Enterprise Security Addendum — Colorado

ENTERPRISE SECURITY ADDENDUM

Colorado Jurisdictional Version

Addendum Effective Date: [__/__/____]

Master Agreement Reference: [________________________________]

Master Agreement Date: [__/__/____]


RECITALS

WHEREAS, the entity identified as "Customer" ("[________________________________]," a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________]) and the entity identified as "Provider" ("[________________________________]," a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________]) have entered into the Master Agreement referenced above (the "Master Agreement");

WHEREAS, Provider will Process, store, transmit, or otherwise have access to Customer Data, including Personal Information and Personal Data as defined under Colorado law, in connection with the services described in the Master Agreement;

WHEREAS, the Colorado Privacy Act (C.R.S. §§ 6-1-1301 through 6-1-1314, effective July 1, 2023) establishes comprehensive consumer data privacy rights and imposes obligations on Controllers and Processors, including requirements for data processing agreements;

WHEREAS, Colorado's data breach notification statute (C.R.S. § 6-1-716) imposes a strict thirty (30)-day notification timeline and specific obligations regarding notification following a security breach;

WHEREAS, the Colorado Attorney General has promulgated rules under 4 CCR 904-3 further implementing the Colorado Privacy Act;

WHEREAS, the Parties desire to establish the security standards, controls, and obligations that Provider shall maintain in connection with the Processing of Customer Data and to satisfy the data processing agreement requirements of the CPA;

NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein and in the Master Agreement, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:


ARTICLE 1 — DEFINITIONS

1.1 "Authorized User" means any individual who has been granted access to Customer Data by Customer or through Customer's authorization, including employees, contractors, and agents operating under appropriate access controls.

1.2 "Bona Fide Loyalty Program" means a program operated by Customer that complies with the requirements of C.R.S. § 6-1-1304(2)(c) of the CPA.

1.3 "Business Day" means any day other than a Saturday, Sunday, or day on which banks in the State of Colorado are authorized or required to be closed.

1.4 "Confidential Information" means all non-public information disclosed by either Party to the other, including but not limited to Trade Secrets as defined under C.R.S. § 7-74-102(4), Customer Data, business plans, technical specifications, and security configurations.

1.5 "Consumer" means an individual who is a Colorado resident acting only in an individual or household context, as defined under C.R.S. § 6-1-1303(7).

1.6 "Controller" means a person that, alone or jointly with others, determines the purposes and means of Processing Personal Data, as defined under C.R.S. § 6-1-1303(8).

1.7 "Colorado Privacy Act" or "CPA" means C.R.S. §§ 6-1-1301 through 6-1-1314 and the rules promulgated thereunder at 4 CCR 904-3, as amended from time to time.

1.8 "Customer Data" means all data, records, files, information, and materials provided by or on behalf of Customer or collected or generated by Provider on behalf of Customer in the course of performing services under the Master Agreement.

1.9 "Data Protection Assessment" means an assessment of Processing activities that present a heightened risk of harm to Consumers, as required under C.R.S. § 6-1-1309.

1.10 "Encryption" means the transformation of data into a form in which meaning cannot be assigned without the use of a decryption key, using methods consistent with current industry standards including AES-256 for data at rest and TLS 1.2 or higher for data in transit.

1.11 "Incident" means any event that results in, or has the reasonable potential to result in, unauthorized access to, disclosure of, or loss of Customer Data, including Security Breaches.

1.12 "Multi-Factor Authentication" or "MFA" means an authentication mechanism requiring at least two distinct factors from: (a) something the user knows; (b) something the user possesses; and (c) something the user is.

1.13 "Personal Data" means information that is linked or reasonably linkable to an identified or identifiable individual, as defined under C.R.S. § 6-1-1303(17). Personal Data does not include de-identified data or publicly available information.

1.14 "Personal Information" means, as defined under C.R.S. § 6-1-716(1)(g), any of the following: (a) a Colorado resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident: (i) Social Security number; (ii) student, military, or passport identification number; (iii) driver's license number or identification card number; (iv) medical information; (v) health insurance identification number; or (vi) biometric data; (b) a Colorado resident's username or email address, in combination with a password or security questions and answers, that would permit access to an online account; or (c) a Colorado resident's account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account. Personal Information does not include data elements that are encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable, nor publicly available information lawfully made available to the general public from federal, state, or local government records or widely distributed media. Categories (b) and (c) are Personal Information on their own and do not require the resident's name to be present.

1.15 "Process" or "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined under C.R.S. § 6-1-1303(18).

1.16 "Processor" means a person that Processes Personal Data on behalf of a Controller, as defined under C.R.S. § 6-1-1303(19).

1.17 "Profiling" means any form of automated Processing of Personal Data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements, as defined under C.R.S. § 6-1-1303(20).

1.18 "Security Breach" means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of Personal Information maintained by a covered entity, as defined under C.R.S. § 6-1-716.

1.19 "Sensitive Data" means Personal Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status; genetic or biometric data processed for the purpose of uniquely identifying an individual; or Personal Data from a known child, as defined under C.R.S. § 6-1-1303(24).

1.20 "Subprocessor" means any third party engaged by Provider to Process Customer Data on behalf of Customer.

1.21 "Targeted Advertising" means displaying advertisements to a Consumer where the advertisement is selected based on Personal Data obtained from that Consumer's activities over time and across nonaffiliated websites or online applications to predict such Consumer's preferences or interests, as defined under C.R.S. § 6-1-1303(25).

1.22 "Trade Secret" means information as defined under C.R.S. § 7-74-102(4), including the whole or any portion of any scientific or technical information, design, process, procedure, formula, improvement, confidential business or financial information, or other information relating to any business or profession that is secret and of value.

1.23 "Universal Opt-Out Mechanism" means a mechanism that clearly communicates a Consumer's affirmative, freely given, and unambiguous choice to opt out of the Processing of Personal Data for Targeted Advertising or sale, as specified in 4 CCR 904-3.


ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE

2.1 Scope. This Addendum applies to all Customer Data that Provider Processes, accesses, stores, transmits, or otherwise handles in connection with the Master Agreement. This Addendum shall bind Provider and all Subprocessors. This Addendum also serves as the data processing agreement required under C.R.S. § 6-1-1305(4) of the CPA.

2.2 Order of Precedence. In the event of a conflict between this Addendum and the Master Agreement, this Addendum shall control with respect to information security, data protection, and privacy matters. In the event of a conflict between this Addendum and applicable Colorado law, applicable law shall control.

2.3 Minimum Standards. The requirements in this Addendum establish minimum standards. Where the Master Agreement or applicable law imposes more stringent requirements, Provider shall comply with the more stringent standard.

2.4 Regulatory Changes. Provider shall monitor changes to Colorado law, including CPA amendments and Attorney General rulemaking under 4 CCR 904-3, and shall notify Customer within thirty (30) days of any change that materially affects Provider's obligations under this Addendum.


ARTICLE 3 — INFORMATION SECURITY PROGRAM

3.1 Comprehensive Security Program. Provider shall establish, implement, and maintain a written information security program ("ISP") that includes administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, use, disclosure, alteration, or destruction.

3.2 Framework Alignment. Provider's ISP shall be aligned with one or more of the following recognized frameworks:

☐ ISO/IEC 27001:2022 — Information Security Management System
☐ SOC 2 Type II — Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy)
☐ NIST Cybersecurity Framework (CSF) 2.0
☐ NIST SP 800-53 Rev. 5 — Security and Privacy Controls
☐ CIS Controls v8

3.3 CPA Security Obligations. Consistent with C.R.S. § 6-1-1305(3), Provider, as a Processor, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and to assist Customer in meeting Customer's obligations under the CPA, including obligations related to the security of Processing Personal Data and breach notification.

3.4 Risk Assessment. Provider shall conduct a comprehensive risk assessment at least annually and whenever material changes occur to the processing environment. Risk assessments shall:

(a) Identify threats and vulnerabilities relevant to Customer Data;
(b) Evaluate the likelihood and potential impact of identified risks;
(c) Document risk treatment decisions and residual risk acceptance;
(d) Be reviewed and approved by Provider's senior information security leadership.

3.5 Security Policies. Provider shall maintain documented security policies covering, at minimum: access control, encryption, incident response, vulnerability management, change management, acceptable use, data classification, and business continuity. Policies shall be reviewed and updated at least annually.


ARTICLE 4 — ACCESS CONTROLS

4.1 Role-Based Access Control. Provider shall implement and maintain role-based access control ("RBAC") ensuring that access to Customer Data is limited to personnel whose job functions require such access.

4.2 Principle of Least Privilege. All access to Customer Data shall be granted on a need-to-know basis consistent with the principle of least privilege. Provider shall not grant standing administrative access where temporary or just-in-time access is feasible.

4.3 Multi-Factor Authentication. Provider shall require MFA for:

(a) All remote access to systems containing Customer Data;
(b) All administrative or privileged access to production environments;
(c) Access to security infrastructure including firewalls, SIEM, and identity management systems;
(d) Access to cloud management consoles and dashboards;
(e) VPN connections to Provider's network.

4.4 Authentication Standards. Provider shall enforce:

(a) Minimum password length of fourteen (14) characters with complexity requirements;
(b) Account lockout after no more than five (5) consecutive failed authentication attempts;
(c) Automatic session timeout after fifteen (15) minutes of inactivity for privileged sessions and thirty (30) minutes for standard sessions;
(d) Prohibition of shared or generic accounts for access to Customer Data.

4.5 Access Reviews. Provider shall conduct access reviews on the following schedule:

(a) Quarterly — Review of all user access rights to systems containing Customer Data;
(b) Monthly — Review of privileged and administrative access;
(c) Within twenty-four (24) hours — Revocation of access for terminated personnel;
(d) Within five (5) Business Days — Adjustment of access for personnel who change roles.

4.6 Access Logging. All access to Customer Data shall be logged, including the identity of the accessor, timestamp, data accessed, and actions performed. Access logs shall be retained for a minimum of twelve (12) months.


ARTICLE 5 — ENCRYPTION STANDARDS

5.1 Data in Transit. All Customer Data transmitted over any network shall be encrypted using TLS 1.2 or higher with cipher suites that provide forward secrecy (ephemeral Diffie-Hellman key exchange, e.g., ECDHE), so that later compromise of a server's long-term private key does not expose previously recorded sessions. SSL 3.0 and earlier, TLS 1.0, and TLS 1.1 are prohibited.

5.2 Data at Rest. All Customer Data stored in any medium shall be encrypted using AES-256 or equivalent. Encryption shall apply to:

(a) Production databases and data stores;
(b) Backup and archival media;
(c) File systems and object storage;
(d) Removable media (where authorized by Customer);
(e) Laptop and workstation hard drives.

5.3 Colorado Encryption Safe Harbor. The Parties acknowledge that under C.R.S. § 6-1-716, data that is encrypted, redacted, or secured by any other method rendering it unreadable or unusable is excluded from the definition of Personal Information for breach notification purposes. The safe harbor is lost, however, where the encryption key or other means to decipher the data was also acquired, or is reasonably believed to have been acquired, in the same Security Breach. Provider shall therefore maintain encryption at all times and shall protect encryption keys in accordance with Section 5.4 so that a compromise of encrypted Customer Data does not also expose the keys needed to decrypt it.

5.4 Key Management. Provider shall implement a key management program that includes:

(a) Generation of encryption keys using cryptographically secure methods;
(b) Separation of key management duties from data custodian duties;
(c) Storage of encryption keys in hardware security modules ("HSMs") or equivalent key management systems;
(d) Rotation of encryption keys at least annually and upon suspected compromise;
(e) Secure destruction of retired encryption keys.
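The key management program of Section 5.4 is easiest to see in code. The following is an added illustration, not part of this Addendum or of any Provider's system: envelope encryption in Go, with a hypothetical in-process KeyStore standing in for the HSM or key management system of 5.4(c). Each record is encrypted under its own AES-256-GCM data key; that data key is wrapped under a key encryption key that never leaves the store (the duty separation of 5.4(b)); rotation under 5.4(d) rewraps only the small wrapped key rather than re-encrypting the data; and destroying a retired key under 5.4(e) makes anything still wrapped under it unrecoverable. The key identifiers, the KeyStore type and the record contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is one stored record: data encrypted under a per-record DEK, plus that DEK
// wrapped under the KEK named by KEKID. Both byte fields are AES-256-GCM nonce||ct||tag.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte // 12 + 32 + 16 = 60 bytes
	Ciphertext []byte
}

// KeyStore stands in for the HSM/KMS of 5.4(c): KEK bytes live only here, and callers
// get wrap/unwrap operations rather than keys, which is the separation of 5.4(b).
type KeyStore struct {
	keks    map[string][]byte
	current string
}

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // 5.4(a): keys and nonces come from the OS CSPRNG; failure is fatal
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // only a bad key size fails here: a programming error, not input
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open returns an error on any change to nonce, ciphertext or tag (GCM is authenticated).
func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Rotate installs a fresh 256-bit KEK and makes it current (5.4(d)); old KEKs stay until rewrapping is done.
func (ks *KeyStore) Rotate(id string) { ks.keks[id], ks.current = randBytes(32), id }

// Destroy retires a KEK (5.4(e)): anything still wrapped under it is now unrecoverable.
func (ks *KeyStore) Destroy(id string) { delete(ks.keks, id) }

// Encrypt draws a fresh DEK per record and wraps it under the current KEK.
func (ks *KeyStore) Encrypt(record []byte) *Envelope {
	dek := randBytes(32)
	return &Envelope{KEKID: ks.current, WrappedDEK: seal(ks.keks[ks.current], dek), Ciphertext: seal(dek, record)}
}

func (ks *KeyStore) unwrap(env *Envelope) ([]byte, error) {
	kek, ok := ks.keks[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q is destroyed or unknown", env.KEKID)
	}
	return open(kek, env.WrappedDEK)
}

func (ks *KeyStore) Decrypt(env *Envelope) ([]byte, error) {
	dek, err := ks.unwrap(env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

// Rewrap re-encrypts only the 60-byte wrapped DEK under the current KEK; Ciphertext is untouched.
func (ks *KeyStore) Rewrap(env *Envelope) error {
	dek, err := ks.unwrap(env)
	if err != nil {
		return err
	}
	env.KEKID, env.WrappedDEK = ks.current, seal(ks.keks[ks.current], dek)
	return nil
}
```

Two checks follow from the example that a rotation runbook should carry: an envelope whose KEKID still points at a destroyed key cannot be recovered, so every envelope must be confirmed rewrapped before Destroy is called; and because GCM authenticates, a modified byte in stored ciphertext is rejected rather than decrypted to garbage, which is the integrity property Section 5.2 relies on.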

5.5 Prohibition. Provider shall not transmit Customer Data in unencrypted form, including via email or unencrypted file transfer, unless expressly authorized in writing by Customer.


ARTICLE 6 — NETWORK SECURITY

6.1 Network Architecture. Provider shall maintain a network architecture that segments Customer Data environments from other environments through firewalls, virtual LANs, or equivalent logical separation.

6.2 Firewall and Perimeter Controls. Provider shall deploy and maintain enterprise-grade firewalls with:

(a) Default-deny ingress and egress rules;
(b) Documented rule sets reviewed at least quarterly;
(c) Intrusion detection and prevention systems ("IDS/IPS") monitoring all traffic to Customer Data environments;
(d) Web application firewalls ("WAFs") protecting Customer-facing applications.

6.3 Network Monitoring. Provider shall implement continuous network monitoring including:

(a) Real-time traffic analysis for anomalous behavior;
(b) NetFlow or equivalent traffic logging;
(c) DNS monitoring and filtering;
(d) Automated alerting for suspicious network activity.

6.4 Wireless Security. Where wireless networks are used in environments that Process Customer Data, Provider shall implement WPA3-Enterprise or equivalent encryption and authentication.

6.5 Remote Access. All remote access to environments containing Customer Data shall require VPN with MFA and shall be logged and monitored.


ARTICLE 7 — APPLICATION SECURITY

7.1 Secure Development Lifecycle. Provider shall maintain a documented Secure Software Development Lifecycle ("SSDLC") that incorporates security at every phase of development, including requirements, design, implementation, testing, deployment, and maintenance.

7.2 OWASP Compliance. Provider shall ensure that all applications that Process Customer Data are developed and tested to address, at minimum, the OWASP Top Ten risks in their most current version.

7.3 Code Review and Testing. Provider shall implement:

(a) Peer code review for all code changes affecting Customer Data processing;
(b) Static Application Security Testing ("SAST") integrated into the CI/CD pipeline;
(c) Dynamic Application Security Testing ("DAST") performed at least quarterly;
(d) Interactive Application Security Testing ("IAST") where feasible;
(e) Software Composition Analysis ("SCA") for all third-party libraries and dependencies.

7.4 Change Management. All changes to production systems Processing Customer Data shall follow a documented change management process including:

(a) Documented change requests with business justification;
(b) Risk and security impact assessment;
(c) Testing in non-production environments;
(d) Segregation of duties between development and production environments;
(e) Rollback procedures for failed changes.

7.5 API Security. Provider shall secure all APIs used to Process Customer Data with authentication, authorization, rate limiting, input validation, and logging.


ARTICLE 8 — VULNERABILITY MANAGEMENT

8.1 Vulnerability Scanning. Provider shall perform automated vulnerability scanning of all systems Processing Customer Data at least weekly and upon deployment of significant changes.

8.2 Remediation Timelines. Provider shall remediate identified vulnerabilities according to the following timelines from the date of detection:

Severity Level            Remediation Timeline        Interim Mitigation
------------------------  --------------------------  --------------------------------
Critical (CVSS 9.0–10.0)  Twenty-four (24) hours      Immediate compensating controls
High (CVSS 7.0–8.9)       Seven (7) calendar days     Within forty-eight (48) hours
Medium (CVSS 4.0–6.9)     Thirty (30) calendar days   Risk acceptance documented
Low (CVSS 0.1–3.9)        Ninety (90) calendar days   Next scheduled maintenance

8.3 Patch Management. Provider shall maintain a documented patch management program that includes:

(a) Monitoring of vendor security advisories and vulnerability databases (NVD, CVE);
(b) Testing of patches in non-production environments before deployment;
(c) Emergency patching procedures for zero-day vulnerabilities;
(d) Documentation of all patches applied and exceptions granted.

8.4 Exception Management. Where a vulnerability cannot be remediated within the timelines specified in Section 8.2, Provider shall document the exception including compensating controls and shall notify Customer of any Critical or High severity exceptions within five (5) Business Days.


ARTICLE 9 — LOGGING, MONITORING, AND AUDIT

9.1 Security Information and Event Management. Provider shall operate a Security Information and Event Management ("SIEM") system that aggregates, correlates, and analyzes security events from all systems Processing Customer Data.

9.2 Log Collection. Provider shall collect and retain logs from, at minimum:

(a) Authentication and authorization events;
(b) Administrative and privileged user activities;
(c) System and application events;
(d) Network traffic and firewall events;
(e) Data access and modification events;
(f) Security tool alerts (IDS/IPS, antivirus, endpoint detection);
(g) Cloud infrastructure events and API calls.

9.3 Log Retention. Security logs shall be retained for a minimum of twelve (12) months in active storage and an additional twelve (12) months in archival storage, for a total retention period of twenty-four (24) months.

9.4 Log Integrity. Provider shall implement controls to ensure the integrity of security logs, including:

(a) Write-once storage or immutable log repositories;
(b) Centralized log collection with restricted access;
(c) Time synchronization across all logging sources using NTP;
(d) Alerting on log tampering or deletion attempts.
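Section 9.4(a) and (d) call for immutable log storage and alerting on tampering or deletion. As an added example that is not part of this Addendum or of any Provider's tooling, the following Go program shows one way a log collector makes those checks concrete: each record's tag is an HMAC over the previous tag, the sequence number and the line, so a rewritten or deleted record breaks the chain at a detectable position, and the published tail tag exposes truncation of the end of the log. The HMAC key, the sample log lines and the "genesis" sentinel are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one security log record plus the tag that chains it to every record before
// it: Tag_i = HMAC-SHA256(key, Tag_{i-1} || "|" || Seq_i || "|" || Line_i).
type Entry struct {
	Seq  int
	Line string
	Tag  string
}

// Chain is an append-only collector. The HMAC key is held by the central collector
// (restricted access, 9.4(b)), never by the hosts emitting lines, so a compromised host
// cannot rewrite a record it already shipped and recompute a valid tag for it.
type Chain struct {
	key     []byte
	entries []Entry
}

func NewChain(key []byte) *Chain { return &Chain{key: key} }

func tag(key []byte, prev string, seq int, line string) string {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%s|%d|%s", prev, seq, line)
	return hex.EncodeToString(mac.Sum(nil))
}

// Append records a line; the previous tag ("genesis" for the first record) is mixed in,
// so every later tag depends on every earlier record.
func (c *Chain) Append(line string) Entry {
	prev := "genesis"
	if n := len(c.entries); n > 0 {
		prev = c.entries[n-1].Tag
	}
	e := Entry{Seq: len(c.entries), Line: line, Tag: tag(c.key, prev, len(c.entries), line)}
	c.entries = append(c.entries, e)
	return e
}

// Entries returns a copy of the log, as an auditor or SIEM export would receive it.
func (c *Chain) Entries() []Entry { return append([]Entry(nil), c.entries...) }

// Verify re-walks a stored copy and returns the index of the first record at which the
// chain breaks, or -1 if it is intact. A rewritten record fails its own tag; a deleted
// record leaves a sequence gap and breaks the next tag. Dropping records only from the
// end still verifies, which is why the tail tag is published separately (LastTag).
func Verify(key []byte, entries []Entry) int {
	prev := "genesis"
	for i, e := range entries {
		if e.Seq != i || !hmac.Equal([]byte(e.Tag), []byte(tag(key, prev, i, e.Line))) {
			return i
		}
		prev = e.Tag
	}
	return -1
}

// LastTag is what the collector writes to write-once storage (9.4(a)) after each batch;
// a stored copy whose last tag differs from the published one has been truncated.
func LastTag(entries []Entry) string {
	if len(entries) == 0 {
		return "genesis"
	}
	return entries[len(entries)-1].Tag
}

func main() {
	key := []byte("constructed demo key: in practice the collector's HSM-backed key")
	c := NewChain(key)
	for _, l := range []string{ // constructed sample lines, not from any real system
		"2024-03-01T10:00:00Z sshd[412]: Accepted publickey for admin from 10.0.0.5",
		"2024-03-01T10:00:07Z sudo: admin : COMMAND=/usr/bin/cat /srv/app/customer.db",
		"2024-03-01T10:00:09Z auditd: DELETE /var/log/auth.log by admin",
	} {
		c.Append(l)
	}
	fmt.Println("intact copy, first bad index:", Verify(key, c.Entries()))
	edited := c.Entries()
	edited[2].Line = strings.Replace(edited[2].Line, "DELETE", "READ", 1) // attacker rewrites the record
	fmt.Println("edited copy, first bad index:", Verify(key, edited))
	fmt.Println("published tail tag:", LastTag(c.Entries())[:16]+"...")
}
```

In deployment the collector's key belongs in the HSM or key management system of Section 5.4(c), the tail tag after each batch goes to the write-once store of 9.4(a), and a Verify result other than -1, or a tail tag that differs from the published one, is the alert condition of 9.4(d). Hash chaining detects tampering after the fact; it does not prevent it, which is why 9.4 also requires immutable storage and restricted access to the collector.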

9.5 Monitoring and Alerting. Provider shall maintain 24/7/365 security monitoring with defined escalation procedures and response times for security alerts. Critical alerts shall be investigated within fifteen (15) minutes of detection.


ARTICLE 10 — DATA SEGREGATION AND RESIDENCY

10.1 Logical Segregation. Customer Data shall be logically segregated from the data of Provider's other customers through database-level, application-level, or equivalent isolation controls.

10.2 Environment Segregation. Provider shall maintain strict separation between production, staging, development, and testing environments. Customer Data shall not be used in non-production environments unless anonymized or pseudonymized and approved in writing by Customer.

10.3 Data Residency. Unless otherwise agreed in writing, Customer Data shall be stored and Processed within the continental United States. Provider shall notify Customer at least sixty (60) days before any change in data storage location.

10.4 Cross-Border Transfers. Provider shall not transfer Customer Data outside the United States without Customer's prior written consent and implementation of appropriate safeguards.


ARTICLE 11 — PENETRATION TESTING

11.1 Annual Penetration Testing. Provider shall engage an independent, qualified third-party firm to conduct penetration testing of all systems Processing Customer Data at least annually. Testing shall include:

(a) External network penetration testing;
(b) Internal network penetration testing;
(c) Web application penetration testing;
(d) API penetration testing;
(e) Social engineering testing (where agreed by the Parties).

11.2 Testing Standards. Penetration tests shall be conducted in accordance with recognized methodologies such as PTES, OWASP Testing Guide, or NIST SP 800-115.

11.3 Reporting. Provider shall deliver a written penetration test report to Customer within thirty (30) days of test completion.

11.4 Remediation. Provider shall remediate all Critical and High severity findings from penetration tests within the timelines specified in Article 8 and shall provide evidence of remediation to Customer.

11.5 Customer Testing. Customer may, upon sixty (60) days' prior written notice and at Customer's expense, conduct its own penetration testing of Provider systems that Process Customer Data, subject to reasonable scope and scheduling coordination.


ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY

12.1 Business Continuity Plan. Provider shall maintain a documented Business Continuity Plan ("BCP") that addresses the continued availability of services and protection of Customer Data during and after disruptive events.

12.2 Disaster Recovery Plan. Provider shall maintain a documented Disaster Recovery Plan ("DRP") that includes:

(a) Recovery Point Objective (RPO): Maximum data loss of [____] hours;
(b) Recovery Time Objective (RTO): Maximum service downtime of [____] hours;
(c) Defined recovery procedures for all critical systems;
(d) Communication protocols for notifying Customer during a disruptive event;
(e) Designated recovery sites with documented failover procedures.

12.3 Testing. Provider shall test the BCP and DRP at least annually through tabletop exercises and at least once every two (2) years through a full functional recovery test. Test results shall be shared with Customer upon request.

12.4 Backups. Provider shall perform regular backups of Customer Data at intervals consistent with the RPO. Backups shall be encrypted, stored in a geographically separate location, and tested for restorability at least quarterly.

12.5 Resilience. Provider shall design systems Processing Customer Data with appropriate redundancy to eliminate single points of failure.


ARTICLE 13 — INCIDENT RESPONSE AND COLORADO BREACH NOTIFICATION

13.1 Incident Response Plan. Provider shall maintain a documented Incident Response Plan ("IRP") that includes:

(a) Defined incident classification and severity levels;
(b) Escalation procedures and contact information;
(c) Roles and responsibilities of incident response team members;
(d) Containment, eradication, and recovery procedures;
(e) Evidence preservation and chain-of-custody protocols;
(f) Post-incident review and lessons learned procedures.

13.2 Notification to Customer. Provider shall notify Customer of any Incident as follows:

(a) Confirmed Security Breach: Within twenty-four (24) hours of confirmation;
(b) Suspected Security Breach: Within forty-eight (48) hours of detection;
(c) Other Security Incidents: Within seventy-two (72) hours of detection.

Notification shall include the nature and scope of the Incident, the types of Customer Data affected, measures taken to contain and remediate, and a designated point of contact.

13.3 Colorado Breach Notification Requirements (C.R.S. § 6-1-716).

(a) Trigger. Notification is required upon unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of Personal Information maintained by a covered entity.

(b) Timeline — STRICT 30-DAY DEADLINE. Notice to affected Colorado residents must be made in the most expedient time possible and without unreasonable delay, but NOT LATER THAN THIRTY (30) DAYS after the date of determination that a Security Breach occurred. This is among the shortest breach notification deadlines in the United States. Provider acknowledges this strict timeline and shall implement processes to ensure compliance.

(c) Attorney General Notification. If the Security Breach affects five hundred (500) or more Colorado residents, Provider shall submit notice to the Colorado Attorney General. The notice to the Attorney General shall not be delayed pending notice to individuals.

(d) Credit Reporting Agency Notification. If the Security Breach affects one thousand (1,000) or more Colorado residents, Provider shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

(e) Content of Notice. Notification to affected individuals shall include:

  • The date, estimated date, or estimated date range of the Security Breach;
  • A description of the Personal Information that was acquired or reasonably believed to have been acquired;
  • Information about steps individuals can take to protect themselves, including toll-free numbers, addresses, and websites for the Federal Trade Commission and consumer reporting agencies;
  • Provider's contact information for inquiries, including a toll-free telephone number, email address, and mailing address;
  • A statement regarding the availability of credit monitoring or identity theft prevention services, if offered.

(f) Methods of Notice. Notice may be provided by:

  • Written notice;
  • Electronic notice (if consistent with 15 U.S.C. § 7001 (E-SIGN Act));
  • Telephonic notice;
  • Substitute notice, if the cost exceeds $250,000, more than 250,000 Colorado residents must be notified, or insufficient contact information is available.

(g) Encryption Safe Harbor. Notification is not required if the Personal Information was encrypted, redacted, or secured by any method rendering it unreadable or unusable, unless the encryption key or other means to decipher the data was also acquired, or is reasonably believed to have been acquired, in the Security Breach. Provider's Incident investigation shall therefore establish whether key material was exposed before either Party relies on this safe harbor.

(h) Penalties. Under C.R.S. § 6-1-112, violations may result in civil penalties of up to $20,000 per violation, and the statute no longer caps the total penalty for a related series of violations. The Attorney General may also seek injunctive relief and other appropriate relief.

13.4 Cooperation. Provider shall fully cooperate with Customer in investigating and responding to any Incident, including providing access to relevant logs, personnel, and systems. Provider shall preserve all evidence for a minimum of three (3) years.

13.5 Responsibility. Provider shall bear all costs and expenses arising from any Security Breach caused by Provider's failure to comply with this Addendum.


ARTICLE 14 — SUBPROCESSOR MANAGEMENT

14.1 Prior Approval. Provider shall not engage any Subprocessor to Process Customer Data without Customer's prior written approval. Provider shall maintain and provide to Customer a current list of all approved Subprocessors.

14.2 CPA Subprocessor Requirements. Consistent with C.R.S. § 6-1-1305(4)(c), Provider shall not engage a Subprocessor without a written contract that requires the Subprocessor to meet the obligations of Provider with respect to Customer Data.

14.3 Due Diligence. Before engaging any Subprocessor, Provider shall conduct due diligence to verify that the Subprocessor can meet security requirements at least as protective as those set forth in this Addendum.

14.4 Contractual Requirements. Provider shall enter into a written agreement with each Subprocessor that imposes data protection and security obligations no less stringent than those in this Addendum, including compliance with applicable Colorado law.

14.5 Ongoing Monitoring. Provider shall monitor each Subprocessor's compliance with its contractual obligations at least annually and shall promptly notify Customer of any material deficiency.

14.6 Liability. Provider shall remain fully liable for the acts and omissions of its Subprocessors with respect to Customer Data as if such acts and omissions were Provider's own.

14.7 Objection Right. Customer may object to any proposed Subprocessor within fifteen (15) Business Days of receiving notice. If Customer objects and Provider cannot reasonably accommodate the objection, either Party may terminate the affected services upon thirty (30) days' written notice.


ARTICLE 15 — PERSONNEL SECURITY

15.1 Background Checks. Provider shall conduct background checks on all personnel with access to Customer Data prior to granting access, to the extent permitted by Colorado law, including C.R.S. § 8-2-126.

15.2 Security Training. Provider shall provide security awareness training to all personnel at onboarding and at least annually thereafter. Training shall cover:

(a) Information security policies and procedures;
(b) Identification and reporting of security incidents;
(c) Phishing and social engineering awareness;
(d) Data handling and classification requirements;
(e) Colorado Privacy Act compliance obligations and Consumer rights.

15.3 Confidentiality Agreements. All Provider personnel and contractors with access to Customer Data shall execute confidentiality or non-disclosure agreements before being granted access.

15.4 Disciplinary Measures. Provider shall maintain and enforce disciplinary procedures for personnel who violate security policies, up to and including termination of employment.

15.5 Offboarding. Provider shall implement offboarding procedures that ensure all access to Customer Data is revoked within twenty-four (24) hours of personnel departure or role change.


ARTICLE 16 — PHYSICAL SECURITY

16.1 Data Center Security. All facilities where Customer Data is stored or Processed shall implement, at minimum:

(a) 24/7 on-site security personnel or equivalent monitoring;
(b) Access control systems requiring badge, biometric, or multi-factor authentication;
(c) Visitor management and escort procedures;
(d) Video surveillance with a minimum retention period of ninety (90) days;
(e) Intrusion detection and alarm systems;
(f) Environmental controls (fire suppression, HVAC, water detection);
(g) Redundant power with UPS and generator backup.

16.2 Media Handling. Physical media containing Customer Data shall be encrypted, tracked, transported in tamper-evident containers, and destroyed in accordance with Article 21 when no longer needed.

16.3 Clean Desk Policy. Provider shall enforce a clean desk policy in all areas where Customer Data may be accessed.


ARTICLE 17 — INSURANCE

17.1 Required Coverage. Provider shall maintain the following insurance coverages throughout the term of the Master Agreement and for three (3) years following termination:

(a) Cyber Liability / Technology E&O Insurance: Minimum $5,000,000 per occurrence and in the aggregate;
(b) Professional Liability / E&O Insurance: Minimum $2,000,000 per occurrence and in the aggregate;
(c) Commercial General Liability Insurance: Minimum $1,000,000 per occurrence and $2,000,000 aggregate;
(d) Workers' Compensation Insurance: As required by Colorado law (C.R.S. § 8-40-101 et seq.).

17.2 Policy Requirements. All policies shall be issued by carriers with an AM Best rating of A- VII or better, name Customer as additional insured where applicable, and provide thirty (30) days' prior notice of cancellation.

17.3 Certificates of Insurance. Provider shall deliver certificates of insurance upon execution and annually thereafter.


ARTICLE 18 — AUDIT RIGHTS

18.1 Audit Right. Customer shall have the right to audit Provider's compliance with this Addendum upon thirty (30) days' notice, no more than once per calendar year (except following an Incident).

18.2 CPA Audit Obligation. Consistent with C.R.S. § 6-1-1305(4)(e), Provider shall make available to Customer all information necessary to demonstrate compliance with the CPA and shall allow and cooperate with reasonable assessments by Customer or Customer's designated assessor.

18.3 Scope. Audits may include review of security policies, access records, vulnerability scan results, incident records, Subprocessor agreements, training records, and CPA compliance documentation.

18.4 Third-Party Audit Reports. Provider shall make available current copies of SOC 2 Type II reports, ISO 27001 certifications, penetration test summaries, and other relevant assessments.

18.5 Remediation. Provider shall remediate audit deficiencies within thirty (30) days, and critical deficiencies within fifteen (15) days.


ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING

19.1 Security Officer. Provider shall designate a CISO or equivalent with responsibility for the security program.

19.2 Reporting to Customer. Provider shall deliver quarterly security reports, annual security assessments, and incident reports as required, and shall deliver ad hoc reports upon reasonable request.

19.3 Security Meetings. The Parties shall conduct security review meetings at least semi-annually.


ARTICLE 20 — DATA RETURN AND DESTRUCTION

20.1 Data Return. Upon termination or upon request, Provider shall return all Customer Data in an industry-standard format within thirty (30) days.

20.2 Data Destruction. Following return, Provider shall destroy all copies within sixty (60) days per NIST SP 800-88 Rev. 1. Provider shall deliver a written certification of destruction within ten (10) Business Days of completion.

20.3 Destruction Methods. Acceptable destruction methods are cryptographic erasure, degaussing, physical destruction, cross-cut shredding (DIN 66399 Level P-4), or cryptographic key destruction for cloud data.

20.4 CPA Deletion Obligation. Consistent with CPA requirements, Provider shall implement technical capabilities to support deletion of Personal Data upon Customer's instruction in response to Consumer deletion requests under C.R.S. § 6-1-1306(1)(c).

20.5 Retention Exception. Provider may retain data only as required by law, