group is in the process of conducting a security risk assessment by a recognized third-party audit firm and such firm has not notified the Company Group of any critical or high threats as of the date hereof. (h) Except for disclosures of Personal Information permitted by applicable Information Privacy and Security Laws and in accordance with all applicable Contracts, the Company Group has not and does not sell, rent, or otherwise make available any Personal Information to third Persons for compensation of any form. (i) The Company Group has at all times since January 1, 2020 implemented and maintains maintained, commercially reasonable and at a minimum industry standard security measures, plans, procedures, controls, and programs, including a written policies information security programs, to (i) identify and procedures that materially comply with applicable Privacy Laws address internal and are designed external risks to protect the privacy and security of Personal Information (the “Privacy Policies”) and in their possession or control; (ii) has complied with such Privacy Policiesimplement, except for such noncompliance as has not hadmonitor, and would not reasonably be expected improve adequate and effective administrative, technical, and physical safeguards to haveprotect such Personal Information and the operation, individually or integrity, and security of its software, systems, applications, and websites involved in the aggregateProcessing of Personal Information; and (iii) provide notification in compliance in all material respects with applicable Information Privacy and Security Laws and Company Group Privacy Policies in the case of any Security Incident. (j) Since January 1, a 2020, the Company Material Adverse Effect. To Group has implemented reasonable business continuity, back-up and disaster recovery technology, plans, procedures and facilities for its business and IT Systems consistent with generally accepted industry practices with respect to the Knowledge confidential information and to the IT Systems and has taken reasonable steps to safeguard the security and the integrity of its IT Systems included in the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company ContractOwned Intellectual Property.

Privacy and Data Security. (i) The Collection and Use and dissemination by the Company of any Personal Data is in compliance in all respects with the Company’s privacy policies and terms of use, all applicable Information Privacy and Security Laws, all Personal Data Obligations, and all Contracts to which the Company is bound. Except as disclosed on Section 3.15(g) of the Disclosure Schedule, (i) no Personal Data is stored or otherwise maintained outside the United States by the Company or any third party and (ii) the Company has not engaged in cross-border processing of Personal Data. True and complete copies of all current privacy policies used by the Company have been provided or made available to Parent. The Company is has consistently posted a privacy policy in a clear and has at conspicuous location on all times been websites and any mobile applications owned or operated by the Company. (ii) The Company does not Collect or Use Personal Data from any Person in any manner other than as described in the Contracts or, to the extent applicable, any privacy policies delivered or made available to Parent. (iii) The Company maintains policies and procedures regarding data security and privacy and maintains administrative, technical and physical safeguards that are commercially reasonable and, in any event, to the Company’s Knowledge, in compliance with all applicable Information and Privacy and Security Laws and the applicable terms of any Company all Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with to which the Company in connection with the operation is bound. True and complete copies of the Company’s business), except, in each case, for all such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed have been provided or made available to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) Parent. The Company has complied at all times in all respects with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected the terms of all Contracts to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against which the Company by any Person alleging is a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing party relating to data privacy, data protection, data security, trans-border data flow, data loss, data theft, security or breach notification, data localization, sending solicited notification (including provisions that impose conditions or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or restrictions on the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification transmission, destruction, maintenance, storage, or destruction safeguarding of Personal Data). (iv) At any time since the Reference Date, there have been no security breaches relating to, or violations of any security policy or Information Privacy and Security Law regarding, or any unauthorized access, disclosure, or use of, any data or information used by the Company, including Personal Information Data. No written notice has been provided to the Company by a third party vendor or any other data person of any security breach relating to Personal Data. The Company has not experienced a loss or unauthorized disclosure, use, or breach of privacy or security of any Personal Data in the possession custody or control of the Company that would have required notice to any third Person (including any Governmental Entity or parties to any service provider acting Contract) under any applicable Law. No Person (including any Governmental Authority) has commenced or, to the Company’s Knowledge, threatened, any Action relating to the Company’s information privacy or data security practices. (v) The Company does not knowingly (x) have or actively solicit any customers in the European Economic Area, or (y) process, transmit, or store any Personal Data of any Persons located in the European Economic Area. (vi) The Company has taken all required steps to limit access to Personal Data to: (x) those Company personnel and third-party vendors providing services to or on behalf of the Company, Company who have a need to know such Personal Data in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant the execution of their duties to the Company; and (y) such other Persons permitted to access such Personal Data in accordance with the privacy policies and terms of any use, all applicable Information Privacy and Security Laws and all Contracts to which the Company Contractis bound. (vii) The Company maintains a written technical information security program that contains administrative, technical and physical safeguards (including encryption) compliant in all respects with industry standards and applicable Information Privacy and Security Laws (the “Security Program”). The Company’s Security Program is designed to: (v) protect the integrity and confidentiality of Personal Data; (w) protect against reasonably anticipated threats or hazards to the security of Personal Data; (x) protect against the unauthorized access, disclosure or use of Personal Data; (y) address computer and network security; and (z) provide for the secure destruction and disposal of Personal Data. The Security Program has been updated as required by all applicable Information Privacy and Security Laws. All third party vendors or persons with access to Personal Data have entered into contracts or written agreements with the Company requiring that such vendors or persons maintain a substantially similar security program. (viii) The Company controls the access to its computer and information technology networks through the utilization of standard security measures that are designed to prevent unauthorized access to such networks. All of the Company’s security measures are designed to be consistent with or exceed the requirements of applicable Laws and are designed to (x) prevent the unauthorized disclosure of confidential information (including Personal Data) of the Company,

