SECURITY ADDENDUM -- ENTERPRISE (ARKANSAS)
Addendum Effective Date: [__/__/____]
Addendum Number: [________________________________]
PARTIES
Customer ("Customer"):
| Field | Details |
|---|---|
| Legal Name | [________________________________] |
| Address | [________________________________] |
| State of Organization | [________________________________] |
| Primary Security Contact | [________________________________] |
| Security Contact Email | [________________________________] |
Provider ("Provider"):
| Field | Details |
|---|---|
| Legal Name | [________________________________] |
| Address | [________________________________] |
| State of Organization | [________________________________] |
| Primary Security Contact | [________________________________] |
| Security Contact Email | [________________________________] |
RECITALS
WHEREAS, Customer and Provider have entered into that certain Master Agreement dated [__/__/____] (the "Master Agreement"), pursuant to which Provider delivers certain services (the "Services") to Customer;
WHEREAS, the provision of Services involves Provider's access to, processing of, or storage of Customer Data, and the Parties desire to establish binding security obligations governing Provider's handling of such data;
WHEREAS, the Parties acknowledge that the handling of personal information of Arkansas residents is subject to the Arkansas Personal Information Protection Act, Ark. Code Ann. § 4-110-101 et seq., including the breach notification requirements of Ark. Code Ann. § 4-110-105;
WHEREAS, this Security Addendum supplements and is incorporated into the Master Agreement and is governed by Arkansas law; and
NOW, THEREFORE, the Parties agree as follows:
TABLE OF CONTENTS
- Reference to Master Agreement and Order of Precedence
- Definitions
- Security Program Requirements
- Access Controls
- Network Security
- Encryption Standards
- Application Security and Secure Development
- Vulnerability Management
- Penetration Testing
- Logging and Monitoring
- Incident Response and Breach Notification
- Business Continuity and Disaster Recovery
- Data Segregation and Residency
- Personnel Security
- Physical Security
- Subprocessor Security Requirements
- Compliance and Certifications
- Audit Rights
- Security SLA Metrics
- Data Return and Destruction
- Arkansas-Specific Provisions
- General Provisions
- Signatures
1. REFERENCE TO MASTER AGREEMENT AND ORDER OF PRECEDENCE
1.1 This Security Addendum ("Addendum") supplements the Master Agreement between the Parties dated [__/__/____]. All capitalized terms not defined herein shall have the meanings ascribed to them in the Master Agreement or any associated Data Processing Addendum ("DPA").
1.2 In the event of conflict between this Addendum and the Master Agreement on matters relating to information security, data protection, or incident response, this Addendum shall prevail to the extent of such conflict.
1.3 This Addendum shall remain in effect for the duration of the Master Agreement and for so long thereafter as Provider retains any Customer Data.
2. DEFINITIONS
2.1 "Authorized Personnel" means Provider's employees, contractors, or agents who have a demonstrated business need to access Customer Data and who have been vetted and trained in accordance with Section 14.
2.2 "Customer Data" means all data, information, records, files, and materials provided by or on behalf of Customer to Provider, or that Provider accesses, processes, stores, or transmits in connection with the Services, including Personal Information as defined by Arkansas law.
2.3 "Data Breach" or "Security Incident" means any confirmed or reasonably suspected unauthorized access to, acquisition of, use of, disclosure of, or loss of Customer Data, or any event that compromises the confidentiality, integrity, or availability of Customer Data or the systems processing such data.
2.4 "Personal Information" means, consistent with Ark. Code Ann. § 4-110-103(7), an individual's first name or first initial and last name in combination with any one or more of the following data elements when the data elements are not encrypted or redacted: (a) Social Security number; (b) driver's license number or Arkansas identification card number; (c) account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or (d) medical information as defined by law.
2.5 "Information Security Program" means Provider's documented program of administrative, technical, and physical safeguards designed to protect Customer Data.
2.6 "Subprocessor" means any third party engaged by Provider to process Customer Data on Provider's behalf.
