Data Security. (i) Except as would not, individually or in the aggregate, have or may reasonably be expected to have a Material Adverse Effect, Company and each of its Subsidiaries have complied and are presently in compliance with all internal and external privacy policies, contractual obligations, industry standards, applicable laws, statutes, judgments, orders, rules and regulations of any court or arbitrator or other Governmental or Regulatory Agency and any other legal obligations, in each case, relating to the collection, use, transfer, import, export, storage, protection, disposal and disclosure by Company or any of its Subsidiaries of personal, personally identifiable, household, sensitive, confidential or regulated data (“Data Security Obligations,” and such data, “Data”); # Company and its Subsidiaries have not received any notification of or complaint regarding and are unaware of any other facts that, individually or in the aggregate, would reasonably indicate non-compliance with any Data Security Obligation; and # there is no action, suit or proceeding by or before any court or Governmental Agency pending or, to the knowledge of Company and its Subsidiaries, threatened against Company or any of its Subsidiaries alleging non-compliance with any Data Security Obligation.

Data Security. During the Term of this Agreement, each Party will maintain (and, as applicable, cause its Affiliates to maintain) reasonable environmental, safety and facility procedures, data security procedures and other safeguards against the disclosure, destruction, loss, or alteration of the other Party’s Confidential Information in the possession of such Party or its Affiliates, which efforts shall in any event be no less rigorous than those maintained by such Party for its own Confidential Information of a similar nature.

#Compliance with Data Security Laws. Provider will comply with all Provider Laws, as well as the written security procedures set forth in [Exhibit D], with respect to the security of BFA Data.

The Company and each Company Subsidiary (and, to the Knowledge of the Company, all vendors, processors, service providers, or other third parties with access to Personal Information in the Company’s control), comply and at all times have complied in all material respects with: # the Privacy and Security Laws; # the rules of self-regulatory organizations and other industry standards, including the Payment Card Industry Data Security Standard; # the US-DOCS\131312541.20

Data Security. Consultant will implement and maintain reasonable and appropriate administrative, physical, organizational, and technical security measures and safeguards (“Safeguards”) to prevent any unauthorized collection, use or disclosure of, destruction, loss or alteration of or access to any data managed, transmitted, accessed, stored or otherwise processed in any way by Consultant to perform the Services or any data provided by or on behalf of Trevi

Consultant will maintain (and, as applicable, cause any subcontractors permitted in accordance with Section 6 to maintain) data security procedures and other safeguards that are compliant with applicable Privacy Laws and consistent with industry standards, against the accidental, unlawful or unauthorized access to or acquisition, use, disclosure, destruction, loss, or alteration of Akebia’s Confidential Information (a “Data Breach”). In the event that Consultant, in the course of providing Services to Akebia, receives, creates, stores, maintains, processes or otherwise has access to “Personal Information” (meaning any information relating to an identified or identifiable natural person that is protected by applicable Privacy Laws, including, but not limited to, an individual’s name and social security number, driver’s license number or financial number, health information, and personal data, as further defined in such Privacy Laws), then Consultant shall implement and maintain appropriate technical and organizational measures, reflected in written security policies, to protect such Personal Information against a Data Breach and otherwise safeguard this information in accordance with these laws, and to the extent that Consultant experiences, becomes aware of, or suspects a Data Breach with respect to Personal Information in connection with this Agreement or any Statement of Work or amendment hereto, Consultant shall: # notify Akebia in writing without undue delay, and in any event, within twenty-four (24) hours of becoming aware of such Data Breach (such notification to include, at minimum, a description of the nature of the Data Breach including the categories of Personal Information and approximate number of individuals affected and records concerned; the likely consequences of the Data Breach; and any measures taken or proposed by Consultant to mitigate or otherwise address the Data Breach); # use Consultant’s best endeavors to mitigate the effects and to minimize any damage resulting from the Data Breach; and # to the extent permitted by applicable law, reasonably assist and co-operate with Akebia in investigating, resolving and remediating the Data Breach, including providing Akebia with such further information as may be reasonably requested and coordinating with Akebia any public communication, communication to affected individuals, or response to any regulatory or supervisory authority in respect of the Data Breach.

“Authorized Employees” means our employees who have a need to know or otherwise access Participant-level Information to enable us to perform our obligations under this Agreement.

Data Security. Medidata utilizes administrative, physical and technical safeguards to protect Customer Data that are no less rigorous than accepted industry practices. Medidata verifies such physical and technical safeguards as described at https://www.medidata.com/en/trust-and-transparency/.

Data Security Breaches. Provider will monitor and record security related events on all systems and log such events. If Provider discovers or become aware of an actual Data Security Breach, Provider shall, except to the extent instructed by legal or regulatory authorities not to do so:

Data Privacy and Security. The Company represents and warrants that it has undertaken commercially reasonable efforts to materially comply with all Laws and contractual and fiduciary obligations as to protection and security of personally identifiable information or personal data (“Personal Data”) to which it is subject. The Company has not received any written inquiries from or been subject to any audit or Proceeding by any Governmental Authority regarding Personal Data. The Company has in place policies and procedures as to collection, use, processing, storage and transfer of Personal Data designed to comply with its legal obligations with respect thereto. No Legal Proceeding alleging # a material violation of any Person’s privacy rights or # unauthorized access, use or disclosure of Personal Data has been asserted or threatened to Target. Since January 1, 2019, there has not been a material violation by the Company of any Person’s privacy rights or any unauthorized access, use or disclosure by the Company of Personal Data. The Company further represents and warrants that the information technology equipment and related systems owned, used or held for use by the Company (“Systems”) are reasonably sufficient for the Company’s immediate needs. Since January 1, 2019, to the Company’s Knowledge, there has been no unauthorized access, use, intrusion, or breach of security, or material failure, breakdown, performance reduction or other adverse event affecting any Systems that has caused or would reasonably be expected to cause any substantial disruption to the use of such Systems or the Company or any material loss or harm to the Company or its personnel, property, or other assets.