Section 5.40. OFAC. Neither the Company nor any of its Subsidiaries (collectively, the “Entity”), nor any director, officer, employee, agent, Affiliate or representative of the Company, is a Person that is, or is owned or controlled by a Person that is (i) the subject of any sanctions administered or enforced by the Office of Foreign Asset Control (“OFAC”), the United Nations Security Council, the European Union, Her Majesty’s Treasury, or other relevant sanctions authorities, including, without limitation, designation on OFAC’s Specially Designated Nationals and Blocked Persons List or OFAC’s Foreign Sanctions Evaders List or other relevant sanctions authority (collectively, “Sanctions”), nor (ii) located, organized or resident in a country or territory that is the subject of Sanctions that broadly prohibit dealings with that country or territory (including, without limitation, the Crimea region of Ukraine, Cuba, Iran, North Korea, Sudan and Syria (the “Sanctioned Countries”)). The Entity will not, directly or indirectly, use the proceeds from the sale of Shares, or lend, contribute or otherwise make available such proceeds to any subsidiary, joint venture partner or other Person (a) to fund or facilitate any activities or business of or with any Person or in any country or territory that, at the time of such funding or facilitation, is the subject of Sanctions or is a Sanctioned Country, or (b) in any other manner that will result in a violation of Sanctions by any Person (including any Person participating in the transactions contemplated by this Agreement, whether as underwriter, advisor, investor or otherwise). For the past five years, the Entity has not engaged in, and is now not engaged in, any dealings or transactions with any Person, or in any country or territory, that at the time of the dealing or transaction is or was the subject of Sanctions or was a Sanctioned Country.
Section 5.41. Information Technology; Compliance with Data Privacy Laws.
(i) The Company and its Subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company as currently conducted. The Company and its Subsidiaries have implemented and maintain commercially reasonable physical, technical and administrative controls, policies, procedures, and safeguards to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data, including all “Personal Data” (defined below) and all sensitive, confidential or regulated data (“Confidential Data”) used in connection with their businesses. “Personal Data” means (a) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (b) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (c) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) to the extent GDPR is applicable to the Company’s business; (d) any information which would qualify as “protected health information” under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, “HIPAA”); (e) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”) to the extent CCPA is applicable to the Company’s business; and (f) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. The Company and its Subsidiaries are presently in material compliance with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems, Confidential Data, and Personal Data and to the protection of such IT Systems, Confidential Data, and Personal Data from unauthorized use, access, misappropriation or modification.
(ii) The Company and its Subsidiaries are, and at all prior times were, in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA and the GDPR to the extent applicable (collectively, the “Privacy Laws”). To ensure compliance with the Privacy Laws, the Company has in place, complies with, and takes appropriate steps to ensure compliance in all material respects with their policies and procedures relating to data privacy and security and the collection, storage, use, processing, disclosure, handling, and analysis of Personal Data and Confidential Data (the “Policies”). The Company has at all times made all disclosures to users or customers required by applicable laws and regulatory rules or requirements, and none of such disclosures made or contained in any Policy have been inaccurate or in violation of any applicable laws and regulatory rules or requirements in any material respect. The Company further certifies that neither it nor any Subsidiary: (a) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no Knowledge of any event or condition that would reasonably be expected to result in any such notice; (b) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (c) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Law.
