Common use of Privacy and Data Security Clause in Contracts

Privacy and Data Security. (a) Section 5.25(a) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all of the types of Personal Data or highly sensitive information that MTI and its Subsidiaries collects or transmits through: (1) its products or service offerings, and (2) any website or other platforms it maintains, operates or uses in the conduct of its business. (b) Each of MTI and its Subsidiaries is, and at all times has been, in compliance with all: (1) Privacy Laws; (2) PCI Requirements; (3) applicable payment card brand, card association, payment processor and bank rules and requirements; (4) Privacy Agreements; and (5) federal, state, local and foreign Laws, rules and regulations pertaining to sales and marketing practices, including, without limitation, the CAN-SPAM Act, the Telephone Consumer Protection Act, and the Telemarketing Sales Rule. (1) Each of MTI and its Subsidiaries has implemented Privacy and Data Security Policies that are no less rigorous than industry best practices. (2) Each of MTI and its Subsidiaries is in compliance with, and has always complied with, any statutory and fiduciary obligations to safeguard the privacy of Personal Data that it collects, uses, transmits or processes through its products or service offerings, including its websites or platforms that it maintains, operates or uses in the ordinary conduct of its business. (3) Each of MTI and its Subsidiaries satisfies any statutory and fiduciary obligations they have to provide notice to website visitors or obtain consent for their or a third party’s use of monitoring features such as cookies or tags. (4) MTI and its Subsidiaries have made available a true, correct, and complete copy of each Privacy and Data Security Policy in effect at any time since the respective inceptions of MTI and its Subsidiaries. (5) At all times, each of MTI and its Subsidiaries has been and is in compliance with all of its Privacy and Data Security Policies. 
(6) Neither the execution, delivery, or performance of this Agreement, nor the consummation of any of the transactions contemplated under this Agreement will violate any of the Privacy Agreements, Privacy and Data Security Policies or any applicable Privacy Laws. Each of MTI and its Subsidiaries has delivered to EVI accurate and complete copies of all of the Privacy Agreements. (d) Each of MTI and its Affiliates/Subsidiaries has not, and currently does not, market its products and services to any Persons under the age of 13, and neither MTI nor any of its Subsidiaries knowingly collects Personal Data from any Persons under the age of 13. (e) There is no pending, nor has there ever been any, complaint, audit, proceeding, investigation, or claim against any of MTI or its Subsidiaries initiated by any Person or entity, any Governmental Entity, foreign or domestic or any regulatory or self-regulatory entity alleging that any Data Activity of MTI or any of its Subsidiaries: (1) violates any applicable Privacy Laws; (2) violates any Privacy Agreements; (3) violates any Privacy and Data Security Policies; or (4) constitutes an unfair, deceptive, or misleading trade practice. (f) At all times, MTI and its Subsidiaries have taken all reasonable steps (including, without limitation, implementing, maintaining, and monitoring compliance with government-issued or industry standard measures with respect to administrative, technical and physical security) to ensure that all Personal Data in its possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. 
To the Knowledge of MTI, there has been no unauthorized access, use, or disclosure of Personal Data in the possession or control of MTI or any of its Subsidiaries and any of its contractors with regard to any Personal Data obtained from or on behalf of MTI or any of its Subsidiaries, nor has there been any unauthorized intrusions or breaches of security into any systems of MTI or any of its Subsidiaries. (g) Each of MTI and its Subsidiaries contractually requires all third-parties, including vendors, Affiliates, and other Persons providing services to it that have access to or receive Personal Data from or on behalf of it to comply with all applicable Privacy Laws, and to take all reasonable steps to ensure that all Personal Data in such third parties’ possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. (h) Section 5.25(h) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all Data Centers and the geographic location of each such Data Center. Neither MTI nor any of its Subsidiaries has, nor currently does, use any third-party Data Centers or hosting-providers to store or process any Personal Data. (i) Neither MTI nor any of its Subsidiaries has offered any services that store, transmit or process Personal Data in, and no Data Center owned by it has stored, transmitted or processed Personal Data in, a geographical location that is outside of the continental United States. Neither MTI nor any of its Affiliates or Subsidiaries has previously stored, transmitted, processed or made available any Personal Data to a party in any jurisdiction located outside of the continental United States. (1) Each of MTI and its Subsidiaries has established administrative safeguards that set forth the specific individuals who can access its internal network and systems, including its software and hardware. 
(2) Each of MTI and its Subsidiaries has implemented a password protection process for its internal network and systems that utilizes strong, complex passwords that are routinely changed and are combined with one or more verification methods to create a multi-factor authentication system. (3) Each of MTI and its Subsidiaries has utilized data encryption methods that are no less rigorous than industry best practices to secure its network and systems from unauthorized access, including encryption of Personal Data and any other nonpublic information stored on mobile media or transmitted over any public networks or wireless networks. (1) Each of MTI and its Subsidiaries has adopted in the ordinary conduct of its business, policies, procedures and risk management processes to ensure the physical security of its facilities and computing environments, and that are no less rigorous than industry best practices and applicable Privacy Laws. (2) Each of MTI and its Subsidiaries has secured and maintained control of all physical access points, maintained effective identification procedures, ensured visibility in all high-risk areas, and has adopted policies that ensure the adequate treatment of sensitive information in public space, including, without limitation, restrictions relating to the use of monitors in open areas, keeping laptops and other retrievable items out of accessible spaces, printing in secure areas, effective mail center screening and distribution procedures, and secure trash and electronic equipment disposal methods. (l) Each of MTI and its Subsidiaries has adopted policies to identify Personal Data, or any other nonpublic information that are subject to a system backup, and to specify the frequency of such backups. 
Each of MTI and its Subsidiaries has backed up its sensitive information using secure data backup storage systems and has limited access to the backed-up information to only such authorized Persons or employees who are identified in its respective policies as having the authority to access such backed-up information. (m) The products or service offerings of each of MTI and its Subsidiaries contain mechanisms such as firewall, antivirus protection, web filtering or other functions that are no less rigorous than industry best practices to lower the risk of infection from viruses or malicious routines and codes that can destroy, modify or diminish, or cause a similar effect on, its respective products or services, including its programs, equipment and devices, any part of its internal networks or systems, Personal Data or any other nonpublic information. The products or service offerings contain no disabling code, “time bombs,” time-out or deactivation functions that may terminate operations, diminish the product or services, or result in them performing in an impaired manner. The products or service offerings are free of any “viruses” including, but not limited to, “trojan horses” or “worms” that may destroy or corrupt data, and the products or service offerings do not contain any unknown code, scripts or tags, or “back doors” that could enable unauthorized access. (n) Section 5.25(n) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all audits or checks that each of MTI and its Subsidiaries, or any third party on behalf of any of them, has performed in the prior five (5) years, any individuals or parties who conducted the audits, and results of any such audits. 
Each of MTI and its Subsidiaries, in the ordinary conduct of its business, has performed regular audits of its information security controls, system and procedures that are no less rigorous than industry best practices to assess its compliance with its Privacy and Data Security Policies, and has provided Buyer with complete and accurate records of the audit results.

Appears in 2 contracts

Sources: Merger Agreement (Ei. Ventures, Inc.), Merger Agreement (Mycotopia Therapies, Inc.)

Privacy and Data Security. (a) The Target Company is, and at all times has been, in material compliance with (A) all federal, state, local and foreign Laws pertaining to (i) data security, cyber security, and e-commerce; (ii) the collection, storage, use, access, disclosure, processing, security, and transfer of Personal Data (referred to collectively in this Agreement as “Data Activities”) ((i) and (ii) together, and together with the Data Protection Laws, “Privacy Laws”); and (B) all Contracts (or portions thereof) to which the Target Company is a party that are applicable to Data Activities (collectively, “Privacy Agreements”). The Target Company is, and at all times has been, in compliance with the PCI Security Standards Council’s Payment Card Industry Data Security Standard and all other applicable rules and requirements by the PCI Security Standards Council, by any member thereof, or by any entity that functions as a card brand, card association, payment processor, acquiring bank, merchant bank or issuing bank, including, without limitation, the Payment Application Data Security Standards and all audit and filing requirements (collectively, “PCI Requirements”).
(b) The Target Company has implemented written policies relating to Data Activities, including, without limitation, a publicly posted website privacy policy, mobile app privacy policy, and a comprehensive information security program that includes appropriate written information security policies (“Privacy and Data Security Policies”). At all times, the Target Company has been and is in compliance with all such Privacy and Data Security Policies. Neither the execution, delivery, or performance of this Agreement, nor the consummation of any of the transactions contemplated under this Agreement will violate any of the Privacy Agreements, Privacy and Data Security Policies or any applicable Privacy Laws. (c) The Target Company has collected, used, and disclosed all Personal Data in accordance with applicable Privacy Laws, Privacy and Data Security Policies in effect at the time of the collection of such Personal Data, and Privacy Agreements. Neither applicable Privacy Laws, Privacy and Data Security Policies, nor Privacy Agreements restrict the transfer of any Personal Data to the Acquirer. Assuming Acquirer is not otherwise prohibited by Law or contractually obligated otherwise, Acquirer may use such Personal Data in at least the same manner as the Target Company. (d) To the Knowledge of the Owners, there is no pending, nor has there ever been any, complaint, audit, proceeding, investigation, or claim against the Target Company initiated by (a) any Person or entity; (b) the United States Federal Trade Commission, any state attorney general or similar state official; (c) any other governmental entity, foreign or domestic; or any regulatory or self-regulatory entity alleging that any Data Activity of the Target Company: (i) is in violation of any applicable Privacy Laws, (ii) is in violation of any Privacy Agreements, (iii) is in violation of any Privacy and Data Security Policies, or (iv) otherwise constitutes an unfair, deceptive, or misleading trade practice.
(e) At all times, the Target Company has taken all commercially reasonable steps (including, without limitation, implementing, maintaining, and monitoring compliance with government-issued or industry standard measures with respect to administrative, technical and physical security) to ensure that all Personal Data and Confidential Information in its possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. There has been no unauthorized access, use, or disclosure of Personal Data or Confidential Information in the possession or control of the Target Company or, to the Knowledge of the Owners, any entity that processes Personal Data obtained from or on behalf of the Target Company, nor has there been any unauthorized intrusions or breaches of security into any of the Target Company’s systems. (f) The Target Company contractually requires all third parties, including, without limitation, vendors, Affiliates, and other Persons providing services to the Target Company that have access to or receive Personal Data from or on behalf of the Target Company to comply with all applicable Privacy Laws, and to take all reasonable steps to ensure that all Personal Data in such third parties’ possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. (g) The Target Company has provided notifications to, and has obtained consent from, Persons regarding their Data Activities where such notice or consent is required by Privacy Laws. The Target Company’s collection of Personal Data or other information from third parties is in accordance with any requirements from such third parties, including written website terms and conditions. The Target Company has not (i) received written communication from any website owner or operator that the Target Company’s access to such website is unauthorized; (ii) entered into a written agreement with any website owner or operator prohibiting scraping activity; (iii) accessed any website’s information through illicitly circumventing a password requirement or similar technological barrier; or (iv) scraped any data from a website that has a clickwrap agreement prohibiting such activity. (h) The Target Company is, and at all times has been in compliance with all Laws pertaining to sales, marketing, and electronic and telephonic communications, including, without limitation, the CAN-SPAM Act, the Telephone Consumer Protection Act, and the Telemarketing Sales Rule, except for such non-compliance that would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effect.

