Security Addendum - Enterprise
SECURITY ADDENDUM -- ENTERPRISE
Addendum Effective Date: [__/__/____]
Addendum Number: [________________________________]
PARTIES
Customer ("Customer"):
| Field | Details |
|---|---|
| Legal Name | [________________________________] |
| Address | [________________________________] |
| State of Organization | [________________________________] |
| Primary Security Contact | [________________________________] |
| Security Contact Email | [________________________________] |
Provider ("Provider"):
| Field | Details |
|---|---|
| Legal Name | [________________________________] |
| Address | [________________________________] |
| State of Organization | [________________________________] |
| Primary Security Contact | [________________________________] |
| Security Contact Email | [________________________________] |
RECITALS
WHEREAS, Customer and Provider have entered into that certain Master Agreement dated [__/__/____] (the "Master Agreement"), pursuant to which Provider delivers certain services (the "Services") to Customer;
WHEREAS, the provision of Services involves Provider's access to, processing of, or storage of Customer Data (as defined herein), and the Parties desire to establish binding security obligations governing Provider's handling of such Customer Data;
WHEREAS, both Parties recognize the importance of maintaining robust information security controls consistent with recognized industry standards, including but not limited to the NIST Cybersecurity Framework (CSF) 2.0, ISO/IEC 27001:2022, and SOC 2 Type II Trust Services Criteria; and
WHEREAS, this Security Addendum supplements and is incorporated into the Master Agreement and any associated Data Processing Addendum.
NOW, THEREFORE, in consideration of the mutual covenants set forth herein and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
TABLE OF CONTENTS
- Reference to Master Agreement and Order of Precedence
- Definitions
- Security Program Requirements
- Access Controls
- Network Security
- Encryption Standards
- Application Security and Secure Development
- Vulnerability Management
- Penetration Testing
- Logging and Monitoring
- Incident Response and Breach Notification
- Business Continuity and Disaster Recovery
- Data Segregation and Residency
- Personnel Security
- Physical Security
- Subprocessor Security Requirements
- Compliance and Certifications
- Audit Rights
- Security SLA Metrics
- Data Return and Destruction
- Changes to Security Controls
- General Provisions
- Signatures
1. REFERENCE TO MASTER AGREEMENT AND ORDER OF PRECEDENCE
1.1 This Security Addendum ("Addendum") is entered into pursuant to and supplements the Master Agreement between the Parties dated [__/__/____] (the "Master Agreement"). All capitalized terms not defined herein shall have the meanings ascribed to them in the Master Agreement or any associated Data Processing Addendum ("DPA").
1.2 In the event of any conflict or inconsistency between this Addendum and the Master Agreement or DPA on matters relating to information security, data protection controls, or incident response, the terms of this Addendum shall prevail to the extent of such conflict. On all other matters, the Master Agreement shall control.
1.3 This Addendum shall remain in effect for the duration of the Master Agreement and for so long thereafter as Provider retains any Customer Data.
2. DEFINITIONS
For purposes of this Addendum, the following definitions apply:
2.1 "Authorized Personnel" means Provider's employees, contractors, or agents who have a demonstrated business need to access Customer Data and who have been vetted and trained in accordance with Section 14.
2.2 "Customer Data" means all data, information, records, files, and materials (in any form or medium) that are provided by or on behalf of Customer to Provider, or that Provider accesses, processes, stores, or transmits in connection with the Services, including Personal Data as defined by applicable law.
2.3 "Data Breach" or "Security Incident" means any confirmed or reasonably suspected unauthorized access to, acquisition of, use of, disclosure of, or loss of Customer Data, or any event that compromises the confidentiality, integrity, or availability of Customer Data or the systems processing such data.
2.4 "Information Security Program" means Provider's documented, comprehensive program of administrative, technical, and physical safeguards designed to protect Customer Data, as described in Section 3.
2.5 "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws, including but not limited to the GDPR, CCPA/CPRA, and state breach notification statutes.
2.6 "Security Standards" means the applicable industry standards and frameworks against which Provider's Information Security Program is measured, including NIST CSF 2.0, ISO/IEC 27001:2022, SOC 2 Type II Trust Services Criteria, and any additional standards specified in Section 17.
2.7 "Subprocessor" means any third party engaged by Provider to process Customer Data on Provider's behalf in connection with the Services.
2.8 "Vulnerability" means a weakness in an information system, security procedure, internal control, or implementation that could be exploited by a threat source, classified by severity using the Common Vulnerability Scoring System (CVSS).
3. SECURITY PROGRAM REQUIREMENTS
3.1 General Obligation. Provider shall establish, implement, and maintain a written Information Security Program that includes administrative, technical, and physical safeguards appropriate to the nature, size, and complexity of Provider's operations and the sensitivity of Customer Data. The Information Security Program shall be designed to:
- (a) Protect the confidentiality, integrity, and availability of Customer Data;
- (b) Protect against reasonably anticipated threats or hazards to the security of Customer Data;
- (c) Protect against unauthorized access to or use of Customer Data; and
- (d) Ensure compliance with applicable laws, regulations, and industry standards.
3.2 Administrative Safeguards. Provider shall implement the following administrative safeguards:
- (a) Designation of a qualified Chief Information Security Officer (CISO) or equivalent responsible for the Information Security Program;
- (b) Documented information security policies and procedures reviewed and updated at least annually;
- (c) Regular risk assessments conducted at least annually, with documented findings and remediation plans;
- (d) Security awareness training for all personnel with access to Customer Data;
- (e) A documented incident response plan tested at least annually; and
- (f) Vendor and third-party risk management program.
3.3 Technical Safeguards. Provider shall implement technical safeguards as described in Sections 4 through 10 of this Addendum.
3.4 Physical Safeguards. Provider shall implement physical safeguards as described in Section 15 of this Addendum.
3.5 Framework Alignment. Provider's Information Security Program shall be aligned with the following framework(s):
☐ NIST Cybersecurity Framework (CSF) 2.0
☐ ISO/IEC 27001:2022
☐ SOC 2 Type II Trust Services Criteria
☐ NIST SP 800-53 Rev. 5
☐ CIS Controls v8
☐ Other: [________________________________]
4. ACCESS CONTROLS
4.1 General Access Control Requirements. Provider shall implement and maintain access controls that ensure only Authorized Personnel have access to Customer Data on a least-privilege, need-to-know basis.
4.2 Authentication Requirements. Provider shall implement the following authentication controls:
☐ Multi-Factor Authentication (MFA) for all administrative and privileged access to systems processing Customer Data
☐ Multi-Factor Authentication (MFA) for all remote access to Provider's network and systems
☐ Multi-Factor Authentication (MFA) for all user access to Customer Data
☐ Role-Based Access Control (RBAC) enforced across all systems processing Customer Data
☐ Single Sign-On (SSO) integration using SAML 2.0 or OpenID Connect for Customer-facing applications
☐ Encryption at Rest for all stored credentials using AES-256 or equivalent
☐ Encryption in Transit for all credential transmissions using TLS 1.2 or higher
4.3 Password and Credential Policies. Provider shall enforce password policies requiring:
- (a) Minimum password length of [____] characters (minimum 12 recommended);
- (b) Complexity requirements including uppercase, lowercase, numeric, and special characters;
- (c) Password rotation at intervals not to exceed [____] days for privileged accounts;
- (d) Prohibition against the reuse of the previous [____] passwords;
- (e) Account lockout after [____] consecutive failed authentication attempts; and
- (f) Secure storage of passwords using industry-standard hashing algorithms (e.g., bcrypt, Argon2).
4.4 Session Management. Provider shall enforce automatic session timeout after [____] minutes of inactivity for all sessions involving access to Customer Data.
4.5 Access Reviews. Provider shall conduct formal access reviews at least quarterly for privileged accounts and at least semi-annually for all other accounts with access to Customer Data, documenting all reviews and remediating inappropriate access promptly.
