Templates Contracts Agreements Security Addendum (Enterprise SaaS)
California Contracts Agreements
Blank Document PRO
From Template
Upload Document Word (.docx) & Markdown files
PRO
Ready to Edit
Security Addendum (Enterprise SaaS) - Free Editor

SECURITY ADDENDUM (ENTERPRISE SAAS)

California Jurisdictional Version

TABLE OF CONTENTS

  1. Scope and Order of Precedence
  2. Security Program
  3. Access Controls and Authentication
  4. Encryption
  5. Network and Infrastructure Security
  6. Application Security and SDLC
  7. Vulnerability Management
  8. Logging and Monitoring
  9. Business Continuity and Disaster Recovery
  10. Data Segregation and Residency
  11. Penetration Testing and Assessments
  12. Incident Response and Notification
  13. Audit and Compliance Reports
  14. Third-Party Subprocessors
  15. Physical Security
  16. Personnel Security and Training
  17. Data Return and Deletion
  18. Changes to Security Controls
  19. California-Specific Data Protection Requirements
  20. Governing Law and Dispute Resolution

1. SCOPE AND ORDER OF PRECEDENCE

  • Applies to the Services under the [SaaS Agreement name/date].
  • If conflict with the SaaS Agreement/DPA on security matters, this Addendum governs; otherwise, SaaS Agreement controls.

2. SECURITY PROGRAM

  • Provider maintains a written information security program with administrative, technical, and physical safeguards appropriate to risk, aligned to [ISO 27001/SOC 2/other].
  • Provider's security program shall comply with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), Cal. Civ. Code sections 1798.100 et seq., and all implementing regulations issued by the California Privacy Protection Agency (CPPA).
  • Provider shall implement reasonable security procedures and practices appropriate to the nature of the personal information, as required under California Civil Code section 1798.81.5.

3. ACCESS CONTROLS AND AUTHENTICATION

  • Role-based access; least privilege; MFA for administrative access; strong password/secret policies; session management; timely deprovisioning.

4. ENCRYPTION

  • In transit: TLS [1.2/1.3] or better; at rest: industry-standard encryption for Customer Data stores.
  • Key management: [KMS/HSM], separation of duties, rotation policies.

5. NETWORK AND INFRASTRUCTURE SECURITY

  • Segmentation of environments (prod/non-prod); firewalls/security groups; DDoS protections; hardened images; configuration management and baselines.

6. APPLICATION SECURITY AND SDLC

  • Secure development lifecycle with code review, dependency scanning, SAST/DAST for relevant components; change management with approvals and rollback plans.

7. VULNERABILITY MANAGEMENT

  • Regular scanning; prioritization/remediation targets:
  • Critical: [X] hours/days; High: [Y] days; Medium: [Z] days; Low: [define].
  • Patch management process; emergency patching for exploited vulnerabilities.

8. LOGGING AND MONITORING

  • Centralized logging for auth, access, admin actions, and security events; time-synchronized; retention [X] days/months; alerting for anomalous events.

9. BUSINESS CONTINUITY AND DISASTER RECOVERY

  • Documented BC/DR plan; tested [annually/semi-annually]; RPO [X hours], RTO [Y hours]; backups encrypted and tested for restoration.

10. DATA SEGREGATION AND RESIDENCY

  • Logical/tenant isolation; data residency options [Regions] if offered; no relocation without notice and updated transfer mechanisms.

11. PENETRATION TESTING AND ASSESSMENTS

  • Independent penetration tests [annually/semi-annually]; summary reports available under NDA; remediation tracked to closure.
  • Customer-sourced testing requires prior written approval and coordinated scope.

12. INCIDENT RESPONSE AND NOTIFICATION

  • Incident response plan with roles, runbooks, and communications.
  • Notification to Customer without undue delay and within [X] hours of confirming a Security Incident affecting Customer Data; include nature, scope, mitigations, and recommended actions.
  • In compliance with California Civil Code section 1798.82, Provider shall notify Customer of any breach of security of Customer Data in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and restore reasonable integrity of the data system.
  • Post-incident report for material incidents within [Y] business days.

13. AUDIT AND COMPLIANCE REPORTS

  • Provide current SOC 2 / ISO 27001 certificate and summary upon request; significant exceptions disclosed with remediation plans.
  • Onsite/customer audits: [once per year] with reasonable notice; subject to confidentiality and limited to security controls; time/materials fees if onsite.

14. THIRD-PARTY SUBPROCESSORS

  • Subprocessors must meet equivalent security standards; list available at [URL/Annex]; notice of new subprocessors with [X] days to object on reasonable grounds; Provider remains liable.
  • Subprocessors processing personal information of California residents must comply with CCPA/CPRA requirements for service providers and contractors.

