
SECURITY ADDENDUM (ENTERPRISE SAAS)

Alabama Jurisdictional Version


TABLE OF CONTENTS

  1. Scope and Order of Precedence
  2. Security Program
  3. Access Controls and Authentication
  4. Encryption
  5. Network and Infrastructure Security
  6. Application Security and SDLC
  7. Vulnerability Management
  8. Logging and Monitoring
  9. Business Continuity and Disaster Recovery
  10. Data Segregation and Residency
  11. Penetration Testing and Assessments
  12. Incident Response and Notification
  13. Audit and Compliance Reports
  14. Third-Party Subprocessors
  15. Physical Security
  16. Personnel Security and Training
  17. Data Return and Deletion
  18. Changes to Security Controls
  19. Alabama-Specific Data Protection Requirements
  20. Governing Law and Dispute Resolution

1. SCOPE AND ORDER OF PRECEDENCE

  • Applies to the Services under the [SaaS Agreement name/date].
  • If this Addendum conflicts with the SaaS Agreement or DPA on security matters, this Addendum governs; otherwise, the SaaS Agreement controls.

2. SECURITY PROGRAM

  • Provider maintains a written information security program with administrative, technical, and physical safeguards appropriate to risk, aligned to [ISO 27001/SOC 2/other].
  • Provider's security program shall comply with the Alabama Data Breach Notification Act (Ala. Code Section 8-38-1 et seq.) and all applicable federal and state data protection requirements.
  • Provider shall implement reasonable security measures to protect sensitive personally identifying information from unauthorized access, acquisition, destruction, use, modification, or disclosure.

3. ACCESS CONTROLS AND AUTHENTICATION

  • Role-based access; least privilege; MFA for administrative access; strong password/secret policies; session management; timely deprovisioning.

4. ENCRYPTION

  • In transit: TLS [1.2/1.3] or better; at rest: industry-standard encryption for Customer Data stores.
  • Key management: [KMS/HSM], separation of duties, rotation policies.

5. NETWORK AND INFRASTRUCTURE SECURITY

  • Segmentation of environments (prod/non-prod); firewalls/security groups; DDoS protections; hardened images; configuration management and baselines.

6. APPLICATION SECURITY AND SDLC

  • Secure development lifecycle with code review, dependency scanning, SAST/DAST for relevant components; change management with approvals and rollback plans.

7. VULNERABILITY MANAGEMENT

  • Regular scanning; prioritization/remediation targets:
      • Critical: [X] hours/days; High: [Y] days; Medium: [Z] days; Low: [define].
  • Patch management process; emergency patching for exploited vulnerabilities.

8. LOGGING AND MONITORING

  • Centralized logging for auth, access, admin actions, and security events; time-synchronized; retention [X] days/months; alerting for anomalous events.

9. BUSINESS CONTINUITY AND DISASTER RECOVERY

  • Documented BC/DR plan; tested [annually/semi-annually]; RPO [X hours], RTO [Y hours]; backups encrypted and tested for restoration.

10. DATA SEGREGATION AND RESIDENCY

  • Logical/tenant isolation; data residency options [Regions] if offered; no relocation without notice and updated transfer mechanisms.

11. PENETRATION TESTING AND ASSESSMENTS

  • Independent penetration tests [annually/semi-annually]; summary reports available under NDA; remediation tracked to closure.
  • Customer-sourced testing requires prior written approval and coordinated scope.

12. INCIDENT RESPONSE AND NOTIFICATION

  • Incident response plan with roles, runbooks, and communications.
  • Notification to Customer without undue delay and within [X] hours of confirming a Security Incident affecting Customer Data; include nature, scope, mitigations, and recommended actions.
  • In compliance with the Alabama Data Breach Notification Act (Ala. Code Section 8-38-1 et seq.), Provider shall notify Customer of any breach of security involving sensitive personally identifying information as expeditiously as possible and no later than 45 days following the determination that a breach has or is reasonably believed to have occurred, unless a shorter time is required under the circumstances.
  • Notification shall include: (1) date, estimated date, or date range of the breach; (2) description of the sensitive personally identifying information that was or is reasonably believed to have been acquired by an unauthorized person; (3) a general description of the breach; and (4) contact information for the covered entity.
  • Post-incident report for material incidents within [Y] business days.

13. AUDIT AND COMPLIANCE REPORTS

  • Provide current SOC 2 / ISO 27001 certificate and summary upon request; significant exceptions disclosed with remediation plans.
  • Onsite/customer audits: [once per year] with reasonable notice; subject to confidentiality and limited to security controls; time/materials fees if onsite.

14. THIRD-PARTY SUBPROCESSORS

  • Subprocessors must meet equivalent security standards; list available at [URL/Annex]; notice of new subprocessors with [X] days to object on reasonable grounds; Provider remains liable.
  • Subprocessors processing sensitive personally identifying information of Alabama residents must comply with Alabama Data Breach Notification Act requirements.