4.6 Deprovisioning. Provider shall revoke access to Customer Data and related systems within twenty-four (24) hours of an Authorized Personnel member's termination or role change that eliminates the need for such access.
5. NETWORK SECURITY
5.1 Network Segmentation. Provider shall maintain logical and/or physical segmentation between:
- (a) Production and non-production environments;
- (b) Customer Data processing environments and Provider's corporate network;
- (c) Different customers' data environments (multi-tenant isolation); and
- (d) Internet-facing systems and internal systems.
5.2 Perimeter and Internal Controls. Provider shall deploy and maintain:
- (a) Next-generation firewalls with application-layer filtering at all network boundaries;
- (b) Intrusion Detection and Prevention Systems (IDS/IPS) monitoring network traffic;
- (c) Web Application Firewalls (WAF) protecting internet-facing applications;
- (d) DDoS mitigation and protection services;
- (e) DNS security controls; and
- (f) Network access control (NAC) for endpoint connectivity.
5.3 Wireless Security. Any wireless networks with connectivity to systems processing Customer Data shall use WPA3 or equivalent encryption and shall be segregated from production environments.
5.4 Remote Access. All remote access to systems processing Customer Data shall be conducted through encrypted VPN connections or equivalent secure access solutions with MFA, as specified in Section 4.2.
6. ENCRYPTION STANDARDS
6.1 Encryption in Transit. All Customer Data transmitted over any network shall be encrypted using TLS 1.2 or higher. TLS 1.3 is preferred where supported. Deprecated protocols (SSL, TLS 1.0, TLS 1.1) shall not be used.
6.2 Encryption at Rest. All Customer Data stored by Provider shall be encrypted at rest using AES-256 or equivalent industry-standard encryption algorithms. This includes data stored on:
- (a) Databases and data warehouses;
- (b) File storage systems and object storage;
- (c) Backups and archives;
- (d) Removable media (where authorized); and
- (e) Logs containing Customer Data.
6.3 Key Management. Provider shall implement key management practices including:
- (a) Use of a dedicated Key Management System (KMS) or Hardware Security Module (HSM);
- (b) Separation of duties between key custodians;
- (c) Key rotation at intervals not to exceed [____] days (365 days recommended);
- (d) Secure key storage separate from encrypted data; and
- (e) Key destruction procedures upon expiration or compromise.
7. APPLICATION SECURITY AND SECURE DEVELOPMENT
7.1 Secure Development Lifecycle (SDLC). Provider shall maintain a documented secure development lifecycle incorporating security at each phase of development, including:
- (a) Secure coding standards and guidelines;
- (b) Security requirements definition during design phases;
- (c) Peer code review with security focus;
- (d) Static Application Security Testing (SAST) integrated into CI/CD pipelines;
- (e) Dynamic Application Security Testing (DAST) on pre-production environments;
- (f) Software Composition Analysis (SCA) for open-source dependency scanning;
- (g) Container image scanning for containerized deployments; and
- (h) Security sign-off prior to production deployment.
7.2 Change Management. All changes to production systems processing Customer Data shall be subject to a formal change management process including documented approval, testing, and rollback procedures.
8. VULNERABILITY MANAGEMENT
8.1 Scanning. Provider shall conduct automated vulnerability scanning of all systems processing Customer Data at the following minimum frequencies:
- (a) External-facing systems: at least weekly;
- (b) Internal systems: at least monthly; and
- (c) Web applications: at least monthly, with additional scanning after significant code changes.
8.2 Remediation Timelines. Provider shall remediate identified vulnerabilities according to the following timelines based on CVSS severity scores:
| Severity | CVSS Score | Remediation Timeline |
|---|---|---|
| Critical | 9.0 - 10.0 | [____] hours (72 hours recommended) |
| High | 7.0 - 8.9 | [____] days (7 days recommended) |
| Medium | 4.0 - 6.9 | [____] days (30 days recommended) |
| Low | 0.1 - 3.9 | [____] days (90 days recommended) |
8.3 Emergency Patching. For actively exploited zero-day vulnerabilities affecting systems processing Customer Data, Provider shall apply emergency patches or implement compensating controls within twenty-four (24) hours of patch availability or threat identification.