15. PHYSICAL SECURITY

  • Data centers with industry-standard controls: access badges/biometrics, CCTV, visitor logging, environmental controls, and redundant power/cooling.

16. PERSONNEL SECURITY AND TRAINING

  • Background checks where lawful for personnel with Customer Data access, subject to the California Investigative Consumer Reporting Agencies Act (Cal. Civ. Code sections 1786 et seq.) and the California Consumer Credit Reporting Agencies Act (Cal. Civ. Code sections 1785.1 et seq.); confidentiality agreements; security and privacy training at onboarding and [annual] refreshers.

17. DATA RETURN AND DELETION

  • Upon termination/expiry, Customer Data returned or deleted per Agreement/DPA within [X] days; secure deletion methods; backups aged out on standard cycles unless legal hold applies.
  • Data deletion shall comply with CCPA/CPRA deletion requirements, including verification of deletion and notification upon completion.

18. CHANGES TO SECURITY CONTROLS

  • Material reductions not permitted without Customer consent; non-material updates allowed to improve or maintain security posture.
  • Notice of material changes to contact [security contact].

19. CALIFORNIA-SPECIFIC DATA PROTECTION REQUIREMENTS

19.1 CCPA/CPRA Compliance

  • Provider, acting as a service provider or contractor under CCPA/CPRA, shall:
  • Process personal information only for the specific business purposes set forth in the Agreement;
  • Not sell or share personal information of California consumers;
  • Not retain, use, or disclose personal information outside the direct business relationship;
  • Comply with CPRA requirements for sensitive personal information;
  • Provide reasonable assistance to Customer for responding to consumer rights requests including access, deletion, correction, and data portability requests;
  • Certify understanding and compliance with CCPA/CPRA obligations upon request.

19.2 California Trade Secret Protection

  • Provider acknowledges that Customer's Confidential Information may include trade secrets as defined under the California Uniform Trade Secrets Act (Cal. Civ. Code sections 3426 et seq.) and the federal Defend Trade Secrets Act (18 U.S.C. section 1836 et seq.), and shall protect such information accordingly.

19.3 California E-Signatures

  • Electronic signatures under this Addendum shall be valid and enforceable pursuant to the California Uniform Electronic Transactions Act (Cal. Civ. Code sections 1633.1 et seq.) and the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act).

20. GOVERNING LAW AND DISPUTE RESOLUTION

20.1 Governing Law

This Addendum and any dispute arising out of or relating hereto shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of laws rules.

20.2 Forum Selection

Subject to any arbitration provisions in the Master Agreement, the Parties consent to the exclusive jurisdiction of the state and federal courts located in [San Francisco County / Los Angeles County / Santa Clara County], California, for any litigation arising out of or relating to this Addendum, and waive any objection to venue or forum non conveniens.

20.3 Jury Trial Waiver

EACH PARTY HEREBY KNOWINGLY, VOLUNTARILY, AND IRREVOCABLY WAIVES ITS RIGHT TO A TRIAL BY JURY IN ANY ACTION OR PROCEEDING ARISING OUT OF OR RELATING TO THIS ADDENDUM, TO THE EXTENT SUCH WAIVER IS ENFORCEABLE UNDER CALIFORNIA LAW.
[// GUIDANCE: California courts generally enforce jury waivers if knowing, voluntary, and not unconscionable. Consider including express acknowledgment of waiver.]

20.4 Injunctive Relief

Each Party acknowledges that a breach of the security obligations herein would cause irreparable harm for which monetary damages are an inadequate remedy. Accordingly, in the event of any such breach, the non-breaching Party may seek injunctive relief in addition to any other remedy available at law or equity, without posting bond or other security to the extent permitted under California Code of Civil Procedure section 529.

20.5 Late Payment Interest

Late payments under this Addendum shall accrue interest at the rate specified in the Master Agreement, or if not specified, at 10% per annum, the maximum rate permitted under California Constitution Article XV, Section 1, for non-exempt transactions, or if exempt, at the rate agreed by the parties not to exceed the maximum permitted by applicable law.

AI Legal Assistant

Security Addendum (Enterprise SaaS)

Download this template free, or draft it 10x faster with Ezel.

Stop spending hours on:

  • Searching for the right case law
  • Manually tracking changes in Word
  • Checking citations one by one
  • Hunting through emails for client documents

Ezel is the complete legal workspace:

  • Case Law Search — All 50 states + federal, natural language
  • Document Editor — Word-compatible track changes
  • Citation Checking — Verify every case before you file
  • Matters — Organize everything by client or case