Use and Disclosure of Data

[Attachment __, Data Management, Privacy, and Security, continued]

C. Use and Disclosure. Provider may access and use Customer Data solely as necessary to provide the System to Customer, and unless it receives Customer’s prior written consent, Provider: (1) shall not access or use Customer Data for any purpose other than to provide the System; and (2) shall not give any third party access to Customer Data, except subcontractors subject to Section M (Employees and Subcontractors) of this Attachment __. Notwithstanding the provisions above of this Section C, Provider may disclose Customer Data as required by applicable law or by proper legal or governmental authority. Provider shall give Customer prompt notice of any such legal or governmental demand and reasonably cooperate with Customer in any effort to seek a protective order or otherwise to contest such required disclosure, at Customer’s expense. For the avoidance of doubt, no revision of Provider’s privacy policy will alter Customer’s rights and remedies in this Attachment __.

D. Aggregate/Anonymized Data. Notwithstanding Section C (Use and Disclosure) of this Attachment __, Customer hereby authorizes Provider: (1) to Anonymize (as defined below) Customer Data and to combine it with data from other customers into a new aggregate dataset; and (2) to use such Anonymized Customer Data as a component of such new aggregate dataset for any legal business purpose, including without limitation for distribution to third parties. Without limiting the generality of the requirements for Anonymized data below, Provider shall: (a) implement technical safeguards that prohibit reversal of Anonymization of Customer Data; (b) implement business processes that specifically prohibit such reversal or recreation; (c) make no attempt to achieve such reversal; and (d) implement reasonable business processes to prevent inadvertent release of Anonymized Customer Data. (“Anonymize” refers to removal of Personal Information and any information reasonably likely to identify a company or other business entity; provided such revised data does not include and is not subject to any key, code, or other mechanism that could be used to restore such information.)

E. Injunction and Enforcement. Provider agrees that: (1) no adequate remedy exists at law if it fails to perform or breaches any of its obligations in this Attachment __; (2) it would be difficult to determine the damages resulting from its breach of this Attachment __, and such breach would cause irreparable harm to Customer; and (3) a grant of injunctive relieve provides the best remedy for any such breach, without any requirement that Customer prove actual damage or post a bond or other security. Provider waives any opposition to such injunctive relief or any right to such proof, bond, or other security. Provider’s obligations in this Attachment __ (without limitation) apply likewise to Provider’s successors, including without limitation to any trustee in bankruptcy. (This Section E does not limit either party’s right to injunctive relief from breaches not listed.)