Privacy and Data Security. (i) The Collection and Use and dissemination by each member of the Company Group of any Personal Data is in compliance in all respects with all Information Privacy and Security Laws, all applicable Personal Data Obligations and all Contracts that pertain to the Collection and Use of Personal Data to which such member of the Company Group is bound. Except as disclosed on Section 3.15(g) of the Disclosure Schedule, (x) no Personal Data is stored or otherwise maintained outside the United States by any member of the Company Group or any third party and (y) no member of the Company Group has at all times been engaged in cross-border processing of Personal Data; except to the extent permitted under and in compliance with Information Privacy and Security Laws. True and complete copies of all applicable privacy policies that have been used by any member of the Company Group since the Reference Date have been provided or made available to Parent. Each member of the Company Group has since the Reference Date consistently posted a privacy policy in conformance with all Information Privacy and Security Laws on all websites and any mobile applications owned or operated by such member. (ii) Each member of the Company Group maintains policies and procedures regarding data security and privacy and maintains administrative, technical and physical safeguards that are commercially reasonable and, in any event, comply in material respects with all Information Privacy and Security Laws and all Contracts to which such member of the applicable terms of any Company Contracts governing privacyGroup is bound. (iii) Since the Reference Date, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect (w) there have been no security breaches relating to, or the collection, handling, use, maintenance, storageviolations of any security policy or Information Privacy and Security Law resulting in any unauthorized access, disclosure, transfer, or other processing use of, any Personal Information Data maintained by or on behalf of the Company (including any such information incident, a “Security Breach”), (x) no notice has been provided to any member of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business)Group by a third party vendor or, except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, any 58 other Person of a Security Breach, (y) the Company has not provided notice to any Governmental Authority or parties to any Contract under any applicable Law of a Security Breach since the Reference Date, and (iz) no Person (including any Governmental Authority) has implemented commenced any Action alleging in writing that the Company’s information privacy or data security practices are not compliant with Information Privacy and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed Security Laws, or to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted threatened any such Action or threatened against the Company by made any Person alleging a violation of Privacy Lawscomplaint, Privacy Policiesinvestigation, or the applicable terms of any Company Contracts governing privacy, data protection, data security, transinquiry alleging non-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, compliance with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control Privacy and Security Laws. (iv) No member of the Company Group (x) has or solicits any service provider acting customers in the European Economic Area, or (y) processes, transmits, or stores any Personal Data of any Persons that reside in the European Economic Area. (v) Each member of the Company Group takes commercially reasonable steps to limit access to Personal Data to: (x) those Company Group personnel and third-party vendors providing services to or on behalf of the Company Group who are authorized based on principles of least privilege and (y) such other Persons permitted to access such Personal Data in accordance with the privacy policies and terms of use, all Information Privacy and Security Laws, and all Contracts to which such member of the Company Group is bound. (vi) The Company’s information security program is comprised of administrative, technical and physical safeguards compliant in each caseall respects with all Information Privacy and Security Laws (collectively, where such incident, breach the “Security Program”). The Security Program employs commercially reasonable measures designed to: (v) protect the integrity and confidentiality of Personal Data; (w) protect against reasonably anticipated threats or event resulted in a notification obligation to any Person under applicable Law or pursuant hazards to the terms security of any Personal Data; (x) protect against the unauthorized access, disclosure or use of Personal Data; (y) address computer and network security; and (z) provide for the secure destruction and disposal of Personal Data. The Security Program is regularly reviewed and, as needed, updated in accordance with all Information Privacy and Security Laws. With respect to third party vendors or persons with access to Personal Data, an applicable member of the Company ContractGroup has entered into contracts or written agreements with such parties requiring that such vendors or persons maintain an appropriate security program. (vii) Each member of the Company Group controls the access to its computer and information technology networks through the utilization of commercially reasonable measures that are designed to prevent unauthorized access to such networks. All of the Company Group’s security measures are designed to be consistent with or exceed industry standards and the requirements of applicable Laws and are designed to (x) prevent the unauthorized disclosure of confidential information (including Personal Data) of the applicable member of the Company Group, (y) prevent access without express authorization (and immediately terminate such unauthorized access) to the networks and information system of the applicable member of the Company Group and (z) facilitate the applicable member of the Company Group’s identification of the person making or attempting to make such unauthorized access.

Privacy and Data Security. The Each member of the Company is Group has, since January 1, 2016, (a) complied in all material respects with such Company Group member’s privacy policies and has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts Legal Requirements governing privacy, privacy or data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, protection with respect to, or the to such Company Group member’s collection, handling, use, maintenance, storage, disclosureprocessing, transfersharing, security, disclosure or other processing of, transfer of Personal Information (including any that is possessed by or otherwise subject to the control of such information member of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not hadGroup, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (ib) has implemented and maintains used commercially reasonable written policies and procedures that materially comply with applicable Privacy Laws and are measures designed to protect the privacy and security of secure such Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policiesfrom security breaches resulting in loss, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policiesdamage, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collectionaccess, use, disclosure, modification modification, or destruction ofother misuse of such Personal Information. Each member of the Company Group has undertaken surveys, audits, inventories, reviews, analyses and/or assessments to the extent required by applicable privacy and data protection Legal Requirements and remediated any deficiencies identified thereby, to the extent required by applicable privacy and data protection Legal Requirements, has provided training to its employees with respect to compliance with such Legal Requirements, and has adopted commercially reasonable information security policies and practices designed to safeguard Personal Information in such Company Group member’s possession or control. Since January 1, 2016, (i) to the Knowledge of Seller, there has been no security breach resulting in any loss, damage, or unauthorized access, use, disclosure, modification, or other data misuse of any Personal Information while in the possession of, or subject to the control of, any member of the Company Group, and (ii) the Company Group has not received written notice of any actual or threatened proceedings against any service provider acting on behalf member of the CompanyCompany Group with respect to such Company Group member’s privacy or data security practices with regard to any such Personal Information. The execution of this Agreement and the other Transaction Documents, in each casecase on the part of the members of the Company Group, where such incidentand the consummation of the transactions contemplated hereby and thereby do not cause any member of the Company Group to violate, breach any privacy policy of the applicable member of the Company Group or event resulted in a notification obligation any applicable Legal Requirements relating to privacy or data security with respect to any Person under applicable Law or pursuant to the terms of any Company ContractPersonal Information.