Appears in 2 contracts

Sources: Merger Agreement (Isoray, Inc.), Merger Agreement (Isoray, Inc.)

Privacy and Data Security. The Company and its Subsidiaries have a privacy policy regarding the collection and use of personally identifiable information (the “Company Privacy Policy”). Except as would not reasonably be expected to have a Company Material Adverse Effect, the Company and each of its Subsidiaries is in compliance with the Company Privacy Policy and all Applicable Laws regarding the collection, use and protection of any personally identifiable or non‑public financial Information (collectively, “Personal Information”). The Company and its Subsidiaries have customary security measures in place to protect Personal Information stored in their computer systems from unlawful use by any third party or any other use by a third party that would violate the Company Privacy Policy (the “Security Programs”). Except as would not reasonably be expected to have a Company Material Adverse Effect, the Company and its Subsidiaries are fully compliant with all applicable requirements of EU General Data Protection Regulation EU/2016/679 and any Laws implementing or supplementing such regulation (collectively, “GDPR”), including that: (i) all processor agreements affecting Personal Information will be in compliance with Article 28 of the GDPR; (ii) all IT systems and Security Programs will meet the requirements of Chapter IV, Section 2 of the GDPR; (iii) the Company and its Subsidiaries will be able to fully respond to and fulfil the data subject rights under Chapter III of the GDPR; (iv) the Company and its Subsidiaries will have implemented data protection by design and by default for all of their products in accordance with Article 25 of the GDPR; (v) the Company Privacy Policy will be in compliance with Chapter III, Section 2 of the GDPR; and (vi) all new and prior consents from data subjects will be in compliance with Article 7 of the GDPR. The execution, delivery and performance of this Agreement and the consummation of the Merger do not violate any Company Privacy Policy as it currently exists or as it existed at any time during which any Personal Information was collected or obtained by the Company or any of its Subsidiaries and, upon the Closing, the Surviving Corporation will own and continue to have the right to use all such Personal Information on identical terms and conditions as the Company and its Subsidiaries enjoyed immediately prior to the Closing. No Claims are pending or, to the Knowledge of the Company, threatened against the Company or any of its Subsidiaries relating to the collection or use of Personal Information.

Appears in 1 contract

Sources: Merger Agreement (Virtu Financial, Inc.)

Privacy and Data Security. (a) Section 5.25(aEach Acquired Company is, and at all times has been, in material compliance with (A) of all applicable federal, state, local and foreign Laws pertaining to (i) data security, cyber security, and e-commerce; (ii) the MTI Disclosure Schedule sets forth as of the date hereof a true collection, storage, use, access, disclosure, processing, security, and complete list of all of the types transfer of Personal Data (referred to collectively in this Agreement as “Data Activities”) ((i) and (ii) together, “Privacy Laws”); and (B) all Contracts (or highly sensitive information portions thereof) to which such Acquired Company is a party that MTI and its Subsidiaries collects or transmits through: are applicable to Data Activities (1) its products or service offeringscollectively, and (2) any website or other platforms it maintains, operates or uses in the conduct of its business. (b) “Privacy Agreements”). Each of MTI and its Subsidiaries Acquired Company is, and at all times has been, in compliance with all: (1) Privacy Laws; (2) the PCI Requirements; (3) Security Standards Council’s Payment Card Industry Data Security Standard and all other applicable payment rules and requirements by the PCI Security Standards Council, by any member thereof, or by any entity that functions as a card brand, card association, payment processor and processor, acquiring bank, merchant bank rules and requirements; (4) Privacy Agreements; and (5) federal, state, local and foreign Laws, rules and regulations pertaining to sales and marketing practicesor issuing bank, including, without limitation, the CAN-SPAM Act, the Telephone Consumer Protection Act, Payment Application Data Security Standards and the Telemarketing Sales Ruleall audit and filing requirements. 
(1b) Each of MTI and its Subsidiaries has The Acquired Companies have implemented written policies relating to Data Activities (“Privacy and Data Security Policies that are no less rigorous than industry best practices. (2) Each of MTI and its Subsidiaries is in compliance with, and has always complied with, any statutory and fiduciary obligations to safeguard the privacy of Personal Data that it collects, uses, transmits or processes through its products or service offerings, including its websites or platforms that it maintains, operates or uses in the ordinary conduct of its business. (3) Each of MTI and its Subsidiaries satisfies any statutory and fiduciary obligations they have to provide notice to website visitors or obtain consent for their or a third party’s use of monitoring features such as cookies or tags. (4) MTI and its Subsidiaries have made available a true, correct, and complete copy of each Privacy and Data Security Policy in effect at any time since the respective inceptions of MTI and its Subsidiaries. (5) Policies”). At all times, each of MTI and its Subsidiaries Acquired Company has been and is in compliance in all material respects with all of its such Privacy and Data Security Policies. (6) . Neither the execution, delivery, or performance of this Agreement, nor the consummation of any of the transactions contemplated under this Agreement will violate any of the Privacy Agreements, Privacy and Data Security Policies or any Policies. (c) Each Acquired Company has collected, used, and disclosed all Personal Data in accordance with applicable Privacy Laws. Each of MTI , Privacy and its Subsidiaries has delivered to EVI accurate and complete copies of all Data Security Policies in effect at the time of the collection of such Personal Data, and Privacy Agreements. Neither applicable Privacy Laws, Privacy and Data Security Policies, nor Privacy Agreements restrict the transfer of any Personal Data to the Purchaser following the Closing. 
Assuming Purchaser is not otherwise prohibited by Law or contractually obligated otherwise, Purchaser may use such Personal Data in at least the same manner as the Acquired Company. (d) Each of MTI and its Affiliates/Subsidiaries has not, and currently does not, market its products and services to any Persons under the age of 13, and neither MTI nor any of its Subsidiaries knowingly collects Personal Data from any Persons under the age of 13. (e) There is no pending, and to the Knowledge of the Sellers, nor has there ever been any, complaint, audit, proceeding, investigation, or claim against any of MTI or its Subsidiaries Acquired Company initiated by (a) any Person or entity; (b) the United States Federal Trade Commission, any Governmental Entitystate attorney general or similar state official; (c) any other governmental entity, foreign or domestic domestic; or any regulatory or self-regulatory entity alleging that any Data Activity of MTI or any the Acquired Companies: (i) is in violation of its Subsidiaries: (1) violates any applicable Privacy Laws; , (2ii) violates is in violation of any Privacy Agreements; , (3iii) violates is in violation of any Privacy and Data Security Policies; or , or (4iv) otherwise constitutes an unfair, deceptive, or misleading trade practice. (fe) At all times, MTI and its Subsidiaries have each Acquired Company has taken all commercially reasonable steps (including, without limitation, implementing, maintaining, and monitoring compliance with government-issued or industry standard measures with respect to administrative, technical and physical security) to ensure that all Personal Data and Confidential Information in its possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. 
To the Knowledge of MTI, there There has been no unauthorized access, use, or disclosure of Personal Data or Confidential Information in the possession or control of MTI or the Acquired Companies or, to the Knowledge of the Sellers, any of its Subsidiaries and any of its contractors with regard to any entity that processes Personal Data obtained from or on behalf of MTI or any Acquired Company, nor, to the Knowledge of its Subsidiariesthe Sellers, nor has there been any unauthorized intrusions or breaches of security into any systems Acquired Company’s systems. (f) The Acquired Companies have provided notifications to, and have obtained consent from, Persons regarding their Data Activities where such notice or consent is required by applicable Privacy Laws. The Acquired Companies’ collection of MTI Personal Data from third parties is in accordance with any requirements from such third parties, including written website terms and conditions. No Acquired Company has (i) received written communication from any website owner or operator that the Acquired Company’s access to such website is unauthorized; (ii) entered into a written agreement with any of its Subsidiarieswebsite owner or operator prohibiting scraping activity; (iii) accessed any website’s information through illicitly circumventing a password requirement or similar technological barrier; or (iv) scraped any data from a website that has a clickwrap agreement prohibiting such activity. 
(g) Each of MTI and its Subsidiaries contractually requires all third-parties, including vendors, AffiliatesThe Acquired Companies are, and other Persons providing services to it that at all times have access to or receive Personal Data from or on behalf of it to comply been in compliance in all material respects with all applicable Privacy LawsLaws pertaining to sales, marketing, and to take all reasonable steps to ensure that all Personal Data in such third parties’ possession or control is protected against damage, loss, electronic and against unauthorized access, acquisition, use, modification, disclosure or other misuse. (h) Section 5.25(h) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all Data Centers and the geographic location of each such Data Center. Neither MTI nor any of its Subsidiaries has, nor currently does, use any third-party Data Centers or hosting-providers to store or process any Personal Data. (i) Neither MTI nor any of its Subsidiaries has offered any services that store, transmit or process Personal Data in, and no Data Center owned by it has stored, transmitted or processed Personal Data in, a geographical location that is outside of the continental United States. Neither MTI nor any of its Affiliates or Subsidiaries has previously stored, transmitted, processed or made available any Personal Data to a party in any jurisdiction located outside of the continental United States. (1) Each of MTI and its Subsidiaries has established administrative safeguards that set forth the specific individuals who can access its internal network and systems, including its software and hardware. (2) Each of MTI and its Subsidiaries has implemented a password protection process for its internal network and systems that utilizes strong, complex passwords that are routinely changed and are combined with one or more verification methods to create a multi-factor authentication system. 
(3) Each of MTI and its Subsidiaries has utilized data encryption methods that are no less rigorous than industry best practices to secure its network and systems from unauthorized access, including encryption of Personal Data and any other nonpublic information stored on mobile media or transmitted over any public networks or wireless networks. (1) Each of MTI and its Subsidiaries has adopted in the ordinary conduct of its business, policies, procedures and risk management processes to ensure the physical security of its facilities and computing environments, and that are no less rigorous than industry best practices and applicable Privacy Laws. (2) Each of MTI and its Subsidiaries has secured and maintained control of all physical access points, maintained effective identification procedures, ensured visibility in all high-risk areas, and has adopted policies that ensure the adequate treatment of sensitive information in public spacetelephonic communications, including, without limitation, restrictions relating to the use of monitors in open areasCAN-SPAM Act, keeping laptops and other retrievable items out of accessible spaces, printing in secure areas, effective mail center screening and distribution procedures, and secure trash and electronic equipment disposal methods. (l) Each of MTI and its Subsidiaries has adopted policies to identify Personal Data, or any other nonpublic information that are subject to a system backup, and to specify the frequency of such backups. Each of MTI and its Subsidiaries has backed up its sensitive information using secure data backup storage systems and has limited access to the backed-up information to only such authorized Persons or employees who are identified in its respective policies as having the authority to access such backed-up information. 
(m) The products or service offerings of each of MTI and its Subsidiaries contain mechanisms such as firewall, antivirus protection, web filtering or other functions that are no less rigorous than industry best practices to lower the risk of infection from viruses or malicious routines and codes that can destroy, modify or diminish, or cause a similar effect on, its respective products or services, including its programs, equipment and devices, any part of its internal networks or systems, Personal Data or any other nonpublic information. The products or service offerings contain no disabling code, “time bombs,” time-out or deactivation functions that may terminate operations, diminish the product or services, or result in them performing in an impaired manner. The products or service offerings are free of any “viruses” including, but not limited to, “trojan horses” or “worms” that may destroy or corrupt dataTelephone Consumer Protection Act, and the products or service offerings do not contain any unknown code, scripts or tags, or “back doors” that could enable unauthorized accessTelemarketing Sales Rule. (n) Section 5.25(n) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all audits or checks that each of MTI and its Subsidiaries, or any third party on behalf of any of them, has performed in the prior five (5) years, any individuals or parties who conducted the audits, and results of any such audits. Each of MTI and its Subsidiaries, in the ordinary conduct of its business, has performed regular audits of its information security controls, system and procedures that are no less rigorous than industry best practices to assess its compliance with its Privacy and Data Security Policies, and has provided Buyer with complete and accurate records of the audit results.