8.4 Patch Management. Provider shall maintain a documented patch management process that includes patch testing, staged rollout, and verification procedures.
9. PENETRATION TESTING
9.1 Independent Testing. Provider shall engage a qualified, independent third-party penetration testing firm to conduct comprehensive penetration tests of the systems and applications used to process Customer Data at least annually. Testing scope shall include:
- (a) External network penetration testing;
- (b) Internal network penetration testing;
- (c) Web application penetration testing;
- (d) API security testing;
- (e) Social engineering testing (if agreed upon); and
- (f) Cloud configuration review (if applicable).
9.2 Reporting. Provider shall make executive summary reports of penetration test results available to Customer under confidentiality obligations within thirty (30) days of test completion. Reports shall include findings, risk ratings, and remediation plans.
9.3 Remediation. Critical and high findings from penetration tests shall be remediated or mitigated in accordance with the timelines set forth in Section 8.2.
9.4 Customer-Initiated Testing. Customer may conduct or commission its own penetration testing of Provider's systems upon [____] days' prior written notice, subject to:
- (a) Mutual agreement on scope and testing methodology;
- (b) Testing during agreed-upon windows to minimize operational disruption;
- (c) Customer's assumption of responsibility for damages caused by testing; and
- (d) Confidentiality obligations regarding test results.
10. LOGGING AND MONITORING
10.1 Logging Requirements. Provider shall maintain comprehensive, tamper-evident logs of all security-relevant events on systems processing Customer Data, including but not limited to:
- (a) Authentication events (successful and failed login attempts);
- (b) Authorization events (access grants, denials, privilege changes);
- (c) Administrative and privileged user actions;
- (d) Data access, modification, and deletion events;
- (e) System and application configuration changes;
- (f) Network connection events and firewall logs; and
- (g) Security alerts and incident-related events.
10.2 Log Management. Logs shall be:
- (a) Centralized in a Security Information and Event Management (SIEM) system;
- (b) Time-synchronized using NTP or equivalent;
- (c) Retained for a minimum of [____] days (365 days recommended);
- (d) Protected against unauthorized modification or deletion; and
- (e) Available to Customer upon reasonable request for incident investigation purposes.
10.3 Monitoring and Alerting. Provider shall implement 24/7/365 security monitoring with automated alerting for anomalous or suspicious activity, including but not limited to unusual access patterns, privilege escalation attempts, and indicators of compromise.
11. INCIDENT RESPONSE AND BREACH NOTIFICATION
11.1 Incident Response Plan. Provider shall maintain a documented Incident Response Plan that includes:
- (a) Designated incident response team with defined roles and responsibilities;
- (b) Incident classification and severity levels;
- (c) Escalation procedures and communication protocols;
- (d) Containment, eradication, and recovery procedures;
- (e) Evidence preservation and forensic investigation procedures;
- (f) Post-incident review and lessons-learned processes; and
- (g) Annual tabletop exercises and plan testing.
11.2 Notification to Customer. Provider shall notify Customer of any confirmed or reasonably suspected Security Incident affecting Customer Data without undue delay and in no event later than [____] hours (48 hours recommended) after confirmation. Initial notification shall include, to the extent then known:
- (a) The nature and scope of the Security Incident;
- (b) The type of Customer Data affected;
- (c) The estimated number of affected data subjects;
- (d) The date and time of discovery;
- (e) Steps taken to contain and remediate the incident;
- (f) Recommended protective actions for Customer; and
- (g) Identity and contact information for Provider's incident response lead.
11.3 Ongoing Communication. Provider shall provide regular updates to Customer regarding the investigation and remediation of any Security Incident and shall cooperate fully with Customer's own investigation.
11.4 Breach Notification Compliance. Provider acknowledges that Customer may be subject to breach notification requirements under various federal, state, and international laws. Provider shall cooperate with Customer to ensure compliance with all applicable notification obligations, including but not limited to:
- (a) Federal: HIPAA/HITECH (45 C.F.R. §§ 164.400-414), Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.), SEC Regulation S-P;
- (b) State: Applicable state breach notification statutes (all 50 states and U.S. territories have enacted breach notification laws); and
- (c) International: GDPR Article 33 (72-hour notification to supervisory authority), UK GDPR, and other applicable international data protection laws.
11.5 Post-Incident Report. Provider shall deliver a written post-incident report for any material Security Incident within [____] business days (15 business days recommended) of incident closure, including root cause analysis, timeline, impact assessment, remediation actions taken, and measures implemented to prevent recurrence.
11.6 Costs. Unless the Security Incident resulted from Customer's sole negligence, Provider shall bear all costs associated with investigating and remediating Security Incidents caused by Provider's breach of this Addendum, including reasonable costs of forensic investigation, notification, credit monitoring, and regulatory engagement.
12. BUSINESS CONTINUITY AND DISASTER RECOVERY
12.1 BC/DR Plan. Provider shall maintain documented Business Continuity and Disaster Recovery plans that address the Services and systems used to process Customer Data.
12.2 Recovery Objectives. Provider shall maintain the following recovery objectives for the Services:
| Metric | Target |
|---|---|
| Recovery Point Objective (RPO) | [____] hours |
| Recovery Time Objective (RTO) | [____] hours |
| Maximum Tolerable Downtime (MTD) | [____] hours |
12.3 Backups. Provider shall maintain encrypted backups of Customer Data at geographically separate locations from primary production systems, tested for restoration integrity at least quarterly.
12.4 Testing. Provider shall test its BC/DR plans at least [annually / semi-annually] and shall provide test results and a summary of lessons learned to Customer upon request.
13. DATA SEGREGATION AND RESIDENCY
13.1 Tenant Isolation. In multi-tenant environments, Provider shall implement logical separation controls to ensure that Customer Data is isolated from other customers' data and that cross-tenant access is not possible.
13.2 Environment Segregation. Customer Data shall not be used in non-production environments unless anonymized, pseudonymized, or with Customer's prior written consent and equivalent security controls.
13.3 Data Residency. Customer Data shall be stored and processed only in the following approved regions:
☐ United States
☐ European Economic Area (EEA)
☐ United Kingdom
☐ Canada
☐ Other: [________________________________]
Provider shall not relocate Customer Data to another jurisdiction without Customer's prior written consent and implementation of appropriate transfer mechanisms.
14. PERSONNEL SECURITY
14.1 Background Checks. Provider shall conduct background checks (to the extent permitted by applicable law) on all personnel who will have access to Customer Data prior to granting such access. Background checks shall include, at minimum, criminal history, identity verification, and employment history verification.
14.2 Confidentiality Agreements. All Provider personnel with access to Customer Data shall execute written confidentiality or non-disclosure agreements prior to being granted access.
14.3 Security Training. Provider shall require all personnel with access to Customer Data to complete:
- (a) Security awareness training at onboarding and at least annually thereafter;
- (b) Phishing simulation exercises at least quarterly;
- (c) Role-specific security training for personnel in security-sensitive roles; and
- (d) Training on this Addendum's requirements where relevant to their role.
14.4 Acceptable Use. Provider shall maintain and enforce acceptable use policies governing the use of systems, devices, and networks used to access or process Customer Data.
15. PHYSICAL SECURITY
15.1 Data Center Controls. All data centers and facilities where Customer Data is stored or processed shall maintain the following physical security controls:
- (a) Perimeter security with controlled entry points;
- (b) Multi-factor access control (badge/card plus biometric) for server rooms and data halls;
- (c) 24/7 video surveillance (CCTV) with a minimum of [____] days of recording retention;
- (d) Visitor access logging and escort requirements;
- (e) Environmental controls including fire suppression, climate control, and water detection;
- (f) Redundant power supply and uninterruptible power systems (UPS); and
- (g) Redundant network connectivity.