3. SECURITY PROGRAM REQUIREMENTS
3.1 General Obligation. Provider shall establish, implement, and maintain a written Information Security Program that includes administrative, technical, and physical safeguards appropriate to the nature, size, and complexity of Provider's operations and the sensitivity of Customer Data. The program shall be designed to:
- (a) Protect the confidentiality, integrity, and availability of Customer Data;
- (b) Protect against reasonably anticipated threats or hazards;
- (c) Protect against unauthorized access to or use of Customer Data; and
- (d) Ensure compliance with the Arkansas Personal Information Protection Act and other applicable laws.
3.2 Administrative Safeguards.
- (a) Designation of a qualified Chief Information Security Officer (CISO) or equivalent;
- (b) Documented information security policies reviewed and updated at least annually;
- (c) Regular risk assessments conducted at least annually;
- (d) Security awareness training for all personnel with access to Customer Data;
- (e) Documented incident response plan tested at least annually; and
- (f) Vendor and third-party risk management program.
3.3 Technical Safeguards. As described in Sections 4 through 10.
3.4 Physical Safeguards. As described in Section 15.
3.5 Framework Alignment. Provider's Information Security Program shall be aligned with:
☐ NIST Cybersecurity Framework (CSF) 2.0
☐ ISO/IEC 27001:2022
☐ SOC 2 Type II Trust Services Criteria
☐ NIST SP 800-53 Rev. 5
☐ CIS Controls v8
☐ Other: [________________________________]
4. ACCESS CONTROLS
4.1 General. Provider shall implement access controls ensuring only Authorized Personnel have access to Customer Data on a least-privilege, need-to-know basis.
4.2 Authentication Requirements.
☐ Multi-Factor Authentication (MFA) for all administrative and privileged access
☐ Multi-Factor Authentication (MFA) for all remote access
☐ Multi-Factor Authentication (MFA) for all user access to Customer Data
☐ Role-Based Access Control (RBAC) enforced across all systems
☐ Single Sign-On (SSO) integration using SAML 2.0 or OpenID Connect
☐ Encryption at Rest for all stored credentials using AES-256 or equivalent
☐ Encryption in Transit for all credential transmissions using TLS 1.2 or higher
4.3 Password Policies. Provider shall enforce password policies requiring:
- (a) Minimum length of [____] characters (minimum 12 recommended);
- (b) Complexity requirements (uppercase, lowercase, numeric, special characters);
- (c) Rotation at intervals not to exceed [____] days for privileged accounts;
- (d) Prohibition against reuse of the previous [____] passwords;
- (e) Account lockout after [____] consecutive failed attempts; and
- (f) Secure storage using industry-standard hashing algorithms.
4.4 Session Management. Automatic session timeout after [____] minutes of inactivity.
4.5 Access Reviews. Quarterly reviews for privileged accounts; semi-annual reviews for all other accounts.
4.6 Deprovisioning. Access revoked within twenty-four (24) hours of termination or role change.
5. NETWORK SECURITY
5.1 Segmentation. Provider shall maintain segmentation between production and non-production environments, between Customer Data environments and corporate networks, and between different customers' data.
5.2 Controls. Provider shall deploy next-generation firewalls, IDS/IPS, WAF for internet-facing applications, DDoS protection, and network access control.
5.3 Remote Access. All remote access via encrypted VPN or equivalent with MFA.
6. ENCRYPTION STANDARDS
6.1 In Transit. TLS 1.2 or higher for all Customer Data in transit; TLS 1.3 preferred.
6.2 At Rest. AES-256 or equivalent for all Customer Data at rest, including databases, file storage, backups, and logs.
6.3 Key Management. Dedicated KMS or HSM; separation of duties; key rotation not to exceed [____] days; secure key storage separate from encrypted data.
7. APPLICATION SECURITY AND SECURE DEVELOPMENT
7.1 Provider shall maintain a secure development lifecycle incorporating SAST, DAST, SCA, peer code review, and security sign-off prior to production deployment.
7.2 All production changes subject to formal change management with documented approval, testing, and rollback procedures.