Appears in 1 contract

Sources: Membership Interest Purchase Agreement (RumbleOn, Inc.)

Privacy and Data Security. (a) Section 4.26(a) of the EVI Disclosure Schedule sets forth as of the date hereof a true and complete list of all of the types of Personal Data or highly-sensitive information that EVI and any of its Subsidiaries collects or transmits through: (1) its products or service offerings, and (2) any website or other platforms it maintains, operates or uses in the conduct of its business. (b) Each of EVI and its Subsidiaries is, and at all times has been, in compliance in all material respects with all: (1) Privacy Laws; (2) PCI Requirements; (3) applicable payment card brand, card association, payment processor and bank rules and requirements; (4) Privacy Agreements; and (5) federal, state, local and foreign Laws pertaining to sales and marketing practices, including, without limitation, the CAN-SPAM Act, the Telephone Consumer Protection Act, and the Telemarketing Sales Rule. (1) Each of EVI and its Subsidiaries has implemented Privacy and Data Security Policies that are no less rigorous than industry best practices for similarly situated companies. (2) Each of EVI and its Subsidiaries is in compliance with, and has always complied with, any statutory and fiduciary obligations to safeguard the privacy of Personal Data that it collects, uses, transmits or processes through its products or service offerings, including its websites or platforms that it maintains, operates or uses in the ordinary conduct of its business. (3) Each of EVI and its Subsidiaries satisfies any statutory and fiduciary obligations they have to provide notice to website visitors or obtain consent for their or a third party’s use of monitoring features such as cookies or tags. (4) EVI and its Subsidiaries have made available a true, correct, and complete copy of each Privacy and Data Security Policy in effect at any time since July 1, 2020. 
(5) At all times since July 1, 2020, each of EVI and its Subsidiaries has been and is in compliance with all of its Privacy and Data Security Policies. (6) Neither the execution, delivery or performance of this Agreement, nor the consummation of any of the transactions contemplated under this Agreement will violate any of the Privacy Agreements, Privacy and Data Security Policies or any applicable Privacy Laws. Each of EVI and its Subsidiaries has delivered to MTI accurate and complete copies of all of their material Privacy Agreements. (d) Each of EVI and its Affiliates/Subsidiaries has not, and currently does not, market its products and services to any Persons under the age of 13, and neither EVI nor any of its Subsidiaries knowingly collect Personal Data from any Persons under the age of 13. (e) There is no pending, nor to EVI’s Knowledge, has there ever been any, complaint, audit, proceeding, investigation, or claim against EVI or any of its Subsidiaries initiated by any Person or entity, any Governmental Entity, foreign or domestic or any regulatory or self-regulatory entity alleging that any Data Activity of EVI or any of its Subsidiaries: (1) violates any applicable Privacy Laws, (2) violates any Privacy Agreements, (3) violates any Privacy and Data Security Policies, or (4) constitutes an unfair, deceptive, or misleading trade practice. (f) At all times, EVI and its Subsidiaries have taken all reasonable steps (including, without limitation, implementing, maintaining, and monitoring compliance with government-issued or industry standard measures with respect to administrative, technical and physical security) to ensure that all Personal Data in its possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. 
To the Knowledge of EVI, there has been no (i) unauthorized access, use, or disclosure of Personal Data in the possession or control of EVI or any of its Subsidiaries and any of its contractors with regard to any Personal Data obtained from or on behalf of EVI or any of its Subsidiaries or (ii) unauthorized intrusions or breaches of security into any systems of EVI or any of its Subsidiaries. (g) Each of EVI and its Subsidiaries contractually requires all third parties, including vendors, Affiliates, and other Persons providing services to it that have access to or receive Personal Data from or on behalf of it to comply with all applicable Privacy Laws, and to take all reasonable steps to ensure that all Personal Data in such third parties’ possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. (h) Section 4.26(h) of the EVI Disclosure Schedule sets forth as of the date hereof a true and complete list of all Data Centers and the geographic location of each such Data Center. Neither EVI nor any of its Subsidiaries has, nor currently does, use any third-party Data Centers or hosting-providers to store or process any Personal Data. (i) Neither EVI nor any of its Subsidiaries has offered any services that store, transmit or process Personal Data in, and no Data Center owned by it has stored, transmitted or processed Personal Data in, a geographical location that is outside of the continental United States. Neither EVI nor any of its Affiliates or Subsidiaries has previously stored, transmitted, processed or made available any Personal Data to a party in any jurisdiction located outside of the continental United States. 
(1) Each of EVI and its Subsidiaries has established administrative safeguards that set forth the specific individuals who can access EVI’s internal network and systems, including its software and hardware. (2) Each of EVI and its Subsidiaries has implemented a password protection process for its internal network and systems that utilizes strong, complex passwords that are routinely changed and are combined with one or more verification methods to create a multi-factor authentication system. (3) Each of EVI and its Subsidiaries has utilized data encryption methods that are no less rigorous than industry best practices for similarly situated companies to secure its network and systems from unauthorized access, including encryption of Personal Data and any other nonpublic information stored on mobile media or transmitted over any public networks or wireless networks. (k) Each of EVI and its Subsidiaries has adopted in the ordinary conduct of its business, policies, procedures and risk management processes to ensure the physical security of its facilities and computing environments, and that are no less rigorous than industry best practices for similarly situated companies and applicable Privacy Laws. (2) Each of MTI and its Subsidiaries has secured and maintained control of all physical access points, maintained effective identification procedures, ensured visibility in all high-risk areas, and has adopted policies that ensure the adequate treatment of sensitive information in public space, including, without limitation, restrictions relating to the use of monitors in open areas, keeping laptops and other retrievable items out of accessible spaces, printing in secure areas, effective mail center screening and distribution procedures, and secure trash and electronic equipment disposal methods. 
(l) Each of MTI and its Subsidiaries has adopted policies to identify Personal Data, or any other nonpublic information that are subject to a system backup, and to specify the frequency of such backups. Each of EVI and its Subsidiaries has backed up its sensitive information using secure data backup storage systems and has limited access to the backed-up information to only such authorized Persons or employees who are identified in its respective policies as having the authority to access such backed-up information. (m) The products or service offerings of each of EVI and its Subsidiaries contain mechanisms such as firewall, antivirus protection, web filtering or other functions that are no less rigorous than industry best practices for similarly situated companies to lower the risk of infection from viruses or malicious routines and codes that can destroy, modify or diminish, or cause a similar effect on, its respective products or services, including its programs, equipment and devices, any part of its internal networks or systems, Personal Data or any other nonpublic information. To EVI’s Knowledge, the products or service offerings contain no disabling code, “time bombs,” time-out or deactivation functions that may terminate operations, diminish the product or services, or result in them performing in an impaired manner. To EVI’s Knowledge, the products or service offerings are free of any “viruses” including, but not limited to, “trojan horses” or “worms” that may destroy or corrupt data, and the products or service offerings do not contain any unknown code, scripts or tags, or “back doors” that could enable unauthorized access. 
(n) Section 4.26(n) of the EVI Disclosure Schedule sets forth as of the date hereof a true and complete list of all information technology audits or checks that each of the EVI and its Subsidiaries, or any third party on behalf of any of them, has performed in the prior two years, any individuals or parties who conducted the audits, and results of any such audits. Each of EVI and its Subsidiaries, in the ordinary conduct of its business, has performed regular audits of its information security controls, system and procedures that are no less rigorous than industry best practices for similarly situated companies to assess its compliance with its Privacy and Data Security Policies, and has provided MTI with complete and accurate records of the audit results.