Privacy and Data Security. The (a) Except as would not, individually or in the aggregate, reasonably be expected to have a Company is Material Adverse Effect, the Company complies and has at all times been in compliance for the past three (3) years complied with all applicable Privacy Laws and Laws, its Privacy Policies, the applicable terms of any Company Contracts governing relating to privacy, data protection, data security, trans-border collection or use of Personal Information and all applicable requirements of industry standards or codes of conduct that concern the privacy or security of Personal Information and that are binding upon the Company (all of the foregoing, collectively, “Privacy Requirements”). The Company has, for the past three (3) years, used commercially reasonable methods and technology to secure Company IT Systems, all Personal Information and other material Company data flow, data and information from loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handlingunauthorized access, use, maintenanceacquisition of, storagedisclosure of, disclosure, transfer, or other processing of, or modification, which methods and technology comply in all material respects with applicable Privacy Requirements. To the extent required under applicable Privacy Laws, the Company has contractually obligated third parties that process Personal Information (including any such information on behalf of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company to comply in connection all material respects with applicable Privacy Laws and to protect the operation privacy, security and confidentiality of all Personal Information. To the Knowledge of the Company’s business), exceptsuch third parties, in each casetheir provision of services to Company, for such noncompliance have not failed to comply in any material respect with relevant contracts. In the past three (3) years, no claims have been asserted or threatened against the Company by any Person alleging a violation of any Privacy Requirements, except as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To In the Knowledge of the Company, the Company past three (i3) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Companyyears, there have been no data security incidents or data breaches affecting the Company IT Systems or other adverse events any Personal Information that has been collected, maintained, processed or incidents stored by or on behalf of the Company that have resulted would require notification of individuals, law enforcement, or any Governmental Authority under any applicable Privacy Law. Neither the execution of this Agreement nor the performance of the Company’s obligations under this Agreement will violate any applicable Privacy Requirements in any material respect. (b) To the Knowledge of the Company, no Company IT System contains any “back door,” “drop dead device,” “time bomb,” “Trojan horse,” “virus,” “worm,” “spyware” or “adware” (as such terms are commonly understood in the software industry) or any other code designed or intended to have or capable of performing or facilitating, any of the following functions: (i) disrupting, disabling, harming or otherwise impeding in any manner the operation of, or providing unauthorized access to, a computer system or collection, use, disclosure, modification or destruction of, Personal Information network or other device on which such code is stored or installed; or (ii) compromising the privacy or data in security of a user or damaging or destroying any data or file without the possession or control of user’s consent (collectively, “Malicious Code”). The Company has implemented, and the Company or any service provider acting on behalf maintains, commercially reasonable measures to prevent the introduction of Malicious Code into the CompanyCompany IT Systems, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms including firewall protections and regular virus scans and for taking and storing on-site and off-site back-up copies of any Company Contractsoftware and critical data.

Privacy and Data Security. The Company (a) A privacy policy regarding the Company’s collection, storage, use and distribution of the Personal Information of visitors to the Company’s websites and users of the Customer Offerings, is and has been posted and accessible to individuals at all relevant times been in compliance with on each Company website and/or through the Customer Offerings and all applicable Privacy Laws such posted policies are accurate and the applicable terms of have not contained any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation material omissions of the Company’s business)privacy practices or practices concerning the collection, exceptuse, storage, registration and disclosure of Personal Information. The Company is in each case, for such noncompliance as has not hadcompliance in all material respects with its stated privacy policies, and would not reasonably be expected has in all past time periods over the last five years been in compliance in all material respects with its respective stated privacy policies applicable to such past time periods. Neither this Agreement nor the Ancillary Agreements, nor the Transactions will violate any of the Company’s applicable privacy policies. Except as set forth on Section 2.15(a) of the Disclosure Schedule, there has been no unauthorized access to or other misuse of any Personal Information collected or otherwise obtained by the Company. There has been no unlawful disclosure by the Company, or, to the Company’s Knowledge, by any other Person to whom the Company has provided any Personal Information, of electronic communications or Personal Information collected or otherwise obtained by the Company to any third party, including any Governmental Entity. (b) None of the Company Products contains any “back door,” “drop dead device,” “time bomb,” “Trojan horse,” “virus” or “worm” (as such terms are commonly understood in the software industry) or any other code designed or intended to have, individually or in the aggregatecapable of performing or without user intent will cause, a Company Material Adverse Effect. To the Knowledge any of the Company, the Company following functions: (i) disrupting, disabling, harming or otherwise impeding in any manner the operation of, or providing unauthorized access to, a computer system or network or other device on which such code is stored or installed; (ii) damaging or destroying any data or file without the user’s consent or (iii) sending information to the Company or any third party. None of the Customer Offerings have been discovered to contain any such malicious code in the past five (5) years. (c) The Company has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy appropriate disaster recovery and security plans, procedures and facilities, consistent with industry practices of Personal Information companies offering similar services to preserve the availability, security, and integrity of the Company’s Internal Systems, and the data and information stored thereon, including data maintained on behalf of customers or users in connection with the Company’s password and data management services. Except as set forth in Section 2.15(c) of the Disclosure Schedule, and other than the Network Intrusion Matters, there has been no breach of security or unauthorized access by third parties to (i) the “Privacy Policies”) and Company’s Internal Systems, (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company’s trade secrets, no Legal Proceeding has been asserted or threatened against (iii) the Company by any Person alleging a violation of Privacy Laws, Privacy PoliciesCompany’s user data, or the applicable terms of (iv) any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession login credentials collected, held, or control of the Company otherwise managed by or any service provider acting on behalf of the Company. To the Company’s Knowledge, and except as would not have a material impact on the Company’s business, the Company’s Internal Systems operate and perform in all material respects in accordance with their documentation and functional specifications and otherwise as required by the Company’s business. (d) Except as set forth in Section 2.15(d) of the Disclosure Schedule, there is no claim or Legal Proceeding of any nature pending or, to the Company’s Knowledge, threatened by the Company or against the Company or any of its properties or assets (including Company Intellectual Property), in each casecase relating to (i) any actual or alleged violation of the Company’s current or former privacy policies or any Person’s privacy, where such incidentpersonal, breach or event resulted confidentiality rights thereunder, or (ii) any actual or alleged violation of any Laws relating to the Company’s collection, storage, use and distribution of the Personal Information of visitors to the Company’s websites and users of the Customer Offerings. Except as set forth in a notification obligation Section 2.15(d) of the Disclosure Schedule, the Company has not received notice from any Governmental Entity asserting any violation of, or indicating an intention to commence any Legal Proceeding (including any investigation) with respect to any Person under applicable Law Laws (or pursuant any actual or alleged violation thereof) relating to the terms Company’s collection, storage, use and distribution of any Company Contractthe Personal Information of visitors to the Company’s websites and users of the Customer Offerings.

