Security Addendum - Enterprise (California)

SECURITY ADDENDUM -- ENTERPRISE (CALIFORNIA)

Addendum Effective Date: [__/__/____]

Addendum Number: [________________________________]


PARTIES

Customer ("Customer"):

Field Details
Legal Name [________________________________]
Address [________________________________]
State of Organization [________________________________]
Primary Security Contact [________________________________]
Security Contact Email [________________________________]

Provider ("Provider"):

Field Details
Legal Name [________________________________]
Address [________________________________]
State of Organization [________________________________]
Primary Security Contact [________________________________]
Security Contact Email [________________________________]

RECITALS

WHEREAS, Customer and Provider have entered into that certain Master Agreement dated [__/__/____] (the "Master Agreement"), pursuant to which Provider delivers certain services (the "Services") to Customer;

WHEREAS, the provision of Services involves Provider's access to, processing of, or storage of Customer Data, and the Parties desire to establish binding security obligations governing Provider's handling of such data;

WHEREAS, the Parties acknowledge that the handling of Personal Information of California residents is subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA, Cal. Civ. Code § 1798.100 et seq.), the California breach notification statute (Cal. Civ. Code § 1798.82, as amended by SB-446 effective January 1, 2026), and the reasonable security requirement of Cal. Civ. Code § 1798.81.5;

WHEREAS, the Parties further acknowledge that Cal. Civ. Code § 1798.150 provides consumers a private right of action for breaches resulting from a business's failure to implement reasonable security procedures, creating heightened security obligations; and

NOW, THEREFORE, the Parties agree as follows:


TABLE OF CONTENTS

  1. Reference to Master Agreement and Order of Precedence
  2. Definitions
  3. Security Program Requirements
  4. Access Controls
  5. Network Security
  6. Encryption Standards
  7. Application Security and Secure Development
  8. Vulnerability Management
  9. Penetration Testing
  10. Logging and Monitoring
  11. Incident Response and Breach Notification
  12. Business Continuity and Disaster Recovery
  13. Data Segregation and Residency
  14. Personnel Security
  15. Physical Security
  16. Subprocessor Security Requirements
  17. Compliance and Certifications
  18. Audit Rights
  19. Security SLA Metrics
  20. Data Return and Destruction
  21. California-Specific Provisions
  22. General Provisions
  23. Signatures

1. REFERENCE TO MASTER AGREEMENT AND ORDER OF PRECEDENCE

1.1 This Security Addendum ("Addendum") supplements the Master Agreement between the Parties dated [__/__/____]. Capitalized terms not defined herein have meanings from the Master Agreement or associated DPA.

1.2 In the event of conflict on security matters, this Addendum prevails. On other matters, the Master Agreement controls.

1.3 This Addendum remains in effect for the duration of the Master Agreement and for so long as Provider retains Customer Data.


2. DEFINITIONS

2.1 "Authorized Personnel" means Provider's employees, contractors, or agents with a demonstrated business need to access Customer Data who have been vetted and trained per Section 14.

2.2 "Customer Data" means all data provided by or on behalf of Customer to Provider, or that Provider accesses, processes, stores, or transmits in connection with the Services, including Personal Information as defined by California law.

2.3 "Data Breach" or "Security Incident" means any confirmed or reasonably suspected unauthorized access to, acquisition of, use of, disclosure of, or loss of Customer Data, or any event compromising the confidentiality, integrity, or availability of Customer Data.

2.4 "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined in Cal. Civ. Code § 1798.140(v). For breach notification purposes, Personal Information also includes the categories specified in Cal. Civ. Code § 1798.82(h).

2.5 "Reasonable Security" means the implementation and maintenance of reasonable security procedures and practices appropriate to the nature of the information, as required by Cal. Civ. Code § 1798.81.5 and as informed by the California Attorney General's guidance referencing the CIS Controls.

2.6 "Information Security Program" means Provider's documented program of administrative, technical, and physical safeguards.

2.7 "Subprocessor" means any third party engaged by Provider to process Customer Data on Provider's behalf.


3. SECURITY PROGRAM REQUIREMENTS

3.1 General Obligation. Provider shall establish, implement, and maintain a written Information Security Program with administrative, technical, and physical safeguards appropriate to the nature, size, and complexity of Provider's operations and the sensitivity of Customer Data. The program shall be designed to:

  • (a) Protect the confidentiality, integrity, and availability of Customer Data;
  • (b) Protect against reasonably anticipated threats or hazards;
  • (c) Protect against unauthorized access to or use of Customer Data;
  • (d) Meet the "reasonable security" standard of Cal. Civ. Code § 1798.81.5; and
  • (e) Ensure compliance with CCPA/CPRA and all applicable California data protection laws.

3.2 California Reasonable Security Standard. The California Attorney General has identified the CIS Controls as a baseline for "reasonable security." Provider's Information Security Program shall, at minimum, implement all CIS Controls applicable to Provider's environment, as supplemented by the specific requirements of this Addendum.

3.3 Administrative Safeguards.

  • (a) Qualified CISO or equivalent responsible for the Information Security Program;
  • (b) Documented policies reviewed and updated at least annually;
  • (c) Annual risk assessments with documented findings and remediation;
  • (d) Security awareness training for all personnel;
  • (e) Documented incident response plan tested annually; and
  • (f) Vendor and third-party risk management program.

3.4 Framework Alignment.

☐ NIST Cybersecurity Framework (CSF) 2.0
☐ ISO/IEC 27001:2022
☐ SOC 2 Type II Trust Services Criteria
☐ CIS Controls v8 (California AG recommended baseline)
☐ NIST SP 800-53 Rev. 5
☐ Other: [________________________________]


4. ACCESS CONTROLS

4.1 Only Authorized Personnel on a least-privilege, need-to-know basis.

4.2 Authentication Requirements.

☐ Multi-Factor Authentication (MFA) for all administrative and privileged access
☐ Multi-Factor Authentication (MFA) for all remote access
☐ Multi-Factor Authentication (MFA) for all user access to Customer Data
☐ Role-Based Access Control (RBAC) enforced across all systems
☐ Single Sign-On (SSO) using SAML 2.0 or OpenID Connect
☐ Encryption at Rest for all stored secrets and credentials (API keys, tokens, service-account keys) using AES-256 or equivalent; user passwords are never stored reversibly and are hashed per Section 4.3(f)
☐ Encryption in Transit for all credential transmissions (TLS 1.2+)

4.3 Password Policies.

  • (a) Minimum [____] characters (12 recommended);
  • (b) Complexity requirements;
  • (c) Rotation not to exceed [____] days for privileged accounts;
  • (d) Prohibition against reuse of previous [____] passwords;
  • (e) Lockout after [____] consecutive failed attempts; and
  • (f) Passwords stored only as salted hashes computed with an adaptive or memory-hard password hashing function (Argon2id, bcrypt, or scrypt), never in plaintext or reversibly encrypted form.
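The following is an added worked example, not part of the Addendum, showing how a Provider could implement 4.3(a), 4.3(d) and 4.3(f) in application code. It uses scrypt from the Python standard library in place of Argon2id or bcrypt (both of which need third-party packages); the scrypt cost parameters, the 12-character minimum and the 5-password history depth are assumed values standing in for the blank fields above, and the Account class is a hypothetical model constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed values for the blank fields in Section 4.3 (not from the Addendum).
MIN_LENGTH = 12          # 4.3(a): minimum password length
HISTORY_DEPTH = 5        # 4.3(d): number of previous passwords that may not be reused
SALT_LEN = 16
# scrypt cost: N=2^14, r=8 uses 128*r*N = 16 MiB of memory per hash, which is what
# makes offline cracking expensive. Tune upward for production hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def hash_password(password: str) -> bytes:
    """Return salt || scrypt digest. A fresh random salt per password defeats
    rainbow tables and makes identical passwords hash differently (4.3(f))."""
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so response timing does not leak how many bytes of the digest matched."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), digest)


@dataclass
class Account:
    """Hypothetical account record: current hash plus the hashes of prior passwords.
    Old passwords are kept only as hashes, so the reuse check in 4.3(d) never
    requires storing a recoverable password."""
    current: bytes
    history: List[bytes] = field(default_factory=list)  # most recent first


def set_password(acct: Account, new_password: str) -> Optional[str]:
    """Apply the 4.3(a) length rule and the 4.3(d) reuse rule.
    Returns None on success, otherwise a short rejection reason."""
    if len(new_password) < MIN_LENGTH:
        return "too_short"
    # Reuse check covers the current password and the retained history.
    for old in [acct.current, *acct.history]:
        if verify_password(new_password, old):
            return "reused"
    # Rotate: current becomes history, trimmed so current + history = HISTORY_DEPTH.
    acct.history = [acct.current, *acct.history][:HISTORY_DEPTH - 1]
    acct.current = hash_password(new_password)
    return None


if __name__ == "__main__":
    acct = Account(current=hash_password("correct horse battery"))
    print(verify_password("correct horse battery", acct.current))   # True
    print(set_password(acct, "short1"))                              # too_short
    print(set_password(acct, "correct horse battery"))               # reused
    print(set_password(acct, "new passphrase here"))                 # None
```

The reuse check deliberately re-runs the slow hash against every retained entry; with a history depth in the single digits that cost is negligible at password-change time, and it avoids the common mistake of keeping old passwords in a reversible form just to compare them.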

4.4 Automatic session timeout after [____] minutes of inactivity.

4.5 Quarterly access reviews for privileged accounts; semi-annual for all others.

4.6 Access revoked within twenty-four (24) hours of termination or role change.


5. NETWORK SECURITY

5.1 Segmentation between production/non-production, Customer Data environments and corporate networks, different tenant environments, and internet-facing/internal systems.

5.2 Next-generation firewalls, IDS/IPS, WAF, DDoS protection, DNS security, and NAC.

5.3 All remote access via encrypted VPN or equivalent with MFA.


6. ENCRYPTION STANDARDS

6.1 TLS 1.2 or higher for all data in transit; TLS 1.3 preferred.

6.2 AES-256 or equivalent at rest for all databases, file storage, backups, and logs.

6.3 Key management via KMS or HSM; separation of duties; rotation not to exceed [____] days; secure storage separate from data.

6.4 California Encryption Safe Harbor. Under Cal. Civ. Code § 1798.82, the breach notification obligation does not apply to Personal Information that was encrypted, unless the encryption key or security credential was also acquired and is reasonably believed capable of rendering the information readable or usable. Provider shall implement encryption controls sufficient to qualify for this safe harbor: keys shall be held in a KMS or HSM under access controls separate from those governing the encrypted data, shall never be stored alongside the data or on the same host in recoverable form, and key access shall be logged so that Provider can demonstrate after an incident that keys were not acquired.


7. APPLICATION SECURITY AND SECURE DEVELOPMENT

7.1 Secure SDLC with SAST, DAST, SCA, peer code review, container scanning, and security sign-off prior to deployment.

7.2 Formal change management with approval, testing, and rollback procedures.


8. VULNERABILITY MANAGEMENT

8.1 External systems: weekly scans; internal: monthly; web applications: monthly.

8.2 Remediation Timelines.

Severity    CVSS Score    Remediation Timeline
Critical    9.0 - 10.0    [____] hours (72 hours recommended)
High        7.0 - 8.9     [____] days (7 days recommended)
Medium      4.0 - 6.9     [____] days (30 days recommended)
Low         0.1 - 3.9     [____] days (90 days recommended)

8.3 Emergency patches or compensating controls within twenty-four (24) hours for zero-days.


9. PENETRATION TESTING

9.1 Independent third-party testing at least annually covering external/internal network, web apps, and APIs.

9.2 Executive summaries under NDA within thirty (30) days.

9.3 Critical/high findings remediated per Section 8.2.

9.4 Customer-initiated testing with [____] days' notice and agreed scope.


10. LOGGING AND MONITORING

10.1 Comprehensive logging of authentication, authorization, administrative actions, data access/modification, configuration changes, and security alerts.

10.2 SIEM centralization, time synchronization, minimum [____] days retention (365 recommended), tamper protection.

10.3 24/7/365 monitoring with automated alerting.


11. INCIDENT RESPONSE AND BREACH NOTIFICATION

11.1 Incident Response Plan. Provider shall maintain a documented plan with designated team, severity classifications, escalation procedures, containment/recovery, evidence preservation, and annual exercises.

11.2 Notification to Customer. Provider shall notify Customer of any confirmed or reasonably suspected Security Incident without undue delay and no later than [____] hours (48 recommended) after Provider becomes aware of it, and shall not delay notification pending completion of its own investigation. The notification shall include the nature and scope of the incident, data types and categories of Personal Information involved, estimated number of affected individuals (including California residents), containment steps taken, recommended actions for Customer, and the contact details of Provider's incident lead, with updates as further information becomes available.

11.3 California Breach Notification Requirements (Cal. Civ. Code § 1798.82, as amended by SB-446). Provider acknowledges and shall cooperate with Customer's obligations under California law:

(a) Individual Notification Timeline. Effective January 1, 2026, disclosure must be made to affected California residents within thirty (30) calendar days of discovery or notification of the breach. Provider shall ensure its notification to Customer enables Customer to meet this deadline.

(b) Attorney General Notification. For breaches involving more than 500 California residents, notice must be submitted to the California Attorney General within fifteen (15) calendar days of notifying affected residents.

(c) Notification Content. The notice must be titled "Notice of Data Breach" and written in plain language with the following sections: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information." Text shall be no smaller than 10-point type.

(d) Covered Information (Cal. Civ. Code § 1798.82(h)). Notification is triggered when unencrypted Personal Information (or encrypted Personal Information together with the encryption key or security credential) is acquired by an unauthorized person. Covered elements are an individual's first name or first initial and last name in combination with one or more of: (i) Social Security number; (ii) driver's license number, California identification card number, tax identification number, passport number, military identification number, or other unique government-issued identification number; (iii) account number or credit or debit card number in combination with any required security code, access code, or password; (iv) medical information; (v) health insurance information; (vi) unique biometric data; or (vii) genetic data. Also covered is a username or email address in combination with a password or security question and answer that would permit access to an online account.

(e) Law Enforcement Delay. Notification may be delayed at law enforcement request if it would impede a criminal investigation.

11.4 CCPA Private Right of Action (Cal. Civ. Code § 1798.150). Provider acknowledges that California consumers have a private right of action for breaches of nonencrypted and nonredacted Personal Information resulting from a business's violation of the duty to implement and maintain reasonable security procedures. Provider's compliance with this Addendum is intended to satisfy the reasonable security standard and mitigate this risk.

11.5 Post-Incident Report. Written report within [____] business days (15 recommended) of closure.

11.6 Costs. Unless caused by Customer's sole negligence, Provider bears costs of investigating and remediating incidents caused by Provider's breach of this Addendum.


12. BUSINESS CONTINUITY AND DISASTER RECOVERY

12.1 Documented BC/DR plans.

12.2 Recovery Objectives.

Metric    Target
RPO       [____] hours
RTO       [____] hours
MTD       [____] hours

12.3 Encrypted backups at geographically separate locations, tested quarterly.

12.4 Plans tested [annually / semi-annually]; results available to Customer.


13. DATA SEGREGATION AND RESIDENCY

13.1 Logical tenant isolation in multi-tenant environments.

13.2 Customer Data not used in non-production without anonymization or Customer consent.

13.3 Data Residency.

☐ United States
☐ California-only (if required)
☐ EEA (for GDPR-covered data)
☐ Other: [________________________________]

No relocation without Customer's prior written consent.


14. PERSONNEL SECURITY

14.1 Background checks consistent with California law (including Cal. Lab. Code § 432.7 restrictions on use of arrest records) on all personnel with Customer Data access.

14.2 Written confidentiality agreements before access.

14.3 Security training at onboarding, annually, with quarterly phishing simulations and role-specific training.


15. PHYSICAL SECURITY

15.1 Data centers with controlled entry, multi-factor access (badge plus biometric), 24/7 CCTV with [____] days retention, visitor logging, environmental controls, redundant power and network.


16. SUBPROCESSOR SECURITY REQUIREMENTS

16.1 Subprocessors bound to equivalent security obligations.

16.2 Due diligence prior to engagement and annually.

16.3 Current Subprocessor list available to Customer on request.

16.4 At least [____] days (30 recommended) prior notice before new Subprocessors.

16.5 Provider fully liable for Subprocessors' acts and omissions.


17. COMPLIANCE AND CERTIFICATIONS

17.1 Required Certifications.

☐ SOC 2 Type II Report
☐ ISO/IEC 27001:2022 Certification
☐ HITRUST CSF Certification
☐ FedRAMP Authorization (Level: [________________________________])
☐ PCI DSS Compliance (Version/Level: [________________________________])
☐ ISO/IEC 27701:2019
☐ CSA STAR Certification
☐ Other: [________________________________]

17.2 Reports available under NDA within [____] business days.

17.3 Compliance with all applicable California and federal laws.


18. AUDIT RIGHTS

18.1 Customer audits up to [____] time(s) per year with [____] business days' notice. Full cooperation. Material findings remediated promptly.

18.2 Cooperation with regulatory audits (including California Attorney General and California Privacy Protection Agency).

18.3 Costs borne by each Party unless audit reveals material Provider breach.


19. SECURITY SLA METRICS

Metric                               Target          Measurement
Uptime / Availability                [____]%         Monthly
MTTD Security Incidents              [____] hours    Per incident
MTTR Security Incidents              [____] hours    Per incident
Critical Vulnerability Remediation   [____] hours    Per vulnerability
High Vulnerability Remediation       [____] days     Per vulnerability
Patch Currency                       [____]%         Monthly
Penetration Test Completion          Annually        Annual
Security Training Completion         [____]%         Annual
Access Review Completion             100%            Quarterly
Backup Restoration Success           [____]%         Quarterly

Quarterly reporting. Persistent failure constitutes material breach.


20. DATA RETURN AND DESTRUCTION

20.1 Return in machine-readable format within [____] days (30 recommended).

20.2 Secure destruction per NIST SP 800-88 Rev. 1 (Guidelines for Media Sanitization), using clear, purge, or destroy methods appropriate to the media and data sensitivity, within [____] days (60 recommended).

20.3 Written certification of destruction.

20.4 Legal hold exception with notice and continued protection.


21. CALIFORNIA-SPECIFIC PROVISIONS

21.1 CCPA/CPRA Service Provider Obligations. To the extent Provider acts as a "Service Provider" or "Contractor" under the CCPA/CPRA (Cal. Civ. Code § 1798.140), Provider shall implement security measures consistent with the requirements imposed on service providers and contractors, including prohibitions on selling or sharing Personal Information and limitations on secondary use.

21.2 Reasonable Security Standard. Provider represents and warrants that its Information Security Program satisfies the "reasonable security procedures and practices" standard of Cal. Civ. Code § 1798.81.5, as interpreted by the California Attorney General with reference to the CIS Controls.

21.3 California Privacy Protection Agency. Provider acknowledges that the California Privacy Protection Agency (CPPA) has rulemaking authority over CCPA/CPRA compliance, including cybersecurity audit requirements. Provider shall comply with any applicable CPPA regulations and cooperate with any CPPA audit or investigation.

21.4 Governing Law. This Addendum shall be governed by California law without regard to conflict-of-laws principles.

21.5 Forum. Disputes shall be brought in the state or federal courts in [________________________________] County, California.

21.6 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY CALIFORNIA LAW, THE PARTIES WAIVE TRIAL BY JURY.


22. GENERAL PROVISIONS

22.1 This Addendum and the Master Agreement constitute the entire agreement on security matters.

22.2 Amendments only by written instrument signed by both Parties.

22.3 Severability.

22.4 Survival of Sections 2, 11, 18, 20, and 21.


23. SIGNATURES

IN WITNESS WHEREOF, the Parties have executed this Security Addendum as of the Addendum Effective Date.

CUSTOMER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

PROVIDER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]


IMPLEMENTATION CHECKLIST

☐ Master Agreement referenced and attached
☐ Security framework(s) selected in Section 3.4
☐ Authentication requirements confirmed in Section 4.2
☐ Data residency selected in Section 13.3
☐ Required certifications selected in Section 17.1
☐ All bracketed fields completed
☐ Vulnerability remediation timelines agreed in Section 8.2
☐ Incident notification timeline agreed in Section 11.2
☐ California 30-day breach notification deadline reviewed (Section 11.3)
☐ CCPA private right of action risk acknowledged (Section 11.4)
☐ CIS Controls baseline confirmed (Section 3.2)
☐ Security SLA targets agreed in Section 19
☐ Reviewed by attorney licensed in California
☐ Reviewed by information security professionals
☐ Signed by authorized representatives


SOURCES AND REFERENCES

  • CCPA/CPRA, Cal. Civ. Code § 1798.100 et seq. -- https://leginfo.legislature.ca.gov/
  • Cal. Civ. Code § 1798.82 (Breach Notification, as amended by SB-446) -- https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82
  • Cal. Civ. Code § 1798.81.5 (Reasonable Security) -- https://leginfo.legislature.ca.gov/
  • Cal. Civ. Code § 1798.150 (Private Right of Action) -- https://leginfo.legislature.ca.gov/
  • California AG Data Breach Reporting -- https://oag.ca.gov/privacy/databreach/reporting
  • NIST Cybersecurity Framework 2.0 -- https://www.nist.gov/cyberframework
  • CIS Controls v8 -- https://www.cisecurity.org/controls
Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: April 2026