Appears in 1 contract

Sources: Merger Agreement (Mycotopia Therapies, Inc.)

Privacy and Data Security. (a) Section 5.25(a) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all of the types of Personal Data or highly sensitive information that MTI The Company and its Subsidiaries collects or transmits through: have a privacy policy regarding the collection and use of personally identifiable information (1) its products or service offerings, and (2) any website or other platforms it maintains, operates or uses in the conduct of its business. (b) Each of MTI and its Subsidiaries is, and at all times has been, in compliance with all: (1) “Company Privacy Laws; (2) PCI Requirements; (3) applicable payment card brand, card association, payment processor and bank rules and requirements; (4) Privacy Agreements; and (5) federal, state, local and foreign Laws, rules and regulations pertaining Policy”). Except as would not reasonably be expected to sales and marketing practices, including, without limitationhave a Company Material Adverse Effect, the CAN-SPAM Act, the Telephone Consumer Protection Act, Company and the Telemarketing Sales Rule. (1) Each each of MTI and its Subsidiaries has implemented Privacy and Data Security Policies that are no less rigorous than industry best practices. (2) Each of MTI and its Subsidiaries is in compliance withwith the Company Privacy Policy and all Applicable Laws regarding the collection, use and has always complied withprotection of any personally identifiable or non-public financial Information (collectively, any statutory and fiduciary obligations to safeguard the privacy of Personal Data that it collects, uses, transmits or processes through its products or service offerings, including its websites or platforms that it maintains, operates or uses in the ordinary conduct of its business. 
(3) Each of MTI and its Subsidiaries satisfies any statutory and fiduciary obligations they have to provide notice to website visitors or obtain consent for their or a third party’s use of monitoring features such as cookies or tags. (4) MTI Information”). The Company and its Subsidiaries have made available customary security measures in place to protect Personal Information stored in their computer systems from unlawful use by any third party or any other use by a truethird party that would violate the Company Privacy Policy (the “Security Programs”). Except as would not reasonably be expected to have a Company Material Adverse Effect, correctthe Company and its Subsidiaries are fully compliant with all applicable requirements of EU General Data Protection Regulation EU/2016/679 and any Laws implementing or supplementing such regulation (collectively, “GDPR”), including that: (i) all processor agreements affecting Personal Information will be in compliance with Article 28 of the GDPR; (ii) all IT systems and complete copy Security Programs will meet the requirements of each Chapter IV, Section 2 of the GDPR; (iii) the Company and its Subsidiaries will be able to fully respond to and fulfil the data subject rights under Chapter III of the GDPR; (iv) the Company and its Subsidiaries will have implemented data protection by design and by default for all of their products in accordance with Article 25 of the GDPR; (v) the Company Privacy Policy will be in compliance with Chapter III, Section 2 of the GDPR; and Data Security (vi) all new and prior consents from data subjects will be in compliance with Article 7 of the GDPR. The execution, delivery and performance of this Agreement and the consummation of the Merger do not violate any Company Privacy Policy in effect as it currently exists or as it existed at any time since during which any Personal Information was collected or obtained by the respective inceptions of MTI and its Subsidiaries. 
(5) At all times, each of MTI and its Subsidiaries has been and is in compliance with all of its Privacy and Data Security Policies. (6) Neither the execution, delivery, or performance of this Agreement, nor the consummation of any of the transactions contemplated under this Agreement will violate any of the Privacy Agreements, Privacy and Data Security Policies or any applicable Privacy Laws. Each of MTI and its Subsidiaries has delivered to EVI accurate and complete copies of all of the Privacy Agreements. (d) Each of MTI and its Affiliates/Subsidiaries has not, and currently does not, market its products and services to any Persons under the age of 13, and neither MTI nor any of its Subsidiaries knowingly collects Personal Data from any Persons under the age of 13. (e) There is no pending, nor has there ever been any, complaint, audit, proceeding, investigation, or claim against any of MTI or its Subsidiaries initiated by any Person or entity, any Governmental Entity, foreign or domestic or any regulatory or self-regulatory entity alleging that any Data Activity of MTI or any of its Subsidiaries: (1) violates any applicable Privacy Laws; (2) violates any Privacy Agreements; (3) violates any Privacy and Data Security Policies; or (4) constitutes an unfair, deceptive, or misleading trade practice. (f) At all times, MTI and its Subsidiaries have taken all reasonable steps (including, without limitation, implementing, maintaining, and monitoring compliance with government-issued or industry standard measures with respect to administrative, technical and physical security) to ensure that all Personal Data in its possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. 
To the Knowledge of MTI, there has been no unauthorized access, use, or disclosure of Personal Data in the possession or control of MTI Company or any of its Subsidiaries and, upon the Closing, the Surviving Corporation will own and any continue to have the right to use all such Personal Information on identical terms and conditions as the Company and its Subsidiaries enjoyed immediately prior to the Closing. No Claims are pending or, to the Knowledge of its contractors with regard to any Personal Data obtained from or on behalf of MTI the Company, threatened against the Company or any of its Subsidiaries, nor has there been any unauthorized intrusions or breaches of security into any systems of MTI or any of its Subsidiaries. (g) Each of MTI and its Subsidiaries contractually requires all third-parties, including vendors, Affiliates, and other Persons providing services to it that have access to or receive Personal Data from or on behalf of it to comply with all applicable Privacy Laws, and to take all reasonable steps to ensure that all Personal Data in such third parties’ possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. (h) Section 5.25(h) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all Data Centers and the geographic location of each such Data Center. Neither MTI nor any of its Subsidiaries has, nor currently does, use any third-party Data Centers or hosting-providers to store or process any Personal Data. (i) Neither MTI nor any of its Subsidiaries has offered any services that store, transmit or process Personal Data in, and no Data Center owned by it has stored, transmitted or processed Personal Data in, a geographical location that is outside of the continental United States. 
Neither MTI nor any of its Affiliates or Subsidiaries has previously stored, transmitted, processed or made available any Personal Data to a party in any jurisdiction located outside of the continental United States. (1) Each of MTI and its Subsidiaries has established administrative safeguards that set forth the specific individuals who can access its internal network and systems, including its software and hardware. (2) Each of MTI and its Subsidiaries has implemented a password protection process for its internal network and systems that utilizes strong, complex passwords that are routinely changed and are combined with one or more verification methods to create a multi-factor authentication system. (3) Each of MTI and its Subsidiaries has utilized data encryption methods that are no less rigorous than industry best practices to secure its network and systems from unauthorized access, including encryption of Personal Data and any other nonpublic information stored on mobile media or transmitted over any public networks or wireless networks. (1) Each of MTI and its Subsidiaries has adopted in the ordinary conduct of its business, policies, procedures and risk management processes to ensure the physical security of its facilities and computing environments, and that are no less rigorous than industry best practices and applicable Privacy Laws. 
(2) Each of MTI and its Subsidiaries has secured and maintained control of all physical access points, maintained effective identification procedures, ensured visibility in all high-risk areas, and has adopted policies that ensure the adequate treatment of sensitive information in public space, including, without limitation, restrictions relating to the collection or use of monitors in open areas, keeping laptops and other retrievable items out of accessible spaces, printing in secure areas, effective mail center screening and distribution procedures, and secure trash and electronic equipment disposal methodsPersonal Information. (l) Each of MTI and its Subsidiaries has adopted policies to identify Personal Data, or any other nonpublic information that are subject to a system backup, and to specify the frequency of such backups. Each of MTI and its Subsidiaries has backed up its sensitive information using secure data backup storage systems and has limited access to the backed-up information to only such authorized Persons or employees who are identified in its respective policies as having the authority to access such backed-up information. (m) The products or service offerings of each of MTI and its Subsidiaries contain mechanisms such as firewall, antivirus protection, web filtering or other functions that are no less rigorous than industry best practices to lower the risk of infection from viruses or malicious routines and codes that can destroy, modify or diminish, or cause a similar effect on, its respective products or services, including its programs, equipment and devices, any part of its internal networks or systems, Personal Data or any other nonpublic information. The products or service offerings contain no disabling code, “time bombs,” time-out or deactivation functions that may terminate operations, diminish the product or services, or result in them performing in an impaired manner. 
The products or service offerings are free of any “viruses” including, but not limited to, “trojan horses” or “worms” that may destroy or corrupt data, and the products or service offerings do not contain any unknown code, scripts or tags, or “back doors” that could enable unauthorized access. (n) Section 5.25(n) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all audits or checks that each of MTI and its Subsidiaries, or any third party on behalf of any of them, has performed in the prior five (5) years, any individuals or parties who conducted the audits, and results of any such audits. Each of MTI and its Subsidiaries, in the ordinary conduct of its business, has performed regular audits of its information security controls, system and procedures that are no less rigorous than industry best practices to assess its compliance with its Privacy and Data Security Policies, and has provided Buyer with complete and accurate records of the audit results.