Privacy and Data Security. (a) The Company is and has at all times been in compliance in all material respects with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacyData Security Requirements and, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding facts or circumstances exist that could reasonably be expected to give rise to any material breach of any Data Security Requirements. (b) The Company has been asserted or threatened against at all times complied in all material respects with: (i) all applicable privacy policies of the Company by any Person alleging a violation of Company, (ii) all applicable Data Privacy Laws, Privacy Policies, or and (iii) all applicable contractual commitments of the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, that the Company has entered into with respect toto the receipt, or the collection, handlingcompilation, use, maintenance, storage, disclosureprocessing, transfersharing, safeguarding, security, disposal, destruction, disclosure or other processing oftransfer of Business Data by the Company. The Company has at all times provided an accurate and complete disclosure with respect to the applicable privacy policies and privacy and data security practices of the Company. (c) The Company has not made any use of Business Data collected by or on behalf of the Company in violation of Data Security Requirements, Personal Information. To and, to the Knowledge of the Company, in the last five (5) years there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in information security incident (including any unauthorized access toand/or introduction of any virus, worm, malware, ▇▇▇▇▇▇ ▇▇▇▇, Trojan horse or other unauthorized disabling code or program) involving any Business Data handled by or on behalf of the Company. (d) The Company contractually requires all third parties, including vendors, Affiliates and other Persons providing services to the Company who have access to or receive Business Data from the Company, to comply with all applicable Data Security Requirements regarding the use of such Business Data, and to use commercially reasonable efforts consistent with applicable Data Security Requirements to store and secure all Business Data to protect against unauthorized access to or use of the Business Data. The Company has taken reasonable measures designed to ensure that all such third-party service providers, outsourcers and processors of such Business Data have complied with their obligations to the Company. (e) The Company has not previously been and is not currently under investigation by any Governmental Authority regarding its protection, storage, collection, use, disclosure, modification or destruction ofprocessing and transfer of Personal Information. The Company has not received any oral, Personal Information written or other data claim, complaint, inquiry or notice from any Governmental Authority or any other Person related to whether the Company’s collection, processing, use, storage, security and/or disclosure of Business Data (i) is in violation of any applicable Data Security Requirements or (ii) otherwise constitutes an unfair, deceptive or misleading trade practice. (f) The execution, delivery and performance of this Agreement and the possession or control consummation of the transactions contemplated hereby complies with all Data Security Requirements applicable to the Company. (g) The Company owns or has a valid right to access and/or use all Company IT Systems. There has been no (i) failure or systematic malfunction of any service provider acting on behalf Company IT Systems which has caused any material disruption to the business of the Company, in each case(ii) material unplanned downtime or service interruption with respect to any Company IT Systems, where such incident, (iii) security breach or intrusion into the Company IT Systems or unauthorized access or use of the Company IT Systems or Business Data, (iv) actual or reasonably suspected unauthorized acquisition, destruction, damage, disclosure, loss, corruption, alteration or use of the Company IT Systems or any Business Data, or (v) action or circumstance requiring the Company to notify a Governmental Authority of a data security breach or violation of any Data Security Requirements. The Company has not received written notice of any vulnerability in the Company IT Systems that could reasonably be expected to compromise any of the Company IT Systems or Business Data or result in the loss of availability and/or integrity of the Company IT Systems or Business Data. The Company has implemented firewall protections, implemented virus scans and has taken all steps in accordance with industry standards designed to protect the integrity and security of the Company IT Systems and the information stored therein (including all Business Data and Intellectual Property owned, collected, protected or maintained by the Company) from misuse or unauthorized use, access, disclosure or modification by any Person and to ensure the continued, uninterrupted and error-free operation of the Company IT Systems. The Company has in effect industry standard disaster recovery plans and procedures in the event resulted in a notification obligation of any malfunction of or unauthorized access to any Person under applicable Law or pursuant Company IT Systems. The Company IT Systems (i) are adequate for the operation of the business of the Company as currently conducted, and (ii) with respect to the terms Company IT Systems owned by the Company or under the Company’s control, perform in material conformance with their documentation and are free from any material defect. The consummation of the transactions contemplated hereby will not result in any material liabilities or obligations in connection with any Data Security Requirements or impair any right, title or interest of the Company in or to any Company ContractIT Systems or Business Data.