16. SUBPROCESSOR SECURITY REQUIREMENTS
16.1 Equivalent Obligations. Provider shall ensure that all Subprocessors that access, process, or store Customer Data are contractually bound to security obligations no less protective than those set forth in this Addendum.
16.2 Due Diligence. Provider shall conduct security due diligence on all Subprocessors prior to engagement and at least annually thereafter, including review of security certifications, policies, and incident history.
16.3 Subprocessor List. Provider shall maintain a current list of all Subprocessors that access Customer Data, including entity name, location, services performed, and data types accessed, and shall make such list available to Customer upon request.
16.4 New Subprocessors. Provider shall provide Customer with at least [____] days (30 days recommended) prior written notice before engaging a new Subprocessor that will access Customer Data, during which time Customer may object on reasonable, documented security grounds.
16.5 Liability. Provider shall remain fully liable for the acts and omissions of its Subprocessors in connection with Customer Data.
17. COMPLIANCE AND CERTIFICATIONS
17.1 Required Certifications and Attestations. Provider shall obtain and maintain the following certifications and/or attestation reports:
☐ SOC 2 Type II Report (Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, Privacy -- select applicable)
☐ ISO/IEC 27001:2022 Certification
☐ HITRUST CSF Certification
☐ FedRAMP Authorization (indicate level: Low / Moderate / High)
☐ PCI DSS Compliance (indicate level and version: [________________________________])
☐ ISO/IEC 27701:2019 (Privacy Information Management)
☐ CSA STAR Certification (Cloud Security Alliance)
☐ Other: [________________________________]
17.2 Report Availability. Provider shall make current copies of all applicable certification reports and audit summaries available to Customer under confidentiality obligations within [____] business days of request. Provider shall promptly disclose any material exceptions, qualifications, or findings identified in such reports, together with remediation plans and timelines.
17.3 Regulatory Compliance. Provider shall comply with all applicable laws, regulations, and industry standards relating to information security, including but not limited to those referenced elsewhere in this Addendum.
18. AUDIT RIGHTS
18.1 Customer Audit Rights. Customer (or its designated independent third-party auditor, subject to reasonable confidentiality obligations) shall have the right to audit Provider's compliance with this Addendum:
- (a) Up to [____] time(s) per year (once per year minimum) with [____] business days' prior written notice;
- (b) Audits shall be conducted during normal business hours and shall be limited to the scope of this Addendum;
- (c) Provider shall cooperate fully with such audits, including providing access to facilities, systems, personnel, and documentation relevant to Provider's processing of Customer Data; and
- (d) Provider shall remediate any material findings within a timeframe mutually agreed upon by the Parties.
18.2 Regulatory Audits. Provider shall cooperate with any audit or investigation by a governmental or regulatory authority relating to Customer Data or Provider's Information Security Program.
18.3 Audit Costs. Each Party shall bear its own costs in connection with audits conducted under this Section, except that if an audit reveals a material breach of this Addendum by Provider, Provider shall bear all reasonable audit costs.
19. SECURITY SLA METRICS
19.1 Security Service Level Targets. Provider shall measure and report on the following security metrics on a quarterly basis (or as otherwise agreed):
| Metric | Target | Measurement |
|---|---|---|
| Uptime / Availability | [____]% (e.g., 99.9%) | Monthly |
| Mean Time to Detect (MTTD) Security Incidents | [____] hours | Per incident |
| Mean Time to Respond (MTTR) to Security Incidents | [____] hours | Per incident |
| Critical Vulnerability Remediation | [____] hours | Per vulnerability |
| High Vulnerability Remediation | [____] days | Per vulnerability |
| Patch Currency (critical patches applied within SLA) | [____]% | Monthly |
| Penetration Test Completion | Annually | Annual confirmation |
| Security Awareness Training Completion | [____]% of personnel | Annual |
| Access Review Completion | 100% on schedule | Quarterly |
| Backup Restoration Test Success Rate | [____]% | Quarterly |
19.2 Reporting. Provider shall deliver security metrics reports to Customer on a [monthly / quarterly] basis at Customer's designated security contact.