Appears in 1 contract

Sources: Merger Agreement (Investment Technology Group, Inc.)

Privacy and Data Security. (a) Section 5.25(aEach Acquired Company is, and at all times has been, in material compliance with (A) of all federal, state, local and foreign Laws pertaining to (i) data security, cyber security, and e-commerce; (ii) the MTI Disclosure Schedule sets forth as of the date hereof a true collection, storage, use, access, disclosure, processing, security, and complete list of all of the types transfer of Personal Data (referred to collectively in this Agreement as “Data Activities”) ((i) and (ii) together, “Privacy Laws”); and (B) all Contracts (or highly sensitive information portions thereof) to which such Acquired Company is a party that MTI and its Subsidiaries collects or transmits through: are applicable to Data Activities (1) its products or service offeringscollectively, and (2) any website or other platforms it maintains, operates or uses in the conduct of its business. (b) “Privacy Agreements”). Each of MTI and its Subsidiaries Acquired Company is, and at all times has been, in compliance with all: (1) Privacy Laws; (2) the PCI Requirements; (3) Security Standards Council’s Payment Card Industry Data Security Standard and all other applicable payment rules and requirements by the PCI Security Standards Council, by any member thereof, or by any entity that functions as a card brand, card association, payment processor and processor, acquiring bank, merchant bank rules and requirements; (4) Privacy Agreements; and (5) federal, state, local and foreign Laws, rules and regulations pertaining to sales and marketing practicesor issuing bank, including, without limitation, the CAN-SPAM ActPayment Application Data Security Standards and all audit and filing requirements (collectively, the Telephone Consumer Protection Act, and the Telemarketing Sales Rule“PCI Requirements”). 
(1b) Each of MTI The Acquired Companies have implemented written policies relating to Data Activities, including, without limitation, a publicly posted website privacy policy, mobile app privacy policy, and its Subsidiaries has implemented a comprehensive information security program that includes appropriate written information security policies (“Privacy and Data Security Policies that are no less rigorous than industry best practices. (2) Each of MTI and its Subsidiaries is in compliance with, and has always complied with, any statutory and fiduciary obligations to safeguard the privacy of Personal Data that it collects, uses, transmits or processes through its products or service offerings, including its websites or platforms that it maintains, operates or uses in the ordinary conduct of its business. (3) Each of MTI and its Subsidiaries satisfies any statutory and fiduciary obligations they have to provide notice to website visitors or obtain consent for their or a third party’s use of monitoring features such as cookies or tags. (4) MTI and its Subsidiaries have made available a true, correct, and complete copy of each Privacy and Data Security Policy in effect at any time since the respective inceptions of MTI and its Subsidiaries. (5) Policies”). At all times, each of MTI and its Subsidiaries Acquired Company has been and is in compliance with all of its such Privacy and Data Security Policies. (6) . Neither the execution, delivery, or performance of this Agreement, nor the consummation of any of the transactions contemplated under this Agreement will violate any of the Privacy Agreements, Privacy and Data Security Policies or any applicable, Privacy Laws. (c) Each Acquired Company has collected, used, and disclosed all Personal Data in accordance with applicable Privacy Laws. 
Each of MTI , Privacy and its Subsidiaries has delivered to EVI accurate and complete copies of all Data Security Policies in effect at the time of the collection of such Personal Data, and Privacy Agreements. Neither applicable Privacy Laws, Privacy and Data Security Policies, nor Privacy Agreements restrict the transfer of any Personal Data to the Purchaser. Assuming Purchaser is not otherwise prohibited by Law or contractually obligated otherwise, Purchaser may use such Personal Data in at least the same manner as the Acquired Company. (d) Each To the Knowledge of MTI and its Affiliates/Subsidiaries has notthe Sellers, and currently does not, market its products and services to any Persons under the age of 13, and neither MTI nor any of its Subsidiaries knowingly collects Personal Data from any Persons under the age of 13. (e) There there is no pending, nor has there ever been any, complaint, audit, proceeding, investigation, or claim against any of MTI or its Subsidiaries Acquired Company initiated by (a) any Person or entity; (b) the United States Federal Trade Commission, any Governmental Entitystate attorney general or similar state official; (c) any other governmental entity, foreign or domestic domestic; or any regulatory or self-regulatory entity alleging that any Data Activity of MTI or any the Acquired Companies: (i) is in violation of its Subsidiaries: (1) violates any applicable Privacy Laws; , (2ii) violates is in violation of any Privacy Agreements; , (3iii) violates is in violation of any Privacy and Data Security Policies; or , or (4iv) otherwise constitutes an unfair, deceptive, or misleading trade practice. 
(fe) At all times, MTI and its Subsidiaries have each Acquired Company has taken all commercially reasonable steps (including, without limitation, implementing, maintaining, and monitoring compliance with government-issued or industry standard measures with respect to administrative, technical and physical security) to ensure that all Personal Data and Confidential Information in its possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. To the Knowledge of MTI, there There has been no unauthorized access, use, or disclosure of Personal Data or Confidential Information in the possession or control of MTI or the Acquired Companies or, to the Knowledge of the Sellers, any of its Subsidiaries and any of its contractors with regard to any entity that processes Personal Data obtained from or on behalf of MTI or any of its SubsidiariesAcquired Company, nor has there been any unauthorized intrusions or breaches of security into any systems of MTI or any of its SubsidiariesAcquired Company’s systems. (gf) Each of MTI and its Subsidiaries Acquired Company contractually requires all third-third parties, including including, without limitation, vendors, Affiliates, and other Persons providing services to it such Acquired Company that have access to or receive Personal Data from or on behalf of it such Acquired Company to comply with all applicable Privacy Laws, and to take all reasonable steps to ensure that all Personal Data in such third parties’ possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. (hg) Section 5.25(hThe Acquired Companies have provided notifications to, and have obtained consent from, Persons regarding their Data Activities where such notice or consent is required by Privacy Laws. 
The Acquired Companies’ collection of Personal Data or other information from third parties is in accordance with any requirements from such third parties, including written website terms and conditions. No Acquired Company has (i) of received written communication from any website owner or operator that the MTI Disclosure Schedule sets forth as of the date hereof Acquired Company’s access to such website is unauthorized; (ii) entered into a true and complete list of all Data Centers and the geographic location of each written agreement with any website owner or operator prohibiting scraping activity; (iii) accessed any website’s information through illicitly circumventing a password requirement or similar technological barrier; or (iv) scraped any data from a website that has a clickwrap agreement prohibiting such Data Center. Neither MTI nor any of its Subsidiaries has, nor currently does, use any third-party Data Centers or hosting-providers to store or process any Personal Dataactivity. (ih) Neither MTI nor any of its Subsidiaries has offered any services that store, transmit or process Personal Data inThe Acquired Companies are, and no Data Center owned by it has storedat all times have been in compliance with all Laws pertaining to sales, transmitted or processed Personal Data in, a geographical location that is outside of the continental United States. Neither MTI nor any of its Affiliates or Subsidiaries has previously stored, transmitted, processed or made available any Personal Data to a party in any jurisdiction located outside of the continental United States. (1) Each of MTI and its Subsidiaries has established administrative safeguards that set forth the specific individuals who can access its internal network and systems, including its software and hardware. 
(2) Each of MTI and its Subsidiaries has implemented a password protection process for its internal network and systems that utilizes strong, complex passwords that are routinely changed and are combined with one or more verification methods to create a multi-factor authentication system. (3) Each of MTI and its Subsidiaries has utilized data encryption methods that are no less rigorous than industry best practices to secure its network and systems from unauthorized access, including encryption of Personal Data and any other nonpublic information stored on mobile media or transmitted over any public networks or wireless networks. (1) Each of MTI and its Subsidiaries has adopted in the ordinary conduct of its business, policies, procedures and risk management processes to ensure the physical security of its facilities and computing environmentsmarketing, and that are no less rigorous than industry best practices electronic and applicable Privacy Laws. (2) Each of MTI and its Subsidiaries has secured and maintained control of all physical access points, maintained effective identification procedures, ensured visibility in all high-risk areas, and has adopted policies that ensure the adequate treatment of sensitive information in public spacetelephonic communications, including, without limitation, restrictions relating to the use of monitors in open areasCAN-SPAM Act, keeping laptops and other retrievable items out of accessible spaces, printing in secure areas, effective mail center screening and distribution procedures, and secure trash and electronic equipment disposal methods. (l) Each of MTI and its Subsidiaries has adopted policies to identify Personal Data, or any other nonpublic information that are subject to a system backup, and to specify the frequency of such backups. 
Each of MTI and its Subsidiaries has backed up its sensitive information using secure data backup storage systems and has limited access to the backed-up information to only such authorized Persons or employees who are identified in its respective policies as having the authority to access such backed-up information. (m) The products or service offerings of each of MTI and its Subsidiaries contain mechanisms such as firewall, antivirus protection, web filtering or other functions that are no less rigorous than industry best practices to lower the risk of infection from viruses or malicious routines and codes that can destroy, modify or diminish, or cause a similar effect on, its respective products or services, including its programs, equipment and devices, any part of its internal networks or systems, Personal Data or any other nonpublic information. The products or service offerings contain no disabling code, “time bombs,” time-out or deactivation functions that may terminate operations, diminish the product or services, or result in them performing in an impaired manner. The products or service offerings are free of any “viruses” including, but not limited to, “trojan horses” or “worms” that may destroy or corrupt dataTelephone Consumer Protection Act, and the products or service offerings do not contain any unknown code, scripts or tags, or “back doors” that could enable unauthorized accessTelemarketing Sales Rule. (n) Section 5.25(n) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all audits or checks that each of MTI and its Subsidiaries, or any third party on behalf of any of them, has performed in the prior five (5) years, any individuals or parties who conducted the audits, and results of any such audits. 
Each of MTI and its Subsidiaries, in the ordinary conduct of its business, has performed regular audits of its information security controls, system and procedures that are no less rigorous than industry best practices to assess its compliance with its Privacy and Data Security Policies, and has provided Buyer with complete and accurate records of the audit results.