8. VULNERABILITY MANAGEMENT
8.1 Scanning. External systems: weekly; internal systems: monthly; web applications: monthly.
8.2 Remediation Timelines.
| Severity | CVSS Score | Remediation Timeline |
|---|---|---|
| Critical | 9.0 - 10.0 | [____] hours (72 hours recommended) |
| High | 7.0 - 8.9 | [____] days (7 days recommended) |
| Medium | 4.0 - 6.9 | [____] days (30 days recommended) |
| Low | 0.1 - 3.9 | [____] days (90 days recommended) |
8.3 Emergency Patching. Emergency patches or compensating controls for actively exploited zero-day vulnerabilities within twenty-four (24) hours.
9. PENETRATION TESTING
9.1 Independent third-party penetration testing at least annually, including external network, internal network, web application, and API testing.
9.2 Executive summary reports available to Customer under NDA within thirty (30) days of completion.
9.3 Critical and high findings remediated per Section 8.2 timelines.
9.4 Customer-initiated testing permitted with [____] days' prior written notice and agreed scope.
10. LOGGING AND MONITORING
10.1 Comprehensive logging of authentication events, authorization events, administrative actions, data access and modification, configuration changes, and security alerts.
10.2 Logs centralized in SIEM, time-synchronized, retained for minimum [____] days (365 recommended), and protected against tampering.
10.3 24/7/365 security monitoring with automated alerting.
11. INCIDENT RESPONSE AND BREACH NOTIFICATION
11.1 Incident Response Plan. Provider shall maintain a documented plan with designated team, severity classifications, escalation procedures, containment and recovery procedures, evidence preservation, and annual tabletop exercises.
11.2 Notification to Customer. Provider shall notify Customer of any confirmed or reasonably suspected Security Incident without undue delay and in no event later than [____] hours (48 hours recommended) after confirmation, including:
- (a) Nature and scope of the incident;
- (b) Types of Customer Data affected;
- (c) Estimated number of affected data subjects;
- (d) Steps taken to contain and remediate;
- (e) Recommended protective actions; and
- (f) Contact information for Provider's incident response lead.
11.3 Arkansas Breach Notification Requirements. Provider acknowledges and agrees that Customer's notification obligations under Arkansas law include the following:
- (a) Individual Notification (Ark. Code Ann. § 4-110-105(a)). Any person or business that acquires, owns, or licenses computerized data including Personal Information shall disclose any breach of the security of the system to any resident of Arkansas whose unencrypted Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person. Disclosure must be made in the most expedient time and manner possible and without unreasonable delay.
- (b) Third-Party Agent Notification (Ark. Code Ann. § 4-110-105(c)). A third party that maintains computerized data including Personal Information that the person or business does not own shall notify the owner or licensee of any breach immediately following discovery if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person. Provider, when acting as a third-party agent, shall comply with this requirement by notifying Customer immediately following discovery.
- (c) Attorney General Notification (Ark. Code Ann. § 4-110-105(d)). If a breach affects the Personal Information of more than one thousand (1,000) individuals, disclosure must be made to the Arkansas Attorney General at the same time the breach is disclosed to affected individuals or within forty-five (45) days after the determination that there is a reasonable likelihood of harm to customers, whichever occurs first. Provider shall cooperate with Customer in fulfilling this obligation.
- (d) Law Enforcement Delay (Ark. Code Ann. § 4-110-105(b)). Notification may be delayed if a law enforcement agency determines the notification will impede a criminal investigation, and shall be made after law enforcement determines it will not compromise the investigation.
- (e) Notification Content. Notification shall include: (i) description of the incident; (ii) type of information involved; (iii) steps individuals can take to protect themselves; (iv) contact information for the notifying entity; and (v) toll-free numbers for consumer credit reporting agencies.
11.4 Post-Incident Report. Written post-incident report within [____] business days (15 recommended) of closure, including root cause analysis, timeline, remediation actions, and prevention measures.
11.5 Costs. Unless caused by Customer's sole negligence, Provider shall bear costs of investigating and remediating Security Incidents caused by Provider's breach of this Addendum.
