SECURITY ADDENDUM (ENTERPRISE SAAS)
Arkansas Jurisdictional Version
1. SCOPE
Applies to Services under [SaaS Agreement name/date].
2. SECURITY PROGRAM
Provider maintains written information security program aligned to [ISO 27001/SOC 2], complying with Arkansas Personal Information Protection Act (Ark. Code Ann. Section 4-110-101 et seq.).
3. ACCESS CONTROLS
Role-based access; MFA for admin; least privilege; timely deprovisioning.
4. ENCRYPTION
TLS 1.2+ in transit; industry-standard encryption at rest.
5. NETWORK SECURITY
Environment segmentation; firewalls; DDoS protection.
6. APPLICATION SECURITY
Secure SDLC; code review; SAST/DAST.
7. VULNERABILITY MANAGEMENT
Regular scanning; Critical: [X] hours; High: [Y] days; Medium: [Z] days.
8. LOGGING AND MONITORING
Centralized logging; [X] days retention; anomaly alerting.
9. BC/DR
Documented plan; RPO [X hours]; RTO [Y hours]; tested [annually].
10. DATA SEGREGATION
Logical tenant isolation; data residency per [Regions].
11. PENETRATION TESTING
Independent tests [annually]; reports under NDA.
12. INCIDENT RESPONSE
12.1 Notification
Per Arkansas Personal Information Protection Act (Ark. Code Ann. Section 4-110-105), Provider shall notify Customer of any breach without unreasonable delay after determination that personal information was or is reasonably believed to have been acquired by an unauthorized person.
12.2 Content
Notification shall include: (1) description of incident; (2) type of information involved; (3) steps to protect from potential harm; (4) contact information; (5) toll-free numbers for credit reporting agencies.
13. AUDIT REPORTS
SOC 2/ISO 27001 upon request; onsite audits [once per year].
14. SUBPROCESSORS
Equivalent security standards required; [X] days notice for new subprocessors.
15. PHYSICAL SECURITY
Data centers with badges/biometrics, CCTV, environmental controls.
16. PERSONNEL SECURITY
Background checks where lawful; confidentiality agreements; annual training.
17. DATA RETURN/DELETION
Within [X] days of termination; secure deletion methods.
18. CHANGES TO CONTROLS
Material reductions require Customer consent.
19. ARKANSAS-SPECIFIC REQUIREMENTS
19.1 Personal Information Definition
Under Arkansas law: first name/initial and last name with SSN, driver's license, financial account number, or medical information.
19.2 Trade Secret Protection
Per Arkansas Trade Secrets Act (Ark. Code Ann. Section 4-75-601 et seq.).
19.3 E-Signatures
Per Arkansas UETA (Ark. Code Ann. Section 25-32-101 et seq.).
20. GOVERNING LAW
20.1 Law
Arkansas law without conflict-of-laws principles.
20.2 Forum
State and federal courts in Pulaski County, Arkansas.
20.3 Jury Waiver
PARTIES WAIVE JURY TRIAL TO FULLEST EXTENT PERMITTED.
20.4 Late Payment Interest
Per Master Agreement or 17% per annum maximum (Ark. Code Ann. Section 4-57-104).
CHECKLIST
☐ Master Agreement referenced
☐ Security framework identified
☐ Notification timeline specified
☐ Arkansas-licensed counsel review