Privacy and Data Security. The All information or data of any kind possessed by the Company, including but not limited to, personally identifiable information collected from any source, including consumers (“PII”), aggregate or anonymous information collected from any source, including consumers (“Non-PII”) and Employee data, whether collected online or offline (collectively, “Data”), has been collected, by the Company or any other Person, and is being maintained, stored, processed and has at all times been used by the Company in compliance with all applicable laws. The Company has at all times presented a privacy policy (“Privacy Laws Policy”) to consumers prior to the collection of any PII or Non-PII online. The Privacy Policy, and any other representations, marketing materials and advertisements that address privacy issues and the applicable terms treatment of Data, accurately and completely describe the Company’s information collection and use practices, and no such notices or disclosures have been inaccurate, misleading or deceptive. The Company has stored and maintained all Data in a secure manner, using commercially reasonable physical and technical measures, to ensure the integrity and security of the Data and to prevent loss, alteration, corruption, misuse and unauthorized access to such Data. There has been no unauthorized use, access to or disclosure of any Data. The Company Contracts governing privacyhas not received any claims, data protectionnotices or complaints regarding its information practices or use of Data. The Company has not received any written notice from a Governmental Authority or consumer advocacy organization challenging, data questioning or inquiring about the Company’s Data collection or usage practices. To the Knowledge of the Sellers, neither the Company nor any of its subcontractors has experienced any (a) breach of security, trans-border data flowas defined by the Privacy Laws, data loss, data theft(b) Breach of Unsecured Protected Health Information as “Breach,” “Unsecured Protected Health Information,” and “Protected Health Information” are defined by HIPAA, or breach notification(c) any Security Incident as “Security Incident” is defined by HIPAA, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technologyexcept, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information to (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s businessc), except, in each case, for such noncompliance as has not had, and those Security Incidents which would not reasonably be expected to havenot, individually or in the aggregate, reasonably be likely to have a Company Material Adverse Effect. To The Company is in compliance with all guidelines and policies that relate to the Knowledge Company’s business and which are set forth by applicable industry associations and self-regulatory guidelines. The Company has only used Data received from its customers in accordance with its contractual agreements with such customers. The consummation of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has transactions contemplated herein will not had, and would not reasonably be expected to have, individually result in any loss or in the aggregate, a Company Material Adverse Effect. To the Knowledge impairment of the Companyrights to own or use any Data, no Legal Proceeding has been asserted or threatened against nor will such consummation require the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms consent of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with third party in respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company ContractData.

Privacy and Data Security. The Company is and has at all times been in compliance each of its Subsidiaries and, to the Knowledge of the Company with respect to the Processing of Company Data, their Data Processors, comply and have complied with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), exceptRequirements, in each case, for such noncompliance case except as has not had, and would not reasonably be expected to havebe, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a Company Material Adverse Effectwhole. To the extent required by Privacy Requirements or Company Privacy Policies, Personal Data is securely deleted or destroyed by Company and each of its Subsidiaries. Neither the execution, delivery or performance of this Agreement nor any of the other agreements contemplated by this Agreement, nor the consummation of any of the transactions contemplated by this Agreement or any such other agreements violate any Privacy Requirements or Company Privacy Policies. Where the Company or its Subsidiaries use a Data Processor to Process Personal Data, the Data Processor has provided guarantees, warranties or covenants in relation to Processing of Personal Data, confidentiality, and security measures, and has agreed to comply with those obligations in a manner sufficient for the Company’s and each of its Subsidiaries’ compliance in all material respects with Privacy Requirements. Since December 31, 2018, the Company and its Subsidiaries have not: (i) experienced any Security Incident; or (ii) been subject to or received any notice (including any enforcement notice) of any audit, investigation, complaint, or other legal action by any Governmental Entity or other Person concerning the Company’s or any of its Subsidiaries’ collection, use, processing, storage, transfer, or protection of personal information or actual, alleged, or suspected violation of any Privacy Requirement, and to the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures there are no facts or circumstances that materially comply with applicable Privacy Laws and are designed could reasonably be expected to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with give rise to any such Privacy Policieslegal action, in each case except for such noncompliance as has not had, and would could not reasonably be expected to havebe, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against material to the Company by and its Subsidiaries, taken as a whole. The Company and each of its Subsidiaries are not in material breach of any Person alleging a violation of Contracts relating to the Company IT Systems or to Company Data and do not transfer Personal Data internationally except where such transfers comply with Privacy Laws, Requirements and Company Privacy Policies. The Company and each of its Subsidiaries maintain, or and have maintained for the applicable terms of any Company Contracts governing privacylast five (5) years, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, cyber liability insurance with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contractreasonable coverage limits.

Privacy and Data Security. (a) The Company is and has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or a privacy policy regarding the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such and disclosure of personal information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of its business that is in the Company's possession, custody, or control, or otherwise held or processed on its behalf and is and in the past six years has been in compliance in all material respects with its privacy policy. A complete copy of all privacy policies that have been used by the Company during the past two (2) years have been provided to TheMaven. The Company has during the past six years posted a privacy policy in a clear and conspicuous location on all websites and any mobile applications owned or operated by the Company. (b) The Company has complied at all times in all material respects with all applicable Federal and state laws, rules and regulations regarding the collection, use, storage, transfer, or disposal of personal information applicable to the business of the Company. (c) The Company is in compliance in all material respects with the terms of all Contracts to which the Company is a party relating to data privacy, security, or breach notification (including provisions that impose conditions or restrictions on the collection, use, storage, transfer, or disposal of personal information). (d) No Person (including any Governmental Body) has commenced any action relating to the Company’s business)information privacy or data security practices, exceptincluding with respect to the collection, in each caseuse, for transfer, storage, or disposal of personal information maintained by or on behalf of the Company, or, to the Knowledge of the Company, threatened any such noncompliance action, or made any complaint, investigation, or inquiry relating to such practices, except as has not had, and would not reasonably be expected to havenot, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. (e) The execution, delivery, and performance of this Agreement and the consummation of the contemplated transactions, including any transfer of personal information resulting from such transactions, will not violate any applicable law or the privacy policy of the Company as it currently exists or as it existed at any time during which any personal information was collected or obtained by or on behalf of Company or other privacy and data security requirements imposed on Company or any party acting on its behalf under any Contracts, except in each case as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Upon the Closing, theMaven will continue to have the right to use such personal information on identical terms and conditions as the Company enjoyed immediately prior to the Closing. (f) The Company has established and implemented policies, programs, and procedures that are commercially reasonable for a company of its size and designed to be in compliance with applicable industry practices/necessary and appropriate to protect the confidentiality, integrity, and security of personal information in its possession, custody, or control against unauthorized access, use, modification, disclosure, or other misuse. (g) To the Knowledge of the Company, in the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policiespast six years, except for such noncompliance as it has not hadexperienced any material loss, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policiesdamage, or the applicable terms of any Company Contracts governing privacyunauthorized access, data protectiondisclosure, data security, trans-border data flow, data loss, data theftuse, or breach notificationof security of any personal information in the Company's possession, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect tocustody, or the collection, handling, use, maintenance, storage, disclosure, transfercontrol, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents otherwise held or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting processed on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contractits behalf.

Privacy and Data Security. The (a) Since January 1, 2021, the Company is and has at its Subsidiaries have complied in all times been in compliance material respects with all applicable Privacy Laws and the applicable terms of any Company Contracts governing relating to privacy, data protection, data security, trans-border data flow, data loss, data theft, collection or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, use of Personal Information of any individuals (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists pharmacists) that interact with the Company and/or any of its Subsidiaries in connection with the operation of the Company’s and its Subsidiaries’ business), except, in each case, for such noncompliance as has not had, . The Company and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has its Subsidiaries have implemented and maintains maintain reasonable written policies and procedures that materially comply with procedures, satisfying the requirements of applicable Privacy Laws and are designed to protect Contracts, concerning the privacy privacy, security, collection and security use of Personal Information (the “Company Privacy Policies”) and (ii) has have materially complied with such Privacy Policiesthe same. As of the date hereof, except for such noncompliance as has not hadsince January 1, and would not reasonably be expected 2021, no claims have been asserted or, to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Company Privacy Policies, or Policies and/or the applicable terms of any Company Contracts governing relating to privacy, data protection, data security, trans-border data flow, data loss, data theft, collection or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or use of Personal Information of any individuals and the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge Company has not received written notice of any of the Company, there same. There have been no data security incidents or incidents, personal data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, related to Personal Information or other data in the possession custody or control of the Company or Company, its Subsidiaries and/or any service provider acting on behalf of the Company such that Privacy Laws require or required the Company to notify Governmental Entities, affected individuals or other parties of such occurrence. (b) The information technology assets and equipment of Company and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of Company and its Subsidiaries as currently conducted, free and clear, to the knowledge of the Company, of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. The Company and its Subsidiaries have implemented and maintain commercially reasonable physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of the Company and its Subsidiaries, any other material confidential information and the integrity and security of the IT Systems used in each caseconnection with their businesses, where such incidentand during the past three years, breach there have been no breaches, violations, outages or event resulted unauthorized uses of or accesses to the same that would reasonably be expected to result in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company ContractMaterial Adverse Effect.

Privacy and Data Security. The Company (a) Except as is and has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to haveto, be individually or in the aggregate, material to the Company Group, taken as a whole, the Company Material Adverse EffectGroup and to the Knowledge of the Company, any Person acting for or on the Company Group’s behalf have at all times since May 13, 2016 complied with (i) all applicable Privacy Laws (to the extent applicable to the Company Group with respect to Persons acting for or on behalf of the Company Group), (ii) all of the Company Group’s written policies and notices regarding Personal Information, and (iii) all of the Company Group’s contractual obligations with respect to the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security (technical, physical and administrative), disposal, destruction, disclosure, or transfer (including cross-border) of Personal Information. The Company Group has not received in the past twelve (12) months prior to the date of this Agreement any written notice of any claims (including notice from third parties acting on its behalf) of, or been charged with, the violation of, any Privacy Laws, applicable privacy policies, or contractual commitments with respect to Personal Information. Since May 13, 2016 none of the Company Group’s privacy policies or notices have contained any material omissions or been misleading or deceptive in a manner that is not in compliance in all material respect with applicable Privacy Laws. (b) The Company Group has (i) implemented and at all times since May 13, 2016 maintained reasonable safeguards to protect Personal Information in its possession or under its control against loss, theft, misuse or unauthorized access, use, modification or disclosure; and (ii) when engaging third-party service providers, outsourcers, processors or other third parties who process, store or otherwise handle Personal Information for or on behalf of the Company Group, made commercially reasonable efforts to ensure that such third parties have (A) agreed to comply with applicable Privacy Laws and (B) have taken reasonable steps to protect and secure the Personal Information from loss, theft, misuse or unauthorized access, use, modification or disclosure in connection with their performance of services for the benefit of the Company Group. Since May 13, 2016, to the Knowledge of the Company, any third party who has provided Personal Information to the Company has done so in compliance in all material respects with applicable Privacy Laws, including providing any notice and obtaining any consent required. (c) To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policiessince May 13, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, 2016 there have been no data breaches, security incidents incidents, misuse of or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, to or collection, use, disclosure, modification or destruction of, disclosure of any Personal Information or other data in the possession or control of the Company Group or any service provider acting collected, used or processed by or on behalf of the Company, in each case, where such incident, breach Company Group and the Company Group has not provided or event resulted in a notification obligation been required to provide any notices to any Person under applicable Law in connection with a disclosure of Personal Information. The Company Group has implemented reasonable disaster recovery and business continuity plans, and taken actions consistent with such plans, to the extent required, to safeguard the data and Personal Information in its possession or control. Since May 13, 2016 the Company Group has undertaken commercially reasonable privacy and data security testing or audits at reasonable and appropriate intervals. In the six (6) months prior to the date of this Agreement, the Company Group has conducted a reasonable external penetration test using a qualified independent consulting firm, which did not identify any uncontained privacy or data security breaches, material issues, vulnerabilities or threats. Neither the Company Group nor any third party acting at the direction or authorization of the Company Group has paid (i) any unlawful perpetrator of any data breach incident or cyber-attack or (ii) any third party with actual or alleged information about a data breach incident or cyber-attack, pursuant to the terms a request for payment from or on behalf of any Company Contractsuch perpetrator or other third party with respect to such data breach incident or cyber-attack.

