SECURITY ADDENDUM (ENTERPRISE SAAS)
Alaska Jurisdictional Version
TABLE OF CONTENTS
- Scope and Order of Precedence
- Security Program
- Access Controls and Authentication
- Encryption
- Network and Infrastructure Security
- Application Security and SDLC
- Vulnerability Management
- Logging and Monitoring
- Business Continuity and Disaster Recovery
- Data Segregation and Residency
- Penetration Testing and Assessments
- Incident Response and Notification
- Audit and Compliance Reports
- Third-Party Subprocessors
- Physical Security
- Personnel Security and Training
- Data Return and Deletion
- Changes to Security Controls
- Alaska-Specific Data Protection Requirements
- Governing Law and Dispute Resolution
1. SCOPE AND ORDER OF PRECEDENCE
- Applies to the Services under the [SaaS Agreement name/date].
- If this Addendum conflicts with the SaaS Agreement or DPA on security matters, this Addendum governs; otherwise, the SaaS Agreement controls.
2. SECURITY PROGRAM
- Provider maintains a written information security program with administrative, technical, and physical safeguards appropriate to risk, aligned to [ISO 27001/SOC 2/other].
- Provider's security program shall comply with the Alaska Personal Information Protection Act (AS 45.48.010 et seq.) and all applicable federal and state data protection requirements.
- Provider shall implement reasonable security procedures and practices appropriate to the nature of the personal information being protected.
3. ACCESS CONTROLS AND AUTHENTICATION
- Role-based access; least privilege; MFA for administrative access; strong password/secret policies; session management; timely deprovisioning.
4. ENCRYPTION
- In transit: TLS [1.2/1.3] or better; at rest: industry-standard encryption for Customer Data stores.
- Key management: [KMS/HSM], separation of duties, rotation policies.
5. NETWORK AND INFRASTRUCTURE SECURITY
- Segmentation of environments (prod/non-prod); firewalls/security groups; DDoS protections; hardened images; configuration management and baselines.
6. APPLICATION SECURITY AND SDLC
- Secure development lifecycle with code review, dependency scanning, SAST/DAST for relevant components; change management with approvals and rollback plans.
7. VULNERABILITY MANAGEMENT
- Regular scanning; prioritization/remediation targets:
  - Critical: [X] hours/days; High: [Y] days; Medium: [Z] days; Low: [define].
- Patch management process; emergency patching for exploited vulnerabilities.
8. LOGGING AND MONITORING
- Centralized logging for auth, access, admin actions, and security events; time-synchronized; retention [X] days/months; alerting for anomalous events.
9. BUSINESS CONTINUITY AND DISASTER RECOVERY
- Documented BC/DR plan; tested [annually/semi-annually]; RPO [X hours], RTO [Y hours]; backups encrypted and tested for restoration.
10. DATA SEGREGATION AND RESIDENCY
- Logical/tenant isolation; data residency options [Regions] if offered; no relocation without notice and updated transfer mechanisms.
11. PENETRATION TESTING AND ASSESSMENTS
- Independent penetration tests [annually/semi-annually]; summary reports available under NDA; remediation tracked to closure.
- Customer-sourced testing requires prior written approval and coordinated scope.
12. INCIDENT RESPONSE AND NOTIFICATION
- Incident response plan with roles, runbooks, and communications.
- Notification to Customer without undue delay and within [X] hours of confirming a Security Incident affecting Customer Data; include nature, scope, mitigations, and recommended actions.
- In compliance with the Alaska Personal Information Protection Act (AS 45.48.010 et seq.), Provider shall notify Customer of any breach of security involving personal information in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and restore reasonable integrity of the data system.
- Written notification shall include: (1) description of the incident; (2) type of personal information involved; (3) contact information for further inquiries; (4) toll-free numbers for consumer reporting agencies; and (5) advice to remain vigilant for unauthorized transactions.
- Post-incident report for material incidents within [Y] business days.
13. AUDIT AND COMPLIANCE REPORTS
- Provide current SOC 2 / ISO 27001 certificate and summary upon request; significant exceptions disclosed with remediation plans.
- Onsite/customer audits: [once per year] with reasonable notice; subject to confidentiality and limited to security controls; time-and-materials fees apply if onsite.