19.3 Failure to Meet SLAs. Persistent failure to meet the security SLA targets set forth above shall constitute a material breach of this Addendum, subject to the cure provisions of the Master Agreement.
20. DATA RETURN AND DESTRUCTION
20.1 Return. Upon expiration or termination of the Master Agreement, or upon Customer's written request, Provider shall return all Customer Data to Customer in a commonly used, machine-readable format within [____] days (30 days recommended).
20.2 Destruction. Following confirmation of successful data return (or upon Customer's written instruction to destroy in lieu of return), Provider shall securely destroy all copies of Customer Data in its possession or control, including backups, using methods consistent with NIST SP 800-88 Guidelines for Media Sanitization, within [____] days (60 days recommended for backup rotation).
20.3 Certification. Provider shall provide written certification of data destruction within [____] business days of completion.
20.4 Legal Hold. The obligations of this Section shall not apply to the extent Provider is required by applicable law to retain copies of Customer Data, provided Provider notifies Customer of such requirement and continues to protect any retained data in accordance with this Addendum.
21. CHANGES TO SECURITY CONTROLS
21.1 Material Changes. Provider shall not materially reduce or diminish the security protections provided under this Addendum without Customer's prior written consent.
21.2 Improvements. Provider may implement changes that improve or enhance its security posture without Customer's prior consent, provided such changes do not materially alter the scope or nature of the security controls described herein.
21.3 Notice. Provider shall provide Customer with at least [____] days' prior written notice of any material changes to its Information Security Program that may affect the security of Customer Data.
22. GENERAL PROVISIONS
22.1 Entire Agreement. This Addendum, together with the Master Agreement and any DPA, constitutes the entire agreement of the Parties with respect to the subject matter hereof and supersedes all prior agreements and understandings relating to information security.
22.2 Amendments. This Addendum may be amended only by a written instrument signed by authorized representatives of both Parties.
22.3 Severability. If any provision of this Addendum is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
22.4 Survival. Sections 2 (Definitions), 11 (Incident Response and Breach Notification), 18 (Audit Rights), 20 (Data Return and Destruction), and any other provisions that by their nature should survive, shall survive the expiration or termination of this Addendum.
23. SIGNATURES
IN WITNESS WHEREOF, the Parties have executed this Security Addendum as of the Addendum Effective Date.
CUSTOMER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
PROVIDER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
IMPLEMENTATION CHECKLIST
☐ Master Agreement referenced and attached
☐ Security framework(s) selected in Section 3.5
☐ Authentication requirements confirmed in Section 4.2
☐ Data residency regions selected in Section 13.3
☐ Required certifications selected in Section 17.1
☐ All bracketed fields completed with agreed values
☐ Vulnerability remediation timelines agreed in Section 8.2
☐ Incident notification timeline agreed in Section 11.2
☐ Security SLA metrics and targets agreed in Section 19.1
☐ Subprocessor notice period agreed in Section 16.4
☐ Audit frequency and notice period agreed in Section 18.1
☐ Data return and destruction timelines agreed in Section 20
☐ Reviewed by qualified legal counsel
☐ Reviewed by qualified information security professionals
☐ Signed by authorized representatives of both Parties
SOURCES AND REFERENCES
- NIST Cybersecurity Framework (CSF) 2.0 -- https://www.nist.gov/cyberframework
- NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization -- https://csrc.nist.gov/pubs/sp/800/88/r1/final
- ISO/IEC 27001:2022 Information Security Management Systems -- https://www.iso.org/standard/27001
- AICPA SOC 2 Trust Services Criteria -- https://www.aicpa.org/soc2
- GDPR Article 32 Security of Processing -- https://gdpr-info.eu/art-32-gdpr/
- CCPA/CPRA Cal. Civ. Code § 1798.100 et seq. -- https://leginfo.legislature.ca.gov/
- HIPAA Security Rule 45 C.F.R. Part 164 Subpart C -- https://www.hhs.gov/hipaa/
- PCI DSS v4.0 -- https://www.pcisecuritystandards.org/
Last updated: April 2026