Privacy and Data Security. (a) The Company use, storage, sharing, disclosure, dissemination, Processing and disposal of any personally identifiable information and Personal Data of the Business (including, as applicable, customers and employees) is and has at all times been in compliance in all material respects with all applicable Privacy Laws and the applicable privacy policies, terms of any Company Contracts governing privacyuse, contractual obligations and applicable Laws. (b) Seller and its Subsidiaries maintain complete, accurate and up to data protectionrecords of their Personal Data Processing activities in relation to the Business in accordance in all material respects with applicable data protection and privacy Laws. (c) Seller and each Subsidiary has, data securityin relation to the Business, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect issued privacy notices to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information and (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (iwhen necessary) has implemented and maintains reasonable written policies and procedures that materially obtained consents from, all relevant Data Subjects which comply in all material respects with applicable Privacy Laws data protection and are designed to protect the privacy and security of Personal Information Laws. (the “Privacy Policies”d) and (ii) has complied with such Privacy PoliciesSince July 3, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company2018, there have been no data security incidents breaches relating to, or data breaches violations of any security policy regarding, or other adverse events or incidents that have resulted in any unauthorized access of, any Personal Data used by or on behalf of Seller or its Subsidiaries in connection with the Business, other than those that were resolved without material cost, material liability or the duty to notify any Person. Further, Seller and its Subsidiaries have: (i) implemented appropriate technical and organizational measures designed to protect against the unauthorized or unlawful Processing of, and accidental loss of or damage to, Personal Data relating to the Business which is Processed by or on behalf of Seller and its Subsidiaries; (ii) put in place appropriate agreements, as required by applicable data protection and privacy Laws, with all third parties Processing Personal Data on their behalf relating to the Business; and (iii) undertaken reasonably appropriate privacy and information security due diligence on all such third parties in accordance with, applicable data protection and privacy Laws. (e) Seller and its Subsidiaries are, and have since July 3, 2018 been, in compliance with the Payment Card Industry Data Security Standard requirements in all material respects. (f) There is no, and there has been no, written complaint to, or collectionany audit, useproceeding, disclosureclaim or, modification to the knowledge of Seller, investigation (formal or destruction ofinformal) against, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the CompanySelling Entity, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant case with respect to the terms Business by: (i) any private party; or (ii) the Federal Trade Commission, any state attorney general or similar state official, or any other governmental authority, foreign or domestic, in each case with respect to the security, confidentiality, availability or integrity of information technology assets, Personal Data, or other data, information or Intellectual Property, except for any Company Contractof the foregoing that arose prior to the date of this Agreement and have been fully resolved.

Privacy and Data Security. (a) The Company is complies, and has at all times been in compliance the past three (3) years has complied, in all material respects with all applicable of the following: (A) Privacy Laws Laws; (B) the Company Privacy and Data Security Policies; and (C) all obligations or restrictions concerning the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security Processing of Personal Information under any Contract to which the Company is a party or otherwise bound as of the date hereof. (b) The execution, delivery, and performance of this Agreement and the “consummation of the transactions contemplated hereby, do not and will not: (A) conflict with or result in a violation or breach of any Privacy Policies”Laws or Company Privacy and Data Security Policies (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company); or (B) require the consent of or notice to any Person concerning such Person’s Personal Information. (c) The Company has delivered or made available to Buyer true, complete, and (ii) correct copies of all Company Privacy and Data Security Policies that are currently in effect, and the Company has complied in all material respects with such Company Privacy and Data Security Policies. (d) In the past three (3) years, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company(A) to, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company has been subject to any data or security breach or unauthorized access, disclosure, use, loss, denial or loss of use, alteration, destruction, compromise, or Processing (a “Security Incident”), and (B) the Company has not notified and, to Sellers’ Knowledge, there have been no facts or circumstances that would require the Company to notify, any service provider acting Governmental Authority or other Person of any Security Incident. (e) In the past three (3) years, the Company has not received any notice, request, claim, complaint, correspondence, or other communication in writing from any Governmental Authority or other Person, and there has not been any audit, investigation, enforcement action (including any fines or other sanctions), or other Action relating to, any actual, alleged, or suspected Security Incident or violation of any Privacy Law involving Personal Information in the possession or control of the Company, or held or Processed by any vendor, processor, or other third party for or on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contract.