15. PHYSICAL SECURITY

  • Data centers with industry-standard controls: access badges/biometrics, CCTV, visitor logging, environmental controls, and redundant power/cooling.

16. PERSONNEL SECURITY AND TRAINING

  • Background checks where lawful for personnel with Customer Data access; confidentiality agreements; security and privacy training at onboarding and [annual] refreshers.

17. DATA RETURN AND DELETION

  • Upon termination/expiry, Customer Data returned or deleted per Agreement/DPA within [X] days; secure deletion methods; backups aged out on standard cycles unless legal hold applies.
  • Data destruction shall include notification to Customer upon completion and reasonable documentation of the destruction method used.

18. CHANGES TO SECURITY CONTROLS

  • Material reductions not permitted without Customer consent; non-material updates allowed to improve or maintain security posture.
  • Notice of material changes to contact [security contact].

19. ALABAMA-SPECIFIC DATA PROTECTION REQUIREMENTS

19.1 Alabama Data Breach Notification Act Compliance

  • Provider shall comply with the Alabama Data Breach Notification Act (Ala. Code Section 8-38-1 et seq.), including:
      • Implementing and maintaining reasonable security measures to protect sensitive personally identifying information;
      • Conducting a good faith and prompt investigation upon learning of a potential breach;
      • Providing timely notification within 45 days of determining a breach has occurred;
      • Notifying the Alabama Attorney General if more than 1,000 Alabama residents are affected.

19.2 Sensitive Personally Identifying Information Definition

  • "Sensitive personally identifying information" under Alabama law includes an Alabama resident's first name or first initial and last name, in combination with one or more of the following:
      • Non-truncated Social Security number or tax identification number;
      • Non-truncated driver's license number, state-issued ID number, passport number, military ID number, or other unique ID number issued on a government document used to verify identity;
      • Financial account number, including bank account number, credit card number, or debit card number, combined with any security code, access code, password, expiration date, or PIN needed to access the account or conduct a transaction;
      • Medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
      • Health insurance policy number or subscriber identification number combined with a unique identifier used by the insurer;
      • User name or email address combined with a password or security question and answer permitting access to an online account.

19.3 Alabama Trade Secret Protection

  • Provider acknowledges that Customer's Confidential Information may include trade secrets as defined under the Alabama Trade Secrets Act (Ala. Code Section 8-27-1 et seq.) and the federal Defend Trade Secrets Act (18 U.S.C. section 1836 et seq.), and shall protect such information accordingly.

19.4 Alabama E-Signatures

  • Electronic signatures under this Addendum shall be valid and enforceable pursuant to the Alabama Uniform Electronic Transactions Act (Ala. Code Section 8-1A-1 et seq.) and the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act).

20. GOVERNING LAW AND DISPUTE RESOLUTION

20.1 Governing Law

This Addendum and any dispute arising out of or relating hereto shall be governed by and construed in accordance with the laws of the State of Alabama, without regard to its conflict of laws rules.

20.2 Forum Selection

Subject to any arbitration provisions in the Master Agreement, the Parties consent to the exclusive jurisdiction of the state and federal courts located in Montgomery County / Jefferson County, Alabama, for any litigation arising out of or relating to this Addendum, and waive any objection to venue or forum non conveniens.

20.3 Jury Trial Waiver

EACH PARTY HEREBY KNOWINGLY, VOLUNTARILY, AND IRREVOCABLY WAIVES ITS RIGHT TO A TRIAL BY JURY IN ANY ACTION OR PROCEEDING ARISING OUT OF OR RELATING TO THIS ADDENDUM, TO THE EXTENT SUCH WAIVER IS ENFORCEABLE UNDER ALABAMA LAW.

20.4 Injunctive Relief

Each Party acknowledges that a breach of the security obligations herein would cause irreparable harm for which monetary damages are an inadequate remedy. Accordingly, in the event of any such breach, the non-breaching Party may seek injunctive relief in addition to any other remedy available at law or equity, without posting bond or other security.

20.5 Late Payment Interest

Late payments under this Addendum shall accrue interest at the rate specified in the Master Agreement, or if not specified, at 8% per annum (the default rate under Ala. Code Section 8-8-1), or such other rate as agreed by the parties not exceeding the maximum permitted by applicable law.


CHECKLIST FOR EXECUTION

☐ All [PLACEHOLDER] values have been completed
☐ Master SaaS Agreement referenced in Section 1
☐ Security program framework identified (Section 2)
☐ Incident notification timeline specified (Section 12)
☐ Data residency requirements confirmed (Section 10)
☐ Document reviewed by Alabama-licensed legal counsel
☐ Both Parties have signed and dated