Appears in 1 contract

Sources: Plan of Merger and Equity Purchase Agreement (RumbleON, Inc.)

Privacy and Data Security. (a) Seller has disclosed to Buyer a true and complete list of all of the types of Personal Data or highly-sensitive information that the Company and its Subsidiaries collect or transmit through (i) their products or service offerings, and (ii) any website or other platforms they maintain, operate or use in the conduct of their business. (b) The Company and each of its subsidiaries is and has at all times been in material compliance with all Privacy Laws, PCI Requirements, applicable payment card brand, card association, payment processor, and bank rules and requirements, Privacy Agreements, and federal, state, local and foreign laws, rules and regulations pertaining to sales and marketing practices, including, without limitation, the CAN-SPAM Act, the Telephone Consumer Protection Act, and the Telemarketing Sales Rule. (c) The Company and each of its Subsidiaries has implemented Privacy and Data Security Policies that are no less rigorous than industry best practices. The Company and each of its Subsidiaries is in material compliance with, and has always complied with, any statutory and fiduciary obligations to safeguard the privacy of Personal Data that the Company or such Subsidiary collects, uses, transmits or processes through its products or service offerings, including its websites or platforms that it maintains, operates or uses in the ordinary conduct of its business. The Company and each of its Subsidiaries satisfies any statutory and fiduciary obligations it has to provide notice to its website visitors or obtain consent for its or a third party’s use of monitoring features such as cookies or tags.
(4) MTI and its Subsidiaries have . The Company has made available a true, correct, and complete copy of each Privacy and Data Security Policy in effect for the Company and each Subsidiary at any time since the respective inceptions inception of MTI the Company or such Subsidiary. The Company and its Subsidiaries. (5) At each Subsidiary has at all times, each of MTI and its Subsidiaries has times been and is in material compliance with all of its Privacy and Data Security Policies. (6) . Neither the execution, delivery, delivery or performance of this Agreement, nor the consummation of any of the transactions contemplated under this Agreement hereby will violate any of the Privacy AgreementsAgreement, Privacy and Data Security Policies Policy or any Privacy Law applicable Privacy Lawsto the Company or any of its Subsidiaries. Each of MTI and its Subsidiaries The Company has delivered to EVI Buyer accurate and complete copies of all of the Privacy Agreements. (d) Each of MTI and its Affiliates/Subsidiaries has not, and currently does not, market its products and services to any Persons under the age of 13, and neither MTI nor any of its Subsidiaries knowingly collects Personal Data from any Persons under the age of 13. (e) There is no pending, nor has there ever been any, complaint, audit, proceeding, investigation, or claim against the Company or any of MTI or its Subsidiaries Subsidiary initiated by any Person person or entity, any Governmental EntityAuthority, foreign or domestic or any regulatory or self-regulatory entity alleging that any Data Activity of MTI the Company or any of its Subsidiaries: Subsidiary (1i) violates any applicable Privacy Laws; , (2ii) violates any Privacy Agreements; , (3iii) violates any Privacy and Data Security Policies; or Policy, or (4iv) constitutes an unfair, deceptive, or misleading trade practice. 
(f) At all times, MTI and its Subsidiaries have taken all reasonable steps (including, without limitation, implementing, maintaining, and monitoring compliance with government-issued or industry standard measures with respect to administrative, technical and physical security) to ensure that all Personal Data in its possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. To the Knowledge of MTI, there has been no unauthorized access, use, or disclosure of Personal Data in the possession or control of MTI or any of its Subsidiaries and any of its contractors with regard to any Personal Data obtained from or on behalf of MTI or any of its Subsidiaries, nor has there been any unauthorized intrusions or breaches of security into any systems of MTI or any of its Subsidiaries. (g) Each of MTI and its Subsidiaries contractually requires all third-parties, including vendors, Affiliates, and other Persons providing services to it that have access to or receive Personal Data from or on behalf of it to comply with all applicable Privacy Laws, and to take all reasonable steps to ensure that all Personal Data in such third parties’ possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. (h) Section 5.25(h) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all Data Centers and the geographic location of each such Data Center. Neither MTI nor any of its Subsidiaries has, nor currently does, use any third-party Data Centers or hosting-providers to store or process any Personal Data. 
(i) Neither MTI nor any of its Subsidiaries has offered any services that store, transmit or process Personal Data in, and no Data Center owned by it has stored, transmitted or processed Personal Data in, a geographical location that is outside of the continental United States. Neither MTI nor any of its Affiliates or Subsidiaries has previously stored, transmitted, processed or made available any Personal Data to a party in any jurisdiction located outside of the continental United States. (1) Each of MTI and its Subsidiaries has established administrative safeguards that set forth the specific individuals who can access its internal network and systems, including its software and hardware. (2) Each of MTI and its Subsidiaries has implemented a password protection process for its internal network and systems that utilizes strong, complex passwords that are routinely changed and are combined with one or more verification methods to create a multi-factor authentication system. (3) Each of MTI and its Subsidiaries has utilized data encryption methods that are no less rigorous than industry best practices to secure its network and systems from unauthorized access, including encryption of Personal Data and any other nonpublic information stored on mobile media or transmitted over any public networks or wireless networks. (1) Each of MTI and its Subsidiaries has adopted in the ordinary conduct of its business, policies, procedures and risk management processes to ensure the physical security of its facilities and computing environments, and that are no less rigorous than industry best practices and applicable Privacy Laws. 
(2) Each of MTI and its Subsidiaries has secured and maintained control of all physical access points, maintained effective identification procedures, ensured visibility in all high-risk areas, and has adopted policies that ensure the adequate treatment of sensitive information in public space, including, without limitation, restrictions relating to the use of monitors in open areas, keeping laptops and other retrievable items out of accessible spaces, printing in secure areas, effective mail center screening and distribution procedures, and secure trash and electronic equipment disposal methods. (l) Each of MTI and its Subsidiaries has adopted policies to identify Personal Data, or any other nonpublic information that are subject to a system backup, and to specify the frequency of such backups. Each of MTI and its Subsidiaries has backed up its sensitive information using secure data backup storage systems and has limited access to the backed-up information to only such authorized Persons or employees who are identified in its respective policies as having the authority to access such backed-up information. (m) The products or service offerings of each of MTI and its Subsidiaries contain mechanisms such as firewall, antivirus protection, web filtering or other functions that are no less rigorous than industry best practices to lower the risk of infection from viruses or malicious routines and codes that can destroy, modify or diminish, or cause a similar effect on, its respective products or services, including its programs, equipment and devices, any part of its internal networks or systems, Personal Data or any other nonpublic information. The products or service offerings contain no disabling code, “time bombs,” time-out or deactivation functions that may terminate operations, diminish the product or services, or result in them performing in an impaired manner. 
The products or service offerings are free of any “viruses” including, but not limited to, “trojan horses” or “worms” that may destroy or corrupt data, and the products or service offerings do not contain any unknown code, scripts or tags, or “back doors” that could enable unauthorized access. (n) Section 5.25(n) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all audits or checks that each of MTI and its Subsidiaries, or any third party on behalf of any of them, has performed in the prior five (5) years, any individuals or parties who conducted the audits, and results of any such audits. Each of MTI and its Subsidiaries, in the ordinary conduct of its business, has performed regular audits of its information security controls, system and procedures that are no less rigorous than industry best practices to assess its compliance with its Privacy and Data Security Policies, and has provided Buyer with complete and accurate records of the audit results.