12. BUSINESS CONTINUITY AND DISASTER RECOVERY
12.1 Documented BC/DR plans for Services and Customer Data processing systems.
12.2 Recovery Objectives.
| Metric | Target |
|---|---|
| Recovery Point Objective (RPO) | [____] hours |
| Recovery Time Objective (RTO) | [____] hours |
| Maximum Tolerable Downtime (MTD) | [____] hours |
12.3 Encrypted backups at geographically separate locations, tested quarterly.
12.4 BC/DR plans tested at least [annually / semi-annually]; results available to Customer.
13. DATA SEGREGATION AND RESIDENCY
13.1 Logical tenant isolation in multi-tenant environments.
13.2 Customer Data not used in non-production environments without anonymization or Customer consent.
13.3 Data Residency.
☐ United States
☐ Arkansas-only (if required by Customer)
☐ Other: [________________________________]
No relocation without Customer's prior written consent.
14. PERSONNEL SECURITY
14.1 Background checks (to the extent permitted by Arkansas law) on all personnel with Customer Data access.
14.2 Written confidentiality or NDA agreements before access is granted.
14.3 Security awareness training at onboarding and annually; quarterly phishing simulations; role-specific training.
14.4 Acceptable use policies enforced.
15. PHYSICAL SECURITY
15.1 Data centers with controlled entry, multi-factor access (badge plus biometric), 24/7 CCTV with [____] days retention, visitor logging, environmental controls, redundant power and network.
16. SUBPROCESSOR SECURITY REQUIREMENTS
16.1 Subprocessors bound to security obligations no less protective than this Addendum.
16.2 Security due diligence on all Subprocessors prior to engagement and annually thereafter.
16.3 Maintained current Subprocessor list available to Customer on request.
16.4 At least [____] days (30 recommended) prior written notice before engaging new Subprocessors.
16.5 Provider remains fully liable for Subprocessors' acts and omissions.
17. COMPLIANCE AND CERTIFICATIONS
17.1 Required Certifications.
☐ SOC 2 Type II Report
☐ ISO/IEC 27001:2022 Certification
☐ HITRUST CSF Certification
☐ FedRAMP Authorization (Level: [________________________________])
☐ PCI DSS Compliance (Version/Level: [________________________________])
☐ ISO/IEC 27701:2019
☐ CSA STAR Certification
☐ Other: [________________________________]
17.2 Current certification reports available to Customer under NDA within [____] business days of request.
17.3 Compliance with all applicable Arkansas and federal laws.
18. AUDIT RIGHTS
18.1 Customer audit rights up to [____] time(s) per year with [____] business days' notice. Provider shall cooperate fully. Material findings remediated within agreed timeframes.
18.2 Provider shall cooperate with governmental or regulatory audits.
18.3 Each Party bears its own audit costs unless audit reveals material breach by Provider.
19. SECURITY SLA METRICS
| Metric | Target | Measurement |
|---|---|---|
| Uptime / Availability | [____]% | Monthly |
| Mean Time to Detect (MTTD) | [____] hours | Per incident |
| Mean Time to Respond (MTTR) | [____] hours | Per incident |
| Critical Vulnerability Remediation | [____] hours | Per vulnerability |
| High Vulnerability Remediation | [____] days | Per vulnerability |
| Patch Currency | [____]% | Monthly |
| Penetration Test Completion | Annually | Annual |
| Security Training Completion | [____]% | Annual |
| Access Review Completion | 100% | Quarterly |
| Backup Restoration Success | [____]% | Quarterly |
Quarterly reporting to Customer. Persistent failure constitutes material breach.
20. DATA RETURN AND DESTRUCTION
20.1 Return all Customer Data in machine-readable format within [____] days (30 recommended) of termination.
20.2 Secure destruction per NIST SP 800-88 within [____] days (60 recommended for backup rotation).
20.3 Written certification of destruction within [____] business days.
20.4 Legal hold exception with notice to Customer and continued protection.
21. ARKANSAS-SPECIFIC PROVISIONS
21.1 Personal Information Protection. Provider acknowledges its obligations under the Arkansas Personal Information Protection Act (Ark. Code Ann. § 4-110-101 et seq.) and shall implement safeguards consistent with the requirements of that Act, including restrictions on the use of Personal Information as defined in Ark. Code Ann. § 4-110-103(7).