14. THIRD-PARTY SUBPROCESSORS
- Subprocessors must meet equivalent security standards; list available at [URL/Annex]; notice of new subprocessors with [X] days to object on reasonable grounds; Provider remains liable.
- Subprocessors processing personal information of Alaska residents must comply with Alaska data protection requirements.
15. PHYSICAL SECURITY
- Data centers with industry-standard controls: access badges/biometrics, CCTV, visitor logging, environmental controls, and redundant power/cooling.
16. PERSONNEL SECURITY AND TRAINING
- Background checks where lawful for personnel with Customer Data access; confidentiality agreements; security and privacy training at onboarding and [annual] refreshers.
17. DATA RETURN AND DELETION
- Upon termination/expiry, Customer Data returned or deleted per Agreement/DPA within [X] days; secure deletion methods; backups aged out on standard cycles unless legal hold applies.
- Data deletion shall comply with Alaska data protection requirements, including verification of deletion and notification upon completion.
18. CHANGES TO SECURITY CONTROLS
- Material reductions not permitted without Customer consent; non-material updates allowed to improve or maintain security posture.
- Notice of material changes to contact [security contact].
19. ALASKA-SPECIFIC DATA PROTECTION REQUIREMENTS
19.1 Alaska Personal Information Protection Act Compliance
- Provider shall comply with the Alaska Personal Information Protection Act (AS 45.48.010 et seq.), including:
  - Implementing and maintaining reasonable security procedures and practices appropriate to the nature of the personal information;
  - Providing timely breach notification as required by AS 45.48.010;
  - Properly disposing of records containing personal information as required by AS 45.48.500.
19.2 Personal Information Definition
- "Personal information" under Alaska law means an individual's first name or first initial and last name, in combination with any one or more of the following data elements when either the name or the data elements are not encrypted or redacted:
  - Social security number;
  - Driver's license number or state identification card number;
  - Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
19.3 Alaska Trade Secret Protection
- Provider acknowledges that Customer's Confidential Information may include trade secrets as defined under the Alaska Uniform Trade Secrets Act (AS 45.50.910 et seq.) and the federal Defend Trade Secrets Act (18 U.S.C. section 1836 et seq.), and shall protect such information accordingly.
19.4 Alaska E-Signatures
- Electronic signatures under this Addendum shall be valid and enforceable pursuant to the Alaska Uniform Electronic Transactions Act (AS 09.80.010 et seq.) and the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act).
20. GOVERNING LAW AND DISPUTE RESOLUTION
20.1 Governing Law
This Addendum and any dispute arising out of or relating hereto shall be governed by and construed in accordance with the laws of the State of Alaska, without regard to its conflict of laws rules.
20.2 Forum Selection
Subject to any arbitration provisions in the Master Agreement, the Parties consent to the exclusive jurisdiction of the state and federal courts located in Anchorage, Alaska, for any litigation arising out of or relating to this Addendum, and waive any objection to venue or forum non conveniens.
20.3 Jury Trial Waiver
EACH PARTY HEREBY KNOWINGLY, VOLUNTARILY, AND IRREVOCABLY WAIVES ITS RIGHT TO A TRIAL BY JURY IN ANY ACTION OR PROCEEDING ARISING OUT OF OR RELATING TO THIS ADDENDUM, TO THE EXTENT SUCH WAIVER IS ENFORCEABLE UNDER ALASKA LAW.
20.4 Injunctive Relief
Each Party acknowledges that a breach of the security obligations herein would cause irreparable harm for which monetary damages are an inadequate remedy. Accordingly, in the event of any such breach, the non-breaching Party may seek injunctive relief in addition to any other remedy available at law or equity, without posting bond or other security.
20.5 Late Payment Interest
Late payments under this Addendum shall accrue interest at the rate specified in the Master Agreement, or if not specified, at a reasonable commercial rate agreed by the parties (note: Alaska does not have a general usury statute for commercial transactions).
CHECKLIST FOR EXECUTION
☐ All [PLACEHOLDER] values have been completed
☐ Master SaaS Agreement referenced in Section 1
☐ Security program framework identified (Section 2)
☐ Incident notification timeline specified (Section 12)
☐ Data residency requirements confirmed (Section 10)
☐ Document reviewed by Alaska-licensed legal counsel
☐ Both Parties have signed and dated