Appears in 1 contract

Sources: Stock Purchase Agreement (Future FinTech Group Inc.)

Privacy and Data Security. (a) Section 5.25(a) of Except as set out in Schedule 3.1(35), the MTI Disclosure Schedule sets forth Vendor has, as of at the date hereof a true Execution Date, the Corporation will have, as at the Effective Date, and complete list of ▇▇ ▇▇▇▇▇ will have, as at the Closing Date, complied at all of times with all Privacy Laws in connection with the types Vendor’s, the Corporation’s and ▇▇ ▇▇▇▇▇’▇ collection, use and disclosure of Personal Data or highly sensitive information that MTI and its Subsidiaries collects or transmits through: (1) its products or service offerings, and (2) any website or other platforms it maintains, operates or uses in the conduct of its businessInformation. (b) Each The Vendor, the Corporation and ▇▇ ▇▇▇▇▇ have had in place since the respective dates of MTI their incorporation a privacy policy or policies governing the collection, use, disclosure and its Subsidiaries protection of Personal Information by the Vendor, the Corporation and ▇▇ ▇▇▇▇▇, and have collected, used, disclosed and protected Personal Information in accordance with such policy or policies. (c) The Vendor is, at the Execution Date, the Corporation will be, as at the Effective Date, and ▇▇ ▇▇▇▇▇ will be, as at all times has beenthe Closing Date, in compliance with all: (1) Privacy Laws; (2) PCI Requirements; (3) applicable payment card brand, card association, payment processor and bank rules and requirements; (4) Privacy Agreements; and (5) federal, state, local and foreign Laws, rules and regulations pertaining the terms of all Contracts to sales and marketing practices, including, without limitationwhich the Vendor, the CAN-SPAM ActCorporation and ▇▇ ▇▇▇▇▇ are a party, and all industry standards to which the Vendor, the Telephone Consumer Protection ActCorporation and ▇▇ ▇▇▇▇▇ are subject, and the Telemarketing Sales Rule. 
(1) Each of MTI and its Subsidiaries has implemented Privacy and Data Security Policies that are no less rigorous than industry best practices. (2) Each of MTI and its Subsidiaries is in compliance withrelating to privacy, and has always complied with, any statutory and fiduciary obligations to safeguard the privacy of Personal Data that it collects, uses, transmits data security or processes through its products or service offerings, including its websites or platforms that it maintains, operates or uses in the ordinary conduct of its business. (3) Each of MTI and its Subsidiaries satisfies any statutory and fiduciary obligations they have to provide notice to website visitors or obtain consent for their or a third party’s use of monitoring features such as cookies or tags. (4) MTI and its Subsidiaries have made available a true, correct, and complete copy of each Privacy and Data Security Policy in effect at any time since the respective inceptions of MTI and its Subsidiaries. (5) At all times, each of MTI and its Subsidiaries has been and is in compliance with all of its Privacy and Data Security Policies. (6) Neither the execution, delivery, or performance of this Agreement, nor the consummation of any of the transactions contemplated under this Agreement will violate any of the Privacy Agreements, Privacy and Data Security Policies or any applicable Privacy Laws. Each of MTI and its Subsidiaries has delivered to EVI accurate and complete copies of all of the Privacy Agreementsbreach notification. 
(d) Each of MTI and its Affiliates/Subsidiaries has notThe Vendor has, as at the Execution Date, the Corporation will have, as at the Effective Date, and currently does not▇▇ ▇▇▇▇▇ will have, market its products as at the Closing Date, a written information security program in place, consistent with current industry standards and services practices, to any Persons under the age of 13ensure that (i) Personal Information, Data, and neither MTI nor all IT Systems are adequately safeguarded and (ii) all IT Systems will be continuously available and functioning normally in the event of any malfunction of, any suspension or cessation in the operation of, or other form of its Subsidiaries knowingly collects Personal Data from any Persons under disaster affecting, the age IT Systems. Such program includes, at minimum, policies, procedures and systems addressing information security, cybersecurity risk management, vendor management, employee training, business continuity and disaster recovery, data and system backup and data breach response, including the recording and reporting of 13data breaches. 
(e) There is no pendinghas been no: (i) loss or theft of, nor has there ever been anyor unauthorized access, complaintuse or disclosure of, auditPersonal Information or Data, proceeding(ii) unauthorized access to or use of the IT Systems; (iii) complaints or claims regarding the Vendor’s, the Corporation’s or ▇▇ ▇▇▇▇▇’▇ collection, use or disclosure of Personal Information or the actual or alleged violation of any Privacy Law, Contract or industry standard to which the Vendor, the Corporation or ▇▇ ▇▇▇▇▇ are subject; or (iv) investigation, audit or claim against any other inquiry from a Governmental Authority regarding the Vendor’s, the Corporation’s or ▇▇ ▇▇▇▇▇’▇ collection, use, disclosure or protection of MTI or its Subsidiaries initiated by any Person or entity, any Governmental Entity, foreign or domestic or any regulatory or self-regulatory entity alleging that any Data Activity of MTI or any of its Subsidiaries: (1) violates any applicable Privacy Laws; (2) violates any Privacy Agreements; (3) violates any Privacy and Data Security Policies; or (4) constitutes an unfair, deceptive, or misleading trade practicePersonal Information. (f) At all times, MTI and its Subsidiaries have taken all reasonable steps (including, without limitation, implementing, maintaining, and monitoring compliance with government-issued or industry standard measures with respect to administrative, technical and physical security) to ensure that all Personal Data in its possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. 
To the Knowledge of MTI, there has been no unauthorized access, use, or disclosure of Personal Data in the possession or control of MTI or any of its Subsidiaries and any of its contractors with regard to any Personal Data obtained from or on behalf of MTI or any of its Subsidiaries, nor has there been any unauthorized intrusions or breaches of security into any systems of MTI or any of its Subsidiaries. (g) Each of MTI and its Subsidiaries contractually requires all third-parties, including vendors, Affiliates, and other Persons providing services to it that have access to or receive Personal Data from or on behalf of it to comply with all applicable Privacy Laws, and to take all reasonable steps to ensure that all Personal Data in such third parties’ possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. (h) Section 5.25(h) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all Data Centers and the geographic location of each such Data Center. Neither MTI nor any of its Subsidiaries has, nor currently does, use any third-party Data Centers or hosting-providers to store or process any Personal Data. The consummation of the transactions contemplated by this Agreement will not result in a violation of: (i) Neither MTI nor any of its Subsidiaries has offered any services that store, transmit or process Personal Data in, and no Data Center owned by it has stored, transmitted or processed Personal Data in, a geographical location that is outside of the continental United States. Neither MTI nor any of its Affiliates or Subsidiaries has previously stored, transmitted, processed or made available any Personal Data to a party in any jurisdiction located outside of the continental United States. 
(1) Each of MTI and its Subsidiaries has established administrative safeguards that set forth the specific individuals who can access its internal network and systems, including its software and hardware. (2) Each of MTI and its Subsidiaries has implemented a password protection process for its internal network and systems that utilizes strong, complex passwords that are routinely changed and are combined with one or more verification methods to create a multi-factor authentication system. (3) Each of MTI and its Subsidiaries has utilized data encryption methods that are no less rigorous than industry best practices to secure its network and systems from unauthorized access, including encryption of Personal Data and any other nonpublic information stored on mobile media or transmitted over any public networks or wireless networks. (1) Each of MTI and its Subsidiaries has adopted in the ordinary conduct of its business, policies, procedures and risk management processes to ensure the physical security of its facilities and computing environments, and that are no less rigorous than industry best practices and applicable Privacy Laws. 
; (ii) Contracts to which the Vendor, as at the Execution Date, the Corporation, as at the Effective Date, or ▇▇ ▇▇▇▇▇, as at the Closing Date, is a party, or industry standards to which the Vendor, the Corporation or ▇▇ ▇▇▇▇▇ is subject, relating to privacy, data security or breach notification; or (iii) the Vendor’s, the Corporation’s or ▇▇ ▇▇▇▇▇’▇ own privacy policies. (2) Each of MTI and its Subsidiaries has secured and maintained control of all physical access points, maintained effective identification procedures, ensured visibility in all high-risk areas, and has adopted policies that ensure the adequate treatment of sensitive information in public space, including, without limitation, restrictions relating to the use of monitors in open areas, keeping laptops and other retrievable items out of accessible spaces, printing in secure areas, effective mail center screening and distribution procedures, and secure trash and electronic equipment disposal methods. (l) Each of MTI and its Subsidiaries has adopted policies to identify Personal Data, or any other nonpublic information that are subject to a system backup, and to specify the frequency of such backups. Each of MTI and its Subsidiaries has backed up its sensitive information using secure data backup storage systems and has limited access to the backed-up information to only such authorized Persons or employees who are identified in its respective policies as having the authority to access such backed-up information. 
(m) The products or service offerings of each of MTI and its Subsidiaries contain mechanisms such as firewall, antivirus protection, web filtering or other functions that are no less rigorous than industry best practices to lower the risk of infection from viruses or malicious routines and codes that can destroy, modify or diminish, or cause a similar effect on, its respective products or services, including its programs, equipment and devices, any part of its internal networks or systems, Personal Data or any other nonpublic information. The products or service offerings contain no disabling code, “time bombs,” time-out or deactivation functions that may terminate operations, diminish the product or services, or result in them performing in an impaired manner. The products or service offerings are free of any “viruses” including, but not limited to, “trojan horses” or “worms” that may destroy or corrupt data, and the products or service offerings do not contain any unknown code, scripts or tags, or “back doors” that could enable unauthorized access. (n) Section 5.25(n) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all audits or checks that each of MTI and its Subsidiaries, or any third party on behalf of any of them, has performed in the prior five (5) years, any individuals or parties who conducted the audits, and results of any such audits. Each of MTI and its Subsidiaries, in the ordinary conduct of its business, has performed regular audits of its information security controls, system and procedures that are no less rigorous than industry best practices to assess its compliance with its Privacy and Data Security Policies, and has provided Buyer with complete and accurate records of the audit results.