21.2 Social Security Number Protection. In compliance with Ark. Code Ann. § 4-110-104, Provider shall not:
- (a) Intentionally communicate or make available an individual's Social Security number to the general public;
- (b) Print an individual's Social Security number on any card required for the individual to access products or services;
- (c) Require an individual to transmit their Social Security number over the internet unless the connection is secure or the number is encrypted; or
- (d) Require an individual to use their Social Security number to access a website unless a password or unique personal identification number is also required.
21.3 Arkansas Trade Secrets Act. Provider shall protect Customer's trade secrets and proprietary information in accordance with the Arkansas Trade Secrets Act (Ark. Code Ann. § 4-75-601 et seq.), implementing reasonable measures to maintain the secrecy of such information.
21.4 Electronic Signatures. To the extent this Addendum is executed electronically, the Parties acknowledge compliance with the Arkansas Uniform Electronic Transactions Act (Ark. Code Ann. § 25-32-101 et seq.).
21.5 Governing Law. This Addendum shall be governed by and construed in accordance with the laws of the State of Arkansas without regard to conflict-of-laws principles.
21.6 Forum. Any dispute arising under this Addendum shall be brought exclusively in the state or federal courts located in Pulaski County, Arkansas, and the Parties consent to the exclusive jurisdiction of such courts.
21.7 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY ARKANSAS LAW, THE PARTIES HEREBY IRREVOCABLY WAIVE ANY RIGHT TO TRIAL BY JURY IN ANY ACTION ARISING OUT OF OR RELATING TO THIS ADDENDUM.
21.8 Interest on Late Payments. Any amounts due under this Addendum that are not paid when due shall accrue interest at the rate specified in the Master Agreement, not to exceed the maximum rate permitted under Arkansas law (Ark. Code Ann. § 4-57-104).
22. GENERAL PROVISIONS
22.1 Entire Agreement. This Addendum, together with the Master Agreement and any DPA, constitutes the entire agreement regarding information security.
22.2 Amendments. Amendments only by written instrument signed by both Parties.
22.3 Severability. Invalid provisions severed; remainder continues.
22.4 Survival. Sections 2, 11, 18, 20, and 21 survive expiration or termination.
23. SIGNATURES
IN WITNESS WHEREOF, the Parties have executed this Security Addendum as of the Addendum Effective Date.
CUSTOMER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
PROVIDER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
IMPLEMENTATION CHECKLIST
☐ Master Agreement referenced and attached
☐ Security framework(s) selected in Section 3.5
☐ Authentication requirements confirmed in Section 4.2
☐ Data residency selected in Section 13.3
☐ Required certifications selected in Section 17.1
☐ All bracketed fields completed
☐ Vulnerability remediation timelines agreed in Section 8.2
☐ Incident notification timeline agreed in Section 11.2
☐ Security SLA targets agreed in Section 19
☐ Arkansas breach notification obligations reviewed (Section 11.3)
☐ SSN protection obligations confirmed (Section 21.2)
☐ Reviewed by attorney licensed in Arkansas
☐ Reviewed by qualified information security professionals
☐ Signed by authorized representatives of both Parties
SOURCES AND REFERENCES
- Arkansas Personal Information Protection Act, Ark. Code Ann. § 4-110-101 et seq. -- https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/
- Arkansas Attorney General Data Breach Reporting -- https://arkansasag.gov/divisions/public-protection/identity/security-or-data-breach/
- Arkansas Trade Secrets Act, Ark. Code Ann. § 4-75-601 et seq. -- https://law.justia.com/codes/arkansas/title-4/subtitle-5/chapter-75/
- NIST Cybersecurity Framework (CSF) 2.0 -- https://www.nist.gov/cyberframework
- ISO/IEC 27001:2022 -- https://www.iso.org/standard/27001
About This Template
A contract is a written record of what two or more parties agreed to and what happens if someone does not follow through. Clear language, defined terms, and clean signature blocks keep disputes small and enforceable. The most common mistakes in contracts come from vague promises, missing details about timing or payment, and skipping standard protective clauses like governing law and dispute resolution.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: April 2026