Privacy and Data Security. (a) The Company is in material compliance with and has at all times been in compliance materially complied with all applicable Privacy Laws and the applicable terms Company’s internal privacy policies. (b) With respect to all Personal Information and user data gathered or accessed in the course of any the operation of the Business, the Company Contracts governing privacy, has at all times taken all reasonable measures to ensure that such data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handlingis protected against loss and unauthorized access, use, maintenancemodification, storagedisclosure or other misuse, disclosureincluding by implementing, transfermaintaining and executing, as necessary, a security plan that is designed to (i) identify, mitigate and resolve internal and external risks to the security of any proprietary or confidential information in its possession, including Personal Information, (ii) implement and monitor adequate and effective administrative, technical and physical safeguards to control those risks and (iii) maintain notification procedures in compliance with applicable Laws in the case of any breach of security compromising unencrypted data containing Personal Information. Except as set forth on Section 2.21(b) of the Disclosure Schedule, no Person has gained unauthorized access to or engaged in unauthorized Processing of Personal Information in the custody or control of the Company or any databases, computers, servers, storage media (e.g., backup tapes), network devices, or other processing ofdevices or systems of the Company or the Business that Processes Personal Information. (c) The Company has in place reasonable security measures, controls, technologies, polices and safeguards designed to protect Personal Information. The Company has all necessary authority, consents and authorizations to Process the Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers in its possession or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company under their control in connection with the operation of the Company’s its business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of any of the CompanySellers, none of the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregatepossession, a Company Material Adverse Effect. To the Knowledge custody or control of the Company, no Legal Proceeding or otherwise used or disclosed by the Company, has been asserted provided to the Company by a third party in violation of applicable Law, including Privacy Laws or in a manner inconsistent with such third party’s own privacy policies. The Company has taken all commercially reasonable steps necessary to confirm that each third party that provides it with Personal Information has and will provide such Personal Information in accordance with applicable Laws (including Privacy Laws), contracts or other terms to which the Company bound and that those third parties have all necessary authority, consents and other rights to provide such Personal Information to the Company. Without limiting the generality of the foregoing, the Company has conducted diligence on all third parties that provide Personal Information to the Company regarding such third parties’ data collection methods and data sharing practices as necessary to ensure such collection and sharing complies with all applicable Laws (including Privacy Laws), contracts or other terms to which the Company is bound. (d) There is no, and never has been, any Action pending or, to the any of the Seller’s Knowledge, threatened against the Company by any Person with respect to the Company’s privacy or data protection practices, including alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing Person’s data privacy, data protectionprotection or data security rights, data securitynor has there been any court order affecting the Company’s use, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies disclosure or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Processing of any Personal Information. To the Knowledge of any of the CompanySellers, there have been are no data security incidents facts or circumstances that constitute a reasonable basis for such proceeding relating to privacy or data breaches or other adverse events or incidents that have resulted in protection. The Company has not received any unauthorized access tocommunications from, or collectionto the Knowledge of any of the Sellers, usehas been the subject of any investigation by, the Federal Trade Commission, a data protection authority or any other Governmental Entity regarding its Processing of any Personal Information. (e) The conduct and operation of the Business currently materially complies, and at all times has materially complied, with all applicable laws relating to the transmission of unsolicited commercial emails, phone calls, faxes and mail and marketing campaigns. No solicitation, statement, disclosure, modification or destruction ofmarketing, Personal Information promotional or other data advertising material included in any email marketing campaigns or mail marketing campaigns initiated by the possession Company have been materially inaccurate, misleading, or control deceptive, or in violation of any Privacy Law. The execution, delivery, performance and consummation of the Company or any service provider acting on behalf Transactions (including the Processing of Personally Identifiable Information in connection therewith complies with all Privacy Laws and the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under ’s applicable Law or pursuant to the terms of any Company Contractprivacy notices and policies.

Privacy and Data Security. The Company is and has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance a) Except as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or and the Company Subsidiaries and their respective independent contractors and service providers are and have been in compliance with all applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or Laws (including the Fair Credit Reporting Act and other tracking technology, with respect to, or Laws relating to the collection, handling, use, maintenanceprocessing, and disclosure of credit reports and similar data files, and Laws relating to email, text messaging, telemarketing, and other communications to and from consumers), all applicable contractual obligations, the Company’s and the Company Subsidiaries’ policies, notices, and public statements, and the Payment Card Industry Data Security Standard (collectively “Privacy Obligations”), in each case in connection with the collection, storage, disclosure, protection, transfer (including cross-border data transfer) and use of any personally identifiable information regarding any individuals, including any customers, prospective customers, employees and other third parties (collectively, “Personal Information”), (ii) the Company and the Company Subsidiaries have, and at all times have maintained, physical, technical, organizational and administrative security measures and policies reasonably designed to protect all Personal Information collected, processed, or other processing ofmaintained by or for any of them from and against loss, Personal Informationtheft and unauthorized access, use and disclosure and (iii) the Company and the Company Subsidiaries are and have been in compliance with all applicable Laws relating to data loss, theft and breach of security notification obligations. To the Knowledge of the Company, there have has been no data security incidents actual or data breaches alleged loss or other adverse events theft or incidents that have resulted unauthorized collection, storage, acquisition, transfer, disclosure or use by any Person of Personal Information collected, processed or used by the Company and the Company Subsidiaries or on their behalf. The execution and delivery of this Agreement by the Company, the performance by the Company of its covenants and obligations hereunder and the consummation of the transactions contemplated hereby do not and will not violate or conflict with any Privacy Obligation in any unauthorized access tomaterial respect. Neither the Company nor any of the Company Subsidiaries has received any claim or notice (whether written or oral) (i) from any Governmental Entity of any actual, alleged, possible or potential violation of, or collectionfailure to comply with, useany Privacy Obligation, disclosure, modification or destruction of, Personal Information or other data in the possession or control of (ii) that the Company or any service provider acting on behalf of the Company, Company Subsidiaries are or were not in each case, where such incident, breach or event resulted compliance with any Privacy Obligation. (b) The representations and warranties in a notification obligation to any Person under applicable Law or pursuant to this Section 4.20 and Section 4.21 are the terms sole and exclusive representations and warranties of any the Company Contractand the Company Subsidiaries concerning Privacy and Data Security and IT Systems matters of the Company and the Company Subsidiaries.