Appears in 1 contract

Sources: Share Purchase Agreement (Viad Corp)

Privacy and Data Security. (a) Section 4.26(a) of the EVI Disclosure Schedule sets forth as of the date hereof a true and complete list of all of the types of Personal Data or highly-sensitive information that EVI and any of its Subsidiaries collects or transmits through: (1) its products or service offerings, and (2) any website or other platforms it maintains, operates or uses in the conduct of its business. (b) Each of EVI and its Subsidiaries is, and at all times has been, in compliance in all material respects with all: (1) Privacy Laws; (2) PCI Requirements; (3) applicable payment card brand, card association, payment processor and bank rules and requirements; (4) Privacy Agreements; and (5) federal, state, local and foreign Laws pertaining to sales and marketing practices, including, without limitation, the CAN-SPAM Act, the Telephone Consumer Protection Act, and the Telemarketing Sales Rule. (1) Each of EVI and its Subsidiaries has implemented Privacy and Data Security Policies that are no less rigorous than industry best practices for similarly situated companies. (2) Each of EVI and its Subsidiaries is in compliance with, and has always complied with, any statutory and fiduciary obligations to safeguard the privacy of Personal Data that it collects, uses, transmits or processes through its products or service offerings, including its websites or platforms that it maintains, operates or uses in the ordinary conduct of its business. (3) Each of EVI and its Subsidiaries satisfies any statutory and fiduciary obligations they have to provide notice to website visitors or obtain consent for their or a third party’s use of monitoring features such as cookies or tags. (4) EVI and its Subsidiaries have made available a true, correct, and complete copy of each Privacy and Data Security Policy in effect at any time since July 1, 2020. 
(5) At all times since July 1, 2020, each of EVI and its Subsidiaries has been and is in compliance with all of its Privacy and Data Security Policies. (6) Neither the execution, delivery or performance of this Agreement, nor the consummation of any of the transactions contemplated under this Agreement will violate any of the Privacy Agreements, Privacy and Data Security Policies or any applicable Privacy Laws. Each of EVI and its Subsidiaries has delivered to MTI accurate and complete copies of all of their material Privacy Agreements. (d) Each of EVI and its Affiliates/Subsidiaries has not, and currently does not, market its products and services to any Persons under the age of 13, and neither EVI nor any of its Subsidiaries knowingly collect Personal Data from any Persons under the age of 13. (e) There is no pending, nor to EVI’s Knowledge, has there ever been any, complaint, audit, proceeding, investigation, or claim against EVI or any of its Subsidiaries initiated by any Person or entity, any Governmental Entity, foreign or domestic or any regulatory or self-regulatory entity alleging that any Data Activity of EVI or any of its Subsidiaries: (1) violates any applicable Privacy Laws, (2) violates any Privacy Agreements, (3) violates any Privacy and Data Security Policies, or (4) constitutes an unfair, deceptive, or misleading trade practice. (f) At all times, EVI and its Subsidiaries have taken all reasonable steps (including, without limitation, implementing, maintaining, and monitoring compliance with government-issued or industry standard measures with respect to administrative, technical and physical security) to ensure that all Personal Data in its possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. 
To the Knowledge of EVI, there has been no (i) unauthorized access, use, or disclosure of Personal Data in the possession or control of EVI or any of its Subsidiaries and any of its contractors with regard to any Personal Data obtained from or on behalf of EVI or any of its Subsidiaries or (ii) unauthorized intrusions or breaches of security into any systems of EVI or any of its Subsidiaries. (g) Each of EVI and its Subsidiaries contractually requires all third parties, including vendors, Affiliates, and other Persons providing services to it that have access to or receive Personal Data from or on behalf of it to comply with all applicable Privacy Laws, and to take all reasonable steps to ensure that all Personal Data in such third parties’ possession or control is protected against damage, loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse. (h) Section 4.26(h) of the EVI Disclosure Schedule sets forth as of the date hereof a true and complete list of all Data Centers and the geographic location of each such Data Center. Neither EVI nor any of its Subsidiaries has, nor currently does, use any third-party Data Centers or hosting-providers to store or process any Personal Data. (i) Neither EVI nor any of its Subsidiaries has offered any services that store, transmit or process Personal Data in, and no Data Center owned by it has stored, transmitted or processed Personal Data in, a geographical location that is outside of the continental United States. Neither EVI nor any of its Affiliates or Subsidiaries has previously stored, transmitted, processed or made available any Personal Data to a party in any jurisdiction located outside of the continental United States. 
(1) Each of EVI and its Subsidiaries has established administrative safeguards that set forth the specific individuals who can access EVI’s internal network and systems, including its software and hardware. (2) Each of MTI and its Subsidiaries has implemented a password protection process for its internal network and systems that utilizes strong, complex passwords that are routinely changed and are combined with one or more verification methods to create a multi-factor authentication system. (3) Each of MTI and its Subsidiaries has utilized data encryption methods that are no less rigorous than industry best practices to secure its network and systems from unauthorized access, including encryption of Personal Data and any other nonpublic information stored on mobile media or transmitted over any public networks or wireless networks. (1) Each of MTI and its Subsidiaries has adopted in the ordinary conduct of its business, policies, procedures and risk management processes to ensure the physical security of its facilities and computing environments, and that are no less rigorous than industry best practices and applicable Privacy Laws. (2) Each of MTI and its Subsidiaries has secured and maintained control of all physical access points, maintained effective identification procedures, ensured visibility in all high-risk areas, and has adopted policies that ensure the adequate treatment of sensitive information in public space, including, without limitation, restrictions relating to the use of monitors in open areas, keeping laptops and other retrievable items out of accessible spaces, printing in secure areas, effective mail center screening and distribution procedures, and secure trash and electronic equipment disposal methods. (l) Each of MTI and its Subsidiaries has adopted policies to identify Personal Data, or any other nonpublic information that are subject to a system backup, and to specify the frequency of such backups. 
Each of MTI and its Subsidiaries has backed up its sensitive information using secure data backup storage systems and has limited access to the backed-up information to only such authorized Persons or employees who are identified in its respective policies as having the authority to access such backed-up information. (m) The products or service offerings of each of MTI and its Subsidiaries contain mechanisms such as firewall, antivirus protection, web filtering or other functions that are no less rigorous than industry best practices to lower the risk of infection from viruses or malicious routines and codes that can destroy, modify or diminish, or cause a similar effect on, its respective products or services, including its programs, equipment and devices, any part of its internal networks or systems, Personal Data or any other nonpublic information. The products or service offerings contain no disabling code, “time bombs,” time-out or deactivation functions that may terminate operations, diminish the product or services, or result in them performing in an impaired manner. The products or service offerings are free of any “viruses” including, but not limited to, “trojan horses” or “worms” that may destroy or corrupt data, and the products or service offerings do not contain any unknown code, scripts or tags, or “back doors” that could enable unauthorized access. (n) Section 5.25(n) of the MTI Disclosure Schedule sets forth as of the date hereof a true and complete list of all audits or checks that each of MTI and its Subsidiaries, or any third party on behalf of any of them, has performed in the prior five (5) years, any individuals or parties who conducted the audits, and results of any such audits. 
Each of MTI and its Subsidiaries, in the ordinary conduct of its business, has performed regular audits of its information security controls, system and procedures that are no less rigorous than industry best practices to assess its compliance with its Privacy and Data Security Policies, and has provided Buyer with complete and accurate records of the audit results.

Appears in 1 contract

Sources: Merger Agreement (Ei. Ventures, Inc.)