Information Security and Data Protection. [[Trust Company:Organization]] shall comply with the provisions of [Schedules 9] and 10 of the Side Agreement.

The Sellers have established, and the Business is in compliance with, a written information security program or programs covering the Business that # includes safeguards for the security, confidentiality, and integrity of transactions and confidential or proprietary data, # is designed to protect against unauthorized access to the Sellers’ technology and computer systems and infrastructure and proprietary data, and # is adequate for the conduct of the Business. To the Knowledge of the Sellers, the Business has not suffered a security breach with respect to any proprietary data or trade secrets in the last eighteen (18) months.

We shall implement reasonable administrative, physical and technical safeguards to help protect Non-Public Participant-level Information as prescribed by applicable Data Protection Laws and accepted industry practices such as the National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF).

Massachusetts Information Security Regulations Compliance. Massachusetts Information Security Regulations, 201 Code of Mass. Regs. 17.00 et seq. (the “IS Regulations”) mandate procedures to safeguard the “Personal Information,” as defined in the IS Regulations, of Massachusetts residents. Because Consultant may have access to the Personal Information of Constellation’s employees, contractors, business associates, or customers who are Massachusetts residents (“Protected Information”), the IS Regulations require Consultant to certify compliance with the IS Regulations. Accordingly, Consultant agrees that, as long as Consultant has access to or maintains copies of Protected Information Consultant will: # comply with the IS Regulations with respect to the Protected Information, # promptly notify Constellation of any suspected or actual data breach involving Protected Information, and # cooperate with Constellation to investigate and remediate any suspected or actual data breach involving Protected Information.

Information Security. Client understands and agrees that use of telecommunications and data communications networks and the Internet may not be secure and that connection to and transmission of data and information over the Internet and such facilities provides the opportunity for unauthorized access to wallets, computer systems, networks, and all data stored therein. Information and data transmitted through the Internet or stored on any equipment through which Internet information is transmitted may not remain confidential, and Host does not make any representation or warranty regarding privacy, security, authenticity, and non-corruption or destruction of any such information. Host does not warrant that the Services or Client’s use will be uninterrupted, error-free, or secure. Host shall not be responsible for any adverse consequence or loss whatsoever to Client’s (or its users‟ or subscribers‟) use of the Services or the Internet. Use of any information transmitted or obtained by Client from Host is at Client’s own risk. Host is not responsible for the accuracy or quality of information obtained through its network, including as a result of failure of performance, error, omission, interruption, corruption, deletion, defect, delay in operation or transmission, computer virus, communication line failure, theft or destruction or

Information and Physical Security. RUS represents and warrants to AssetMark that RUS shall establish and maintain safeguards against the destruction, loss, or alteration of Client Materials in the possession or control of RUS and its agents that are # no less rigorous than those maintained by RUS for its other customers’ information of a similar nature; # in compliance with the requirements of [Exhibit E] and # it will not transmit or make available any AssetMark client personal data outside the United States. RUS further represents and warrants to AssetMark with respect to information and physical security as follows:

Information Privacy and Data Security. The Company Group’s practices concerning collection, use, analysis, retention, storage, protection, security, transfer, disclosure, and disposal of Personal Information comply in all material respects with, and have not, since January 1, 2017, violated in any material respect, any # Contract with a client, # Privacy Laws, or # written policy or privacy statement of the Company Group. The Company Group has posted to their website and each of their online sites and services, including all mobile applications, terms of use or service and a privacy policy that complies with Privacy Laws and that accurately reflects in all material respects the Company Group’s practices concerning the collection, use, and disclosure of Personal Information in such online sites, services, and mobile applications. The Company Group has commercially reasonable controls in place designed to address the information security risks and vulnerabilities of the Company Group in light of each member of the Company Group’s business, technology, information systems, and the sensitivity of the Personal Information processed by the Company Group.

Information Security. Client understands and agrees that use of telecommunications and data communications networks and the Internet may not be secure and that connection to and transmission of data and information over the Internet and such facilities provides the opportunity for unauthorized access to wallets, computer systems, networks, and all data stored therein. Information and data transmitted through the Internet or stored on any equipment through which Internet information is transmitted may not remain confidential, and Host does not make any representation or warranty regarding privacy, security, authenticity, and non-corruption or destruction of any such information. Host does not warrant that the Services or Client’s use will be uninterrupted, error-free, or secure. Host shall not be responsible for any adverse consequence or loss whatsoever to Client’s (or its users‟ or subscribers‟) use of the Services or the Internet. Use of any information transmitted or obtained by Client from Host is at Client’s own risk. Host is not responsible for the accuracy or quality of information obtained through its network, including as a result of failure of performance, error, omission, interruption, corruption, deletion, defect, delay in operation or transmission, computer virus, communication line failure, theft or destruction or

Each Party shall adopt technical and organizational measures to guarantee reasonable protection of the other Party’s Confidential Information, including the measures listed in [Exhibit 12.2].2.1.

Provider’s Information Security Policies. Without limiting the generality of the foregoing, Provider’s information security policies shall provide for # continual assessment and re-assessment of the risks to the security of BFA Data and systems acquired or maintained by Provider and its agents and contractors in connection with the Services, including # identification of internal and external threats that could result in a Data Security Breach, # assessment of the likelihood and potential damage of such threats, taking into account the sensitivity of BFA Data, and # assessment of the sufficiency of policies, procedures, effectiveness of controls, and information systems of Provider and its agents and contractors, and other arrangements in place, to control risks; and # appropriate protection against such risks.