Security Addendum (Enterprise SaaS)


ENTERPRISE SECURITY ADDENDUM

Arizona Jurisdictional Version

Addendum Reference No.: [________________________________]
Master Agreement Reference: [________________________________]
Effective Date: [__/__/____]


RECITALS

WHEREAS, the entity identified as "Customer" ("[________________________________]") and the entity identified as "Provider" ("[________________________________]") have entered into that certain Master Services Agreement, SaaS Subscription Agreement, or equivalent agreement dated [__/__/____] (the "Master Agreement");

WHEREAS, the Provider will Process, store, transmit, or otherwise access Customer Data, including Personal Information of Arizona residents, in the course of performing the Services;

WHEREAS, the State of Arizona requires notification of data breaches under A.R.S. § 18-552 within forty-five (45) days after a breach determination, with written notification to the Arizona Attorney General, the Director of the Arizona Department of Homeland Security, and the three largest nationwide consumer reporting agencies when more than one thousand (1,000) individuals must be notified, and civil penalties of up to five hundred thousand dollars ($500,000) for a knowing and willful violation;

WHEREAS, Arizona does not currently have a comprehensive consumer data privacy act, but the Parties desire to establish contractual security and data protection standards that meet or exceed industry best practices and comply with all existing Arizona data protection statutes;

WHEREAS, the Parties desire to establish minimum security standards, breach notification obligations, and data protection requirements that comply with Arizona law, anticipate potential future privacy legislation, and align with recognized security frameworks;

NOW, THEREFORE, in consideration of the mutual covenants and obligations contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:


ARTICLE 1 — DEFINITIONS

1.1 "Authorized Personnel" means individuals who have been granted access to Customer Data through formal authorization procedures, including employees, contractors, and agents of Provider who have a legitimate business need for such access and who have completed all required background checks and security training.

1.2 "Biometric Data" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, retina or iris image, or other unique biological patterns used to authenticate an individual, as referenced in the definition of Personal Information under A.R.S. § 18-551.

1.3 "Breach" or "Security System Breach" means, consistent with A.R.S. § 18-551, an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized Personal Information maintained by or on behalf of a person as part of a database of Personal Information regarding multiple individuals. Breach does not include the good faith acquisition of Personal Information by an employee or agent of the person for the purposes of the person, provided the Personal Information is not used for a purpose unrelated to the person or subject to further willful unauthorized disclosure. Whether a Breach has resulted in or is reasonably likely to result in substantial economic loss to affected individuals bears on whether notification is required under A.R.S. § 18-552, not on whether a Breach has occurred.

1.4 "Critical System" means any system, application, database, or infrastructure component that stores, processes, or transmits Customer Data, or that, if compromised, could result in unauthorized access to Customer Data.

1.5 "Customer Data" means all data, information, records, files, and materials provided by or on behalf of Customer to Provider, or collected, generated, or processed by Provider on behalf of Customer in connection with the Services, including but not limited to Personal Information, Confidential Information, and proprietary business data.

1.6 "Encryption Standards" means encryption using algorithms, modes of operation, and key lengths that meet or exceed: (a) AES-256 for data at rest, using an authenticated mode such as AES-GCM where the storage layer supports it; (b) TLS 1.2 or higher, configured with forward-secret, authenticated-encryption cipher suites, for data in transit; and (c) the algorithms and key lengths currently recommended by NIST (including the key-length guidance of NIST SP 800-57 Part 1), with deprecated algorithms such as DES, 3DES, RC4, and MD5 not used for protection of Customer Data.

1.7 "Incident" means any event that actually or potentially jeopardizes the confidentiality, integrity, or availability of Customer Data or any information system that stores, processes, or transmits Customer Data, including but not limited to attempted or successful unauthorized access, use, disclosure, modification, or destruction.

1.8 "Information Security Program" means Provider's comprehensive, documented program of administrative, technical, and physical safeguards designed to protect Customer Data, as further described in Article 4 of this Addendum.

1.9 "Personal Information" means, consistent with A.R.S. § 18-551, an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted, or secured by any other method rendering the element unreadable or unusable: (a) Social Security number; (b) number on a driver license issued pursuant to A.R.S. § 28-3166 or number on a nonoperating identification license issued pursuant to A.R.S. § 28-3165; (c) a private key that is unique to an individual and that is used to authenticate or sign an electronic record; (d) financial account number or credit or debit card number in combination with any required security code, access code, or password that would allow access to the individual's financial account; (e) an individual's health insurance identification number; (f) information about an individual's medical or mental health treatment or diagnosis by a health care professional; (g) a passport number; (h) an individual's taxpayer identification number; or (i) unique biometric data generated from a measurement or technical analysis of human body characteristics to authenticate an individual, including a fingerprint, retina or iris image, or other unique biological patterns or characteristics. Personal Information also includes an individual's user name or e-mail address, in combination with a password or security question and answer, that allows access to an online account, and does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

1.10 "Process" or "Processing" means any operation or set of operations performed on Customer Data, whether or not by automated means, including collection, use, storage, disclosure, analysis, deletion, or modification.

1.11 "Subprocessor" means any third party engaged by Provider to Process Customer Data on Provider's behalf in connection with the Services.

1.12 "Trade Secret" means information as defined under the Arizona Uniform Trade Secrets Act (A.R.S. § 44-401), including a formula, pattern, compilation, program, device, method, technique, or process that derives independent economic value from not being generally known to and not being readily ascertainable by proper means and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.


ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE

2.1 Scope. This Addendum applies to all Processing of Customer Data by Provider, its Authorized Personnel, and its Subprocessors in connection with the Services provided under the Master Agreement.

2.2 Order of Precedence. In the event of any conflict or inconsistency between the terms of this Addendum and the Master Agreement, this Addendum shall prevail with respect to matters related to data security, breach notification, and compliance with Arizona law. In the event of conflict between this Addendum and applicable Arizona statutes, the applicable law shall control.

2.3 Future Privacy Legislation. Provider acknowledges that Arizona may enact comprehensive consumer data privacy legislation in the future. Provider agrees to cooperate with Customer in implementing any additional obligations imposed by such legislation within a reasonable time after its effective date. The security standards and data protection practices established in this Addendum are intended to position both Parties favorably for compliance with any future Arizona privacy legislation.

2.4 Incorporation. This Addendum is hereby incorporated into and made a part of the Master Agreement. All terms not defined herein shall have the meanings ascribed to them in the Master Agreement.


ARTICLE 3 — DATA PROTECTION PRACTICES

3.1 No Comprehensive Privacy Act. The Parties acknowledge that as of the date of this Addendum, Arizona does not have a comprehensive consumer data privacy act comparable to those enacted in other states. In the absence of such legislation, Provider shall implement data protection practices consistent with: (a) A.R.S. § 18-551 et seq. (breach notification); (b) the Arizona Consumer Fraud Act (A.R.S. § 44-1521 et seq.); (c) recognized industry frameworks; and (d) the contractual obligations set forth in this Addendum.

3.2 Contractual Privacy Standards. Notwithstanding the absence of comprehensive privacy legislation, Provider agrees to the following contractual data protection standards, which are designed to meet or exceed protections available under leading state privacy acts:

(a) Data Minimization. Provider shall limit collection and processing of Customer Data to what is reasonably necessary for the purposes specified in the Master Agreement;

(b) Purpose Limitation. Provider shall process Customer Data only for the purposes specified in the Master Agreement and this Addendum, and shall not process Customer Data for any secondary purpose without Customer's prior written consent;

(c) Transparency. Provider shall assist Customer in maintaining transparent privacy practices and disclosures;

(d) Security by Design. Provider shall incorporate security and privacy considerations into the design and development of all systems and processes that handle Customer Data;

(e) Consumer Rights Support. Provider shall provide reasonable technical support to Customer in responding to individual data access, correction, deletion, and portability requests, to the extent Customer receives such requests under federal law, other state laws, or contractual commitments.

3.3 Arizona Consumer Fraud Act. Provider represents that its security practices and data handling shall not constitute deception, deceptive or unfair acts, fraud, false pretenses, false promises, misrepresentations, or concealment, suppression, or omission of any material fact under the Arizona Consumer Fraud Act (A.R.S. § 44-1521 et seq.).

3.4 Arizona Genetic Information Privacy. Where the Services involve genetic data, Provider shall comply, to the extent applicable, with Arizona's Genetic Information Privacy Act, including providing the required privacy notices and obtaining express consent before collecting, using, or disclosing genetic data.


ARTICLE 4 — INFORMATION SECURITY PROGRAM

4.1 General Obligation. Provider shall establish, implement, and maintain a comprehensive, written Information Security Program that includes administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, acquisition, destruction, use, modification, or disclosure. Such program shall be appropriate to the size and complexity of Provider's operations and the nature and scope of Customer Data processed.

4.2 Security Frameworks. Provider's Information Security Program shall align with one or more of the following recognized frameworks:

(a) ISO/IEC 27001:2022 — Information Security Management Systems;
(b) AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy), as evidenced by a SOC 2 Type II report;
(c) NIST Cybersecurity Framework (CSF) v2.0;
(d) NIST SP 800-53 Rev. 5 — Security and Privacy Controls.

4.3 Minimum Security Controls. Without limiting the generality of Section 4.1, Provider's Information Security Program shall include, at a minimum, the controls described in Articles 5 through 17 of this Addendum.

4.4 Continuous Improvement. Provider shall review and update its Information Security Program no less than annually, and more frequently as necessary to address new threats, vulnerabilities, changes in technology, or changes in applicable Arizona law.

4.5 Documentation. Provider shall maintain current documentation of its Information Security Program and make it available to Customer upon reasonable request.


ARTICLE 5 — ACCESS CONTROLS

5.1 Role-Based Access Control (RBAC). Provider shall implement and enforce role-based access controls to ensure that access to Customer Data is limited to Authorized Personnel whose job functions require such access.

5.2 Multi-Factor Authentication (MFA). Provider shall require multi-factor authentication for: (a) all remote access to systems containing Customer Data; (b) all administrative and privileged access to Critical Systems; (c) all access to Customer-facing portals and dashboards; and (d) all access to cloud management consoles and infrastructure.

5.3 Least Privilege. Access shall be granted based on the principle of least privilege, providing only the minimum access necessary to perform assigned job functions.

5.4 Access Reviews. Provider shall conduct formal access reviews no less than quarterly to verify that access privileges remain appropriate and that accounts for terminated or transferred personnel have been promptly deactivated. Evidence of such reviews shall be maintained and available for audit.

5.5 Privileged Access Management. Provider shall implement dedicated privileged access management (PAM) controls, including session recording, credential vaulting, and just-in-time access provisioning for administrative accounts.

5.6 Account Management. Provider shall: (a) disable or remove inactive accounts after thirty (30) days of inactivity; (b) enforce account lockout after no more than five (5) consecutive failed login attempts; (c) deactivate accounts of terminated personnel within twenty-four (24) hours of notification; and (d) implement unique user identifiers for all accounts with access to Customer Data.

5.7 Password Policy. Provider shall enforce password policies requiring a minimum of fourteen (14) characters, complexity requirements, and screening of new and changed passwords against lists of known compromised passwords. Credentials for privileged accounts shall be rotated no less than every ninety (90) days and immediately upon suspected compromise or upon the departure of any person who had knowledge of them.


ARTICLE 6 — ENCRYPTION STANDARDS

6.1 Data in Transit. All Customer Data transmitted over public or untrusted networks shall be encrypted using TLS 1.2 or higher, configured with cipher suites that provide forward secrecy and authenticated encryption (for example, ECDHE key exchange with AES-GCM or ChaCha20-Poly1305). SSLv2, SSLv3, TLS 1.0, and TLS 1.1 shall be disabled on all systems, and server certificates shall be validated on every connection, including service-to-service connections within Provider's environment.

6.2 Data at Rest. All Customer Data stored on Provider systems, including databases, file systems, backups, snapshots, and removable media, shall be encrypted using AES-256 or an equivalent or stronger algorithm, using an authenticated mode (such as AES-GCM) wherever the storage layer supports it.

6.3 Key Management. Provider shall implement a formal key management program that includes: (a) generation of cryptographic keys using a cryptographically secure random number generator (such as one conforming to NIST SP 800-90A); (b) storage of keys in hardware security modules (HSMs) or a key management service backed by FIPS 140-validated hardware, such that key material is not exportable in plaintext; (c) key rotation no less than annually and promptly upon suspected compromise; (d) key revocation and destruction procedures; (e) separation of duties between key custodians; and (f) documentation and audit trails for all key management activities.

6.4 End-to-End Encryption. Where technically feasible and appropriate to the sensitivity of the data, Provider shall implement end-to-end encryption.

6.5 Encryption and Breach Notification. The Parties acknowledge that under A.R.S. § 18-551, data that is encrypted, redacted, or secured by any other method rendering the element unreadable or unusable is excluded from the definition of Personal Information for breach notification purposes. Provider shall implement encryption controls sufficient to support this exclusion.


ARTICLE 7 — NETWORK SECURITY

7.1 Network Architecture. Provider shall implement network segmentation to isolate systems that store or process Customer Data from other systems. Critical Systems shall reside in dedicated network segments with strictly controlled ingress and egress traffic.

7.2 Firewalls and Intrusion Prevention. Provider shall deploy and maintain: (a) next-generation firewalls at all network perimeters; (b) intrusion detection and prevention systems (IDS/IPS) monitoring all network traffic to and from Customer Data environments; (c) web application firewalls (WAF) protecting all Customer-facing applications.

7.3 Network Monitoring. Provider shall monitor all network traffic for anomalous activity on a continuous (24/7/365) basis using automated tools and shall investigate all alerts promptly.

7.4 Wireless Security. All wireless networks with access to Customer Data environments shall use WPA3 (or, where WPA3 is not supported, WPA2-Enterprise with 802.1X authentication) and shall be segmented from production networks.

7.5 Remote Access. All remote access to Customer Data environments shall be conducted through encrypted VPN connections or zero-trust network access (ZTNA) solutions, with multi-factor authentication required for all sessions.

7.6 DDoS Protection. Provider shall implement distributed denial-of-service (DDoS) mitigation capabilities sufficient to maintain availability of Services.


ARTICLE 8 — APPLICATION SECURITY

8.1 Secure Development Lifecycle (SDLC). Provider shall implement a formal Secure Development Lifecycle for all applications that store, process, or transmit Customer Data, incorporating security at each phase of development.

8.2 OWASP Compliance. Provider shall ensure that all web applications and APIs are developed and maintained in accordance with the OWASP Top Ten and OWASP Application Security Verification Standard (ASVS).

8.3 Static and Dynamic Analysis. Provider shall perform: (a) Static Application Security Testing (SAST) on all code prior to release; (b) Dynamic Application Security Testing (DAST) on all deployed applications no less than quarterly; and (c) Software Composition Analysis (SCA) to identify vulnerabilities in third-party libraries and open-source components.

8.4 Code Review. All code changes affecting Customer Data handling shall undergo peer code review with security-focused review criteria before deployment to production.

8.5 API Security. Provider shall implement API authentication, authorization, rate limiting, input validation, and logging for all APIs that access or expose Customer Data.

8.6 Change Management. Provider shall implement formal change management procedures for all modifications to production systems, including documented approval, testing, rollback plans, and post-implementation review.


ARTICLE 9 — VULNERABILITY MANAGEMENT

9.1 Vulnerability Scanning. Provider shall conduct automated vulnerability scanning of all Critical Systems no less than weekly, and of all other systems no less than monthly.

9.2 Remediation Timelines. Provider shall remediate identified vulnerabilities according to the following timelines, measured from the date of identification and classified by CVSS base score:

(a) Critical (CVSS 9.0-10.0): remediation within twenty-four (24) hours; immediate compensating controls as interim mitigation;
(b) High (CVSS 7.0-8.9): remediation within seven (7) calendar days; interim mitigation within forty-eight (48) hours;
(c) Medium (CVSS 4.0-6.9): remediation within thirty (30) calendar days; interim mitigation determined by a documented risk assessment;
(d) Low (CVSS 0.1-3.9): remediation within ninety (90) calendar days; interim mitigation at the next scheduled maintenance window.

9.3 Zero-Day and Actively Exploited Vulnerabilities. For vulnerabilities that are publicly disclosed before a vendor patch is available, or that are known to be actively exploited, Provider shall deploy emergency patches or compensating controls on affected Critical Systems within twenty-four (24) hours of vendor notification or public disclosure, whichever is earlier.

9.4 Patch Management. Provider shall maintain a formal patch management program that includes testing, approval, deployment, and verification procedures.

9.5 Vulnerability Reporting. Provider shall deliver to Customer, no less than quarterly, a report summarizing vulnerability findings by severity, their remediation status, and any findings that exceeded the timelines in Section 9.2 together with the compensating controls applied in the interim.


ARTICLE 10 — LOGGING, MONITORING, AND AUDIT

10.1 Security Information and Event Management (SIEM). Provider shall implement and maintain a SIEM solution capable of real-time aggregation, correlation, and analysis of security events from all Critical Systems.

10.2 Log Collection. Provider shall collect and maintain audit logs from all systems that store, process, or transmit Customer Data, including: (a) authentication events (successes and failures); (b) authorization changes; (c) data access events; (d) system administrator activities; (e) system and application errors; (f) firewall and IDS/IPS events; (g) anti-malware events; and (h) data modification and deletion events.

10.3 Log Retention. Audit logs shall be retained for a minimum of twelve (12) months online and an additional twelve (12) months in secure archived storage, for a total retention period of twenty-four (24) months. Logs shall be protected against unauthorized modification or deletion.

10.4 Log Integrity. Provider shall implement controls to ensure log integrity, including cryptographic hash chaining or signing of log records, write-once (WORM) storage, forwarding of logs to a separate system that the originating hosts and their administrators cannot modify, or equivalent tamper-evident mechanisms, such that any alteration, reordering, or deletion of log records is detectable.
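As an added illustration of the hash-chaining option in Section 10.4 (example code written for this page, not a control taken from any Provider's systems): each audit record is hashed together with its sequence number and the hash of the record before it, so editing, reordering, or deleting an entry breaks the chain at that point. The log lines are constructed, the function names are ours, and the head-hash check assumes the most recent hash is copied to a store the log source cannot write to, such as the archive tier described in Section 10.3.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit record plus the link that makes the log tamper-evident.
type Entry struct {
	Seq      int
	Record   string // the raw audit log line
	PrevHash string // hash of the previous entry (genesisHash for the first)
	Hash     string // SHA-256 over Seq, PrevHash and Record
}

// genesisHash anchors the chain; any fixed, publicly known value works.
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// SampleRecords are constructed log lines standing in for the event types Section 10.2 requires.
var SampleRecords = []string{
	"2024-03-01T10:00:00Z auth.success user=alice src=10.0.0.5",
	"2024-03-01T10:02:11Z admin.role_grant actor=alice target=bob role=db_admin",
	"2024-03-01T10:05:43Z data.delete actor=bob table=customer_pii rows=1200",
	"2024-03-01T10:06:00Z auth.failure user=mallory src=203.0.113.7",
}

// computeHash binds a record to its position and its predecessor. Newline
// separators keep the three fields from being re-split ambiguously.
func computeHash(seq int, prevHash, record string) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d\n%s\n%s", seq, prevHash, record)
	return hex.EncodeToString(h.Sum(nil))
}

// Append links a new record onto the end of the chain.
func Append(chain []Entry, record string) []Entry {
	prev := genesisHash
	if len(chain) > 0 {
		prev = chain[len(chain)-1].Hash
	}
	seq := len(chain)
	return append(chain, Entry{Seq: seq, Record: record, PrevHash: prev, Hash: computeHash(seq, prev, record)})
}

// Verify returns the index of the first entry whose link is broken, or -1 if the
// chain is intact. trustedHead is the last hash as recorded in a separate,
// write-protected store; when supplied it also exposes truncation of the tail,
// which the chain on its own cannot detect.
func Verify(chain []Entry, trustedHead string) int {
	prev := genesisHash
	for i, e := range chain {
		if e.Seq != i || e.PrevHash != prev || computeHash(e.Seq, e.PrevHash, e.Record) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	if trustedHead != "" && prev != trustedHead {
		return len(chain)
	}
	return -1
}

func main() {
	var chain []Entry
	for _, r := range SampleRecords {
		chain = Append(chain, r)
	}
	head := chain[len(chain)-1].Hash
	fmt.Println("intact chain, first bad index:", Verify(chain, head))

	// An insider rewrites the deletion event to hide it; the stored hash no longer matches.
	tampered := append([]Entry(nil), chain...)
	tampered[2].Record = "2024-03-01T10:05:43Z data.read actor=bob table=customer_pii rows=1"
	fmt.Println("edited record, first bad index:", Verify(tampered, head))

	// Dropping the last entry leaves every remaining link valid; only the anchored head exposes it.
	truncated := chain[:len(chain)-1]
	fmt.Println("truncated, no anchor:", Verify(truncated, ""), "with anchor:", Verify(truncated, head))
}
```

A chain by itself catches edits inside the retained log, but not an attacker who rewrites a record and recomputes every hash after it, nor one who drops entries from the tail; both require the current head (or a periodic signature over it) to be held outside the log writer's control. That is why the write-once storage alternative in Section 10.4 is usually combined with hashing rather than chosen instead of it.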

10.5 Monitoring and Alerting. Provider shall maintain 24/7/365 security monitoring with defined alert thresholds, escalation procedures, and response timeframes.

10.6 Log Access. Provider shall provide logs pertaining to Customer Data within ten (10) business days of request.


ARTICLE 11 — DATA SEGREGATION AND RESIDENCY

11.1 Logical Segregation. Provider shall logically segregate Customer Data from the data of other customers at the application, database, and storage layers.

11.2 Data Residency. Unless otherwise agreed in writing, Customer Data shall be stored and Processed only within the continental United States. Provider shall not store, Process, or transfer Customer Data outside the continental United States, including by way of remote access from outside the continental United States by Provider personnel or Subprocessors, without Customer's prior written consent.

11.3 Notification of Residency Changes. Provider shall notify Customer no less than sixty (60) days in advance of any proposed change in the geographic location of data storage or processing facilities.

11.4 Multi-Tenant Isolation. In multi-tenant environments, Provider shall implement robust tenant isolation controls, including separate encryption keys per tenant, isolated compute environments where feasible, and regular testing of isolation controls.
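The separate per-tenant keys in Section 11.4 are usually implemented as envelope encryption, which is also what makes the annual rotation in Section 6.3(c) practical. The following Go program is an added example of that pattern written for this page, not code from any Provider: each tenant receives its own AES-256-GCM data key, that key is stored only wrapped under a key-encryption key (KEK), the tenant identifier is bound into every ciphertext as associated data, and rotation re-wraps the data key under a new KEK without re-encrypting stored records. The in-memory KEK map stands in for the HSM or key management service that Section 6.3(b) requires, and the tenant identifiers, key names, and record contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KEK is a key-encryption key. In production it never leaves the HSM or KMS (Section 6.3(b)).
type KEK struct {
	ID  string
	Key []byte // 32 bytes selects AES-256
}

// TenantKeyRecord is what the service persists: the tenant's data-encryption key (DEK), wrapped.
type TenantKeyRecord struct {
	TenantID   string
	KEKID      string // which KEK wrapped the DEK, so rotation can retire old KEKs
	WrappedDEK []byte // nonce || AES-256-GCM(DEK) under the KEK, with TenantID as AAD
}

// randomBytes draws from the OS CSPRNG (Section 6.3(a)); used for keys and nonces alike.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("CSPRNG unavailable: " + err.Error())
	}
	return b
}

// seal encrypts under a fresh random nonce prepended to the output; aad is authenticated
// but not encrypted, so a blob cannot be reused under a different context.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key) // 32-byte keys: these constructors cannot fail
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext or aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// ProvisionTenant creates a fresh DEK for the tenant and stores it wrapped under the current KEK.
func ProvisionTenant(tenantID string, kek KEK) TenantKeyRecord {
	wrapped := seal(kek.Key, randomBytes(32), []byte(tenantID))
	return TenantKeyRecord{TenantID: tenantID, KEKID: kek.ID, WrappedDEK: wrapped}
}

// unwrapDEK recovers the DEK. Binding TenantID as AAD means a wrapped key copied into
// another tenant's record does not unwrap, and a KEK missing from the map (retired) is refused.
func unwrapDEK(rec TenantKeyRecord, keks map[string]KEK) ([]byte, error) {
	kek, ok := keks[rec.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available (retired or unknown)", rec.KEKID)
	}
	return open(kek.Key, rec.WrappedDEK, []byte(rec.TenantID))
}

// EncryptRecord protects a customer record under the tenant's own DEK, again binding
// TenantID so ciphertext cannot be moved between tenants (Section 11.4).
func EncryptRecord(rec TenantKeyRecord, keks map[string]KEK, plaintext []byte) ([]byte, error) {
	dek, err := unwrapDEK(rec, keks)
	if err != nil {
		return nil, err
	}
	return seal(dek, plaintext, []byte(rec.TenantID)), nil
}

// DecryptRecord is the inverse; another tenant's record, or a tampered blob, fails here.
func DecryptRecord(rec TenantKeyRecord, keks map[string]KEK, blob []byte) ([]byte, error) {
	dek, err := unwrapDEK(rec, keks)
	if err != nil {
		return nil, err
	}
	return open(dek, blob, []byte(rec.TenantID))
}

// RotateKEK re-wraps the DEK under a new KEK without touching stored ciphertext, which is
// what makes the annual rotation of Section 6.3(c) a cheap per-tenant operation.
func RotateKEK(rec TenantKeyRecord, keks map[string]KEK, newKEK KEK) (TenantKeyRecord, error) {
	dek, err := unwrapDEK(rec, keks)
	if err != nil {
		return TenantKeyRecord{}, err
	}
	wrapped := seal(newKEK.Key, dek, []byte(rec.TenantID))
	return TenantKeyRecord{TenantID: rec.TenantID, KEKID: newKEK.ID, WrappedDEK: wrapped}, nil
}

func main() {
	rec := ProvisionTenant("tenant-a", KEK{ID: "kek-2024", Key: randomBytes(32)}) // constructed IDs
	fmt.Println(rec.TenantID, "keyed under", rec.KEKID, "wrapped DEK bytes:", len(rec.WrappedDEK))
}
```

Retiring a KEK means removing it from the available set only after every tenant record has been re-wrapped; a record still tagged with the old KEK then fails closed instead of decrypting under a key that should no longer exist, and that failure is what the audit trail required by Section 6.3(f) should record.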


ARTICLE 12 — PENETRATION TESTING

12.1 Annual Testing. Provider shall engage an independent, qualified third-party firm to conduct comprehensive penetration testing of all systems that store, process, or transmit Customer Data no less than annually. Testing shall include external network, internal network, web application, and social engineering components.

12.2 Methodology. Penetration tests shall be conducted in accordance with recognized methodologies, including OWASP Testing Guide, PTES, or NIST SP 800-115.

12.3 Scope. Testing shall cover all Customer-facing applications, APIs, supporting infrastructure, and network perimeters.

12.4 Remediation. Provider shall remediate Critical and High findings within the timelines set forth in Article 9 and shall validate each remediation through retesting.

12.5 Reporting. Provider shall deliver to Customer an executive summary of each test, including findings by severity and their remediation status, within thirty (30) days of test completion.

12.6 Customer Testing. Customer may conduct, or engage a qualified third party to conduct, its own penetration testing of the Services upon no less than thirty (30) days' prior written notice, subject to mutually agreed rules of engagement.


ARTICLE 13 — BUSINESS CONTINUITY AND DISASTER RECOVERY

13.1 BC/DR Program. Provider shall establish, maintain, and test a comprehensive business continuity and disaster recovery program.

13.2 Recovery Objectives. Unless otherwise specified in the Master Agreement:

(a) Recovery Point Objective (RPO): No greater than four (4) hours;
(b) Recovery Time Objective (RTO): No greater than eight (8) hours.

13.3 Backup Procedures. Provider shall: (a) perform daily encrypted backups of all Customer Data; (b) store backups in a geographically separate facility; (c) test backup restoration procedures no less than quarterly; and (d) maintain backup encryption consistent with Article 6.

13.4 Annual Testing. Provider shall conduct a full disaster recovery test no less than annually, shall permit Customer to observe the test, and shall provide Customer with a summary of the results within thirty (30) days of test completion.

13.5 Failover. Provider shall maintain automated failover capabilities sufficient to restore the Services within the RTO.


ARTICLE 14 — INCIDENT RESPONSE AND ARIZONA BREACH NOTIFICATION

14.1 Incident Response Plan. Provider shall maintain a documented incident response plan covering: (a) identification and classification; (b) containment and eradication; (c) evidence preservation and chain of custody; (d) communication and escalation; (e) recovery and restoration; and (f) post-incident review and lessons learned.

14.2 Initial Notification to Customer. Provider shall notify Customer of any confirmed or suspected Incident involving Customer Data within twenty-four (24) hours of Provider's discovery of the Incident, by email and telephone to designated contacts.

14.3 Incident Notification Content. Provider's initial notification shall include, to the extent known: (a) nature and scope of the Incident; (b) date and time of discovery; (c) type of Customer Data affected; (d) number of individuals potentially affected; (e) actions taken or planned to contain and remediate the Incident; and (f) Provider point of contact.

14.4 Ongoing Updates. Provider shall provide Customer with written status updates no less than every twenty-four (24) hours until the Incident is resolved.

14.5 Arizona Breach Notification — Statutory Requirements (A.R.S. § 18-552).

In the event of a Security System Breach involving Personal Information of Arizona residents, the following requirements apply:

(a) Investigation. When Provider becomes aware of a security incident, Provider shall conduct a reasonable investigation to promptly determine whether a Security System Breach has occurred, including an assessment of whether Personal Information has been or is reasonably likely to be subject to unauthorized acquisition and access.

(b) Breach Determination Standard. A Security System Breach exists when there has been unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized Personal Information. Good faith acquisition by an employee or agent for the purposes of the entity is not a Breach, provided the Personal Information is not used for an unrelated purpose or subject to further willful unauthorized disclosure. Notification is not required under A.R.S. § 18-552 if an independent third-party forensic auditor or a law enforcement agency determines, after a reasonable investigation, that the Breach has not resulted in and is not reasonably likely to result in substantial economic loss to affected individuals; Provider shall document any such determination and provide it to Customer.

(c) Timeline. If the investigation results in a determination that a Breach has occurred, notification to affected individuals must be made within forty-five (45) days after the determination, unless a shorter period is required by federal law or a law enforcement agency advises in writing that notification would impede a criminal investigation, in which case notification shall be made promptly after the agency advises that it will no longer impede the investigation.

(d) Attorney General and Homeland Security Notification. If the breach requires notification of more than one thousand (1,000) individuals, Provider shall (in coordination with Customer) notify, in writing:

  • The Arizona Attorney General, in a form prescribed by rule or order of the Attorney General;
  • The Director of the Arizona Department of Homeland Security;
  • The three largest nationwide consumer reporting agencies.

(e) Notice Content. Written notification to affected individuals shall include: (i) the approximate date of the breach; (ii) a brief description of the Personal Information included in the breach; (iii) the toll-free numbers, addresses, and websites for the three major consumer reporting agencies; (iv) the toll-free number, address, and website for the FTC and a statement that the individual can obtain information from the FTC about steps to avoid identity theft; and (v) the entity's contact information.

(f) Method of Notice. Notification may be provided by: (i) written notice; (ii) telephonic notice; (iii) electronic notice, if the entity's primary method of communication with the individual is electronic; or (iv) substitute notice if the cost exceeds $50,000, the affected class exceeds 100,000 persons, or the entity does not have sufficient contact information. Arizona's substitute notice cost threshold ($50,000) is notably lower than most states.

(g) Substitute Notice Components. Substitute notice consists of: (i) a written letter to the Attorney General demonstrating the need for substitute notice; (ii) a conspicuous posting of the notice on the entity's website for at least forty-five (45) days; and (iii) notice to major statewide media.

14.6 Penalties for Non-Compliance. The Parties acknowledge the following enforcement provisions under A.R.S. § 18-552:

(a) A knowing and willful violation of the breach notification statute is an unlawful practice;

(b) Only the Arizona Attorney General may enforce such violations;

(c) Civil penalties may not exceed the lesser of: (i) ten thousand dollars ($10,000) per affected individual; or (ii) the total amount of economic loss sustained by affected individuals;

(d) The maximum civil penalty from a single breach or series of related breaches may not exceed five hundred thousand dollars ($500,000);

(e) The Attorney General may also seek restitution owed to affected individuals.

14.7 Vendor Notification Obligation. If Provider maintains unencrypted and unredacted computerized data that includes Personal Information that Provider does not own or license, Provider shall notify Customer (as the owner or licensee of the information) of any Security System Breach as soon as practicable after discovery, and in any event within the period set forth in Section 14.2. Provider shall cooperate with Customer's investigation and provide any relevant information relating to the Breach.

14.8 Cooperation. Provider shall cooperate fully with Customer, law enforcement, the Arizona Attorney General, and the Arizona Department of Homeland Security in the investigation and resolution of any Breach. Provider shall preserve all evidence.

14.9 Root Cause Analysis. Within thirty (30) days of Breach resolution, Provider shall deliver a written root cause analysis report identifying: (a) cause; (b) timeline; (c) scope and impact; (d) remedial actions; and (e) measures to prevent recurrence.

14.10 Credit Monitoring. In the event of a Breach involving Social Security numbers, financial account information, or other sensitive data elements, Provider shall, at its sole expense, offer no less than twenty-four (24) months of credit monitoring and identity theft protection services to affected individuals.


ARTICLE 15 — SUBPROCESSOR MANAGEMENT

15.1 Prior Approval. Provider shall not engage any Subprocessor to Process Customer Data without Customer's prior written approval. Provider shall maintain a current list of all approved Subprocessors.

15.2 Notification of Changes. Provider shall notify Customer no less than thirty (30) days in advance of any proposed addition or replacement of a Subprocessor. Customer shall have the right to object within fifteen (15) days.

15.3 Contractual Requirements. Provider shall enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those set forth in this Addendum, including breach notification, security controls, audit rights, and compliance with Arizona law.

15.4 Liability. Provider shall remain fully liable for the acts and omissions of its Subprocessors.

15.5 Due Diligence. Provider shall conduct due diligence on each Subprocessor before engagement, and annually thereafter, to verify the Subprocessor's ability to meet its obligations.


ARTICLE 16 — PERSONNEL SECURITY

16.1 Background Checks. Provider shall conduct background checks on all personnel with access to Customer Data prior to granting such access, to the extent permitted by Arizona law. Background checks shall include, at minimum, criminal history and identity verification.

16.2 Security Training. Provider shall require all Authorized Personnel to complete comprehensive security awareness training upon hiring and no less than annually thereafter. Training shall cover: (a) data handling and protection procedures; (b) incident identification and reporting; (c) social engineering and phishing awareness; (d) applicable Arizona data protection laws; and (e) Provider's security policies and procedures.

16.3 Confidentiality Agreements. All Authorized Personnel shall execute confidentiality and non-disclosure agreements prior to accessing Customer Data, with provisions that survive termination of employment.

16.4 Separation Procedures. Upon termination or reassignment of any Authorized Personnel, Provider shall: (a) revoke all access to Customer Data within twenty-four (24) hours; (b) recover all Provider-issued devices and media; (c) confirm deletion of Customer Data from personal devices; and (d) remind the individual of continuing confidentiality obligations.


ARTICLE 17 — PHYSICAL SECURITY

17.1 Data Center Security. All facilities housing Critical Systems shall implement, at minimum: (a) 24/7/365 security personnel or video surveillance; (b) multi-layer access controls (badge, biometric, PIN) with visitor escort requirements; (c) environmental controls including fire suppression, climate control, and water detection; (d) redundant power supply with UPS and backup generators; and (e) secure media storage and destruction capabilities.

17.2 Visitor Management. All visitors shall be logged, escorted, and required to sign confidentiality agreements.

17.3 Media Handling. All removable media containing Customer Data shall be encrypted, inventoried, tracked, and securely stored. Disposal shall comply with Article 21.

17.4 Clean Desk Policy. Provider shall enforce a clean desk policy in all areas where Customer Data may be accessed.


ARTICLE 18 — INSURANCE

18.1 Cyber Liability Insurance. Provider shall maintain cyber liability insurance coverage with limits of no less than five million dollars ($5,000,000) per occurrence and in the aggregate, covering: (a) data breaches and security incidents; (b) regulatory fines and penalties; (c) crisis management and notification costs; (d) business interruption; and (e) third-party claims arising from security failures.

18.2 Errors and Omissions Insurance. Provider shall maintain professional liability (errors and omissions) insurance with limits of no less than two million dollars ($2,000,000) per occurrence and in the aggregate.

18.3 General Requirements. All required insurance policies shall: (a) be issued by carriers rated A- VII or better by A.M. Best; (b) name Customer as an additional insured where applicable; (c) contain a waiver of subrogation in favor of Customer; and (d) require thirty (30) days' prior written notice to Customer of cancellation, non-renewal, or material change.

18.4 Certificates. Provider shall furnish certificates of insurance upon execution of this Addendum and annually thereafter.


ARTICLE 19 — AUDIT RIGHTS

19.1 Audit Right. Customer, or its designated independent auditor, shall have the right to audit Provider's compliance with this Addendum no more than once per twelve (12) month period, upon no less than thirty (30) days' prior written notice.

19.2 Scope of Audit. Audits may include: (a) review of security policies, procedures, and documentation; (b) inspection of data center and office facilities; (c) review of access logs and security monitoring records; (d) interviews with Provider security personnel; (e) review of third-party audit reports (SOC 2, ISO 27001, penetration test results); and (f) review of incident response records.

19.3 Additional Audits. Customer may conduct additional audits following a confirmed Breach, regulatory inquiry, or material change to Provider's security posture.

19.4 Cooperation. Provider shall cooperate fully and provide reasonable access to facilities, systems, records, and personnel.

19.5 Remediation. Provider shall address audit findings within: (a) thirty (30) days for Critical findings; (b) sixty (60) days for High findings; and (c) ninety (90) days for Medium and Low findings.

19.6 Third-Party Reports. Provider shall make available upon request: (a) SOC 2 Type II reports; (b) ISO 27001 certification; (c) penetration test summaries; and (d) other relevant assessment reports.


ARTICLE 20 — SECURITY GOVERNANCE AND REPORTING

20.1 Security Governance. Provider shall designate a qualified Chief Information Security Officer (CISO) or equivalent senior security executive with responsibility for the Information Security Program.

20.2 Quarterly Reporting. Provider shall provide Customer with quarterly security reports including: (a) incident summary; (b) vulnerability management metrics; (c) patch compliance status; (d) access review results; (e) training completion rates; and (f) material changes to the Information Security Program.

20.3 Annual Security Review. Provider and Customer shall conduct an annual security review meeting to discuss security posture, emerging threats, Arizona law developments (including potential privacy legislation), audit results, and planned improvements.

20.4 Risk Management. Provider shall maintain a formal risk management program that includes regular risk assessments, risk treatment plans, and a risk register.


ARTICLE 21 — DATA RETURN AND DESTRUCTION

21.1 Data Return. Upon expiration or termination of the Master Agreement, or upon Customer's written request, Provider shall return all Customer Data to Customer in a machine-readable, industry-standard format within thirty (30) days.

21.2 Data Destruction. Following return of Customer Data (or upon Customer's written instruction), Provider shall securely destroy all copies of Customer Data in its possession or control, including backup copies, within sixty (60) days. Destruction shall comply with NIST Special Publication 800-88 (Guidelines for Media Sanitization).

21.3 Certification of Destruction. Provider shall provide Customer with a written certification of destruction signed by an authorized officer of Provider, specifying the data destroyed, the method of destruction, and the date of destruction.

21.4 Exceptions. Provider may retain Customer Data only to the extent required by applicable law, provided that: (a) Provider notifies Customer of the specific requirement; (b) the retained data remains subject to the protections of this Addendum; and (c) the retained data is destroyed promptly upon expiration of the retention requirement.

21.5 Subprocessor Data Destruction. Provider shall ensure that all Subprocessors comply with the same data return and destruction requirements.


ARTICLE 22 — INDEMNIFICATION FOR SECURITY BREACHES

22.1 Provider Indemnification. Provider shall indemnify, defend, and hold harmless Customer and its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and court costs) arising out of or resulting from:

(a) Any Breach caused by Provider's failure to comply with this Addendum;

(b) Any violation of A.R.S. § 18-552 (breach notification) caused by Provider's acts or omissions;

(c) Any civil penalties imposed under A.R.S. § 18-552, up to and including the $500,000 maximum penalty cap;

(d) Any violation of the Arizona Consumer Fraud Act (A.R.S. § 44-1521 et seq.) arising from Provider's security or privacy practices;

(e) Any restitution awarded to affected individuals due to Provider's failure to comply with breach notification requirements;

(f) Any third-party claims arising from unauthorized access to or disclosure of Customer Data attributable to Provider's negligence or willful misconduct.

22.2 Uncapped Liability. The indemnification obligations set forth in this Article shall not be subject to any limitation of liability or cap on damages set forth in the Master Agreement.

22.3 Mitigation. Provider shall take all commercially reasonable steps to mitigate damages arising from a Breach.


ARTICLE 23 — ARIZONA-SPECIFIC LEGAL PROVISIONS

23.1 Arizona Breach Notification — Detailed Provisions.

(a) Broad Definition of Personal Information. Provider acknowledges that Arizona's definition of Personal Information (A.R.S. § 18-551) is among the broader definitions in the United States, covering nine categories of data elements including Social Security numbers, driver's license numbers, private keys for electronic signatures, financial account numbers, health insurance numbers, medical/mental health information, passport numbers, taxpayer identification numbers, and biometric data.

(b) Materiality and Economic Loss Standard. Provider understands that Arizona's breach notification obligation is triggered only when the breach "materially compromises the security or confidentiality of personal information" and "causes or is reasonably likely to cause substantial economic loss to an affected individual." Provider shall interpret this standard conservatively and err on the side of notification when there is uncertainty about whether the threshold is met.

(c) Low Substitute Notice Threshold. Provider acknowledges that Arizona's substitute notice threshold ($50,000 cost) is significantly lower than most states ($250,000), making substitute notice more readily available. However, Provider shall make reasonable efforts to provide direct written or electronic notice before resorting to substitute notice.

(d) Homeland Security Notification. Arizona uniquely requires notification to the Director of the Arizona Department of Homeland Security (in addition to the Attorney General) for breaches affecting more than 1,000 individuals. Provider shall maintain current contact information for both the Attorney General and the Department of Homeland Security for breach notification purposes.

(e) Attorney General Exclusive Enforcement. Only the Arizona Attorney General may enforce violations of the breach notification statute. There is no private right of action under A.R.S. § 18-552.

23.2 Arizona Uniform Trade Secrets Act (A.R.S. § 44-401 et seq.).

(a) Provider acknowledges that Customer Data may include Trade Secrets as defined under the Arizona UTSA.

(b) Provider shall implement and maintain reasonable measures to preserve the secrecy of all Trade Secrets, including access controls, encryption, confidentiality agreements, and employee training.

(c) In the event of actual or threatened misappropriation, Customer shall be entitled to injunctive relief, actual damages, and exemplary damages not exceeding twice actual damages for willful and malicious misappropriation, plus reasonable attorneys' fees, as provided under A.R.S. § 44-403 and § 44-404.

23.3 Arizona Consumer Fraud Act (A.R.S. § 44-1521 et seq.).

(a) Provider represents that its security and data handling practices shall not constitute deception, deceptive or unfair acts, fraud, false pretenses, false promises, misrepresentations, or concealment of material facts under the Arizona Consumer Fraud Act.

(b) The Arizona Attorney General has enforcement authority under the Consumer Fraud Act, with remedies including injunctive relief, civil penalties, and restitution.

(c) Affected consumers have a private right of action under the Consumer Fraud Act (A.R.S. § 44-1528) for actual damages and equitable relief.

23.4 Forum and Governing Law.

(a) This Addendum shall be governed by and construed in accordance with the laws of the State of Arizona, without regard to its conflict-of-laws principles.

(b) Any dispute arising out of or relating to this Addendum shall be subject to the exclusive jurisdiction of the state and federal courts located in Maricopa County, State of Arizona.

(c) JURY WAIVER. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY HEREBY IRREVOCABLY WAIVES ALL RIGHT TO TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS ADDENDUM.

(d) INJUNCTIVE RELIEF. Each Party acknowledges that a breach of this Addendum may cause irreparable harm that cannot be adequately compensated by monetary damages, and that the non-breaching Party shall be entitled to seek injunctive relief in addition to all other available remedies.

23.5 Late Payment.

(a) Any undisputed amounts not paid when due shall bear interest at the rate of ten percent (10%) per annum (the maximum rate permitted under A.R.S. § 44-1201), or such other rate as specified in the Master Agreement, not to exceed the maximum rate permitted under Arizona law.


ARTICLE 24 — ELECTRONIC SIGNATURES

24.1 Validity. This Addendum may be executed by electronic signature in accordance with the Arizona Electronic Transactions Act (A.R.S. § 44-7001 et seq.) and the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. § 7001 et seq.).

24.2 Equivalence. Electronic signatures shall have the same legal force, effect, and enforceability as original wet-ink signatures. No Party shall contest the validity or enforceability of this Addendum solely on the basis that it was executed electronically.

24.3 Consent to Electronic Records. Each Party consents to the use of electronic records and electronic signatures in connection with this Addendum and all related documents, notices, and communications.

24.4 Counterparts. This Addendum may be executed in one or more counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Delivery of an executed counterpart by electronic transmission (including PDF) shall be effective as delivery of an original executed counterpart.

24.5 Retention. Each Party shall retain a complete and accurate copy of this Addendum for the duration of the Master Agreement and for the applicable statute of limitations period thereafter.


ARTICLE 25 — GENERAL PROVISIONS

25.1 Entire Agreement. This Addendum, together with the Master Agreement, constitutes the entire agreement between the Parties with respect to security and data protection.

25.2 Amendments. This Addendum may not be amended except by a written instrument signed by duly authorized representatives of both Parties.

25.3 Severability. If any provision is held invalid, the remaining provisions shall continue in full force and effect.

25.4 Waiver. No waiver shall be effective unless in writing and signed by the waiving Party.

25.5 Notices. All notices shall be in writing and delivered to the addresses specified in the Master Agreement.

25.6 Survival. Articles 14, 21, 22, 23, and 24 shall survive expiration or termination.

25.7 Assignment. Neither Party may assign this Addendum without the prior written consent of the other Party, except in connection with a merger, acquisition, or sale of all or substantially all assets.


SIGNATURE BLOCKS

IN WITNESS WHEREOF, the Parties have executed this Enterprise Security Addendum as of the Effective Date.

CUSTOMER

Field                    Details
Entity Name              [________________________________]
Authorized Signatory     [________________________________]
Title                    [________________________________]
Signature                [________________________________]
Date                     [__/__/____]
Email                    [________________________________]

PROVIDER

Field                    Details
Entity Name              [________________________________]
Authorized Signatory     [________________________________]
Title                    [________________________________]
Signature                [________________________________]
Date                     [__/__/____]
Email                    [________________________________]

EXECUTION CHECKLIST

☐ Master Agreement referenced and attached
☐ All fillable fields completed with accurate information
☐ Personal Information definition reviewed — note broad Arizona definition (nine categories) (Section 1.9)
☐ Breach notification procedures established — 45-day timeline acknowledged (Section 14.5)
☐ Attorney General and Homeland Security notification process established for breaches of 1,000+ (Section 14.5(d))
☐ Substitute notice low threshold ($50,000) acknowledged (Section 14.5(f))
☐ Arizona Consumer Fraud Act implications reviewed (Section 23.3)
☐ Subprocessor list reviewed and approved (Article 15)
☐ Insurance certificates obtained and verified (Article 18)
☐ Security contact and emergency contact designated for breach notification
☐ Provider's SOC 2 Type II report and/or ISO 27001 certification reviewed
☐ Data residency requirements confirmed (Article 11)
☐ Recovery objectives (RPO/RTO) reviewed and approved (Article 13)
☐ Arizona-licensed counsel has reviewed and approved this Addendum


SOURCES AND REFERENCES

  1. Arizona Data Breach Notification Law — A.R.S. § 18-551 et seq.
    https://www.azleg.gov/ars/18/00552.htm

  2. Arizona Attorney General — Data Breach Notification FAQ
    https://www.azag.gov/consumer/data-breach/faq

  3. Arizona Attorney General — Data Breach Notification Form
    https://www.azag.gov/consumer/data-breach/notification-form

  4. Arizona Uniform Trade Secrets Act — A.R.S. § 44-401 et seq.
    https://www.azleg.gov/ars/44/00401.htm

  5. Arizona Electronic Transactions Act — A.R.S. § 44-7001 et seq.
    https://www.azleg.gov/ars/44/07001.htm

  6. Arizona Consumer Fraud Act — A.R.S. § 44-1521 et seq.
    https://www.azleg.gov/ars/44/01521.htm

  7. Arizona Interest Rate Statute — A.R.S. § 44-1201
    https://www.azleg.gov/ars/44/01201.htm

  8. NIST Cybersecurity Framework v2.0
    https://www.nist.gov/cyberframework

  9. NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization
    https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final

  10. OWASP Top Ten
    https://owasp.org/www-project-top-ten/


Last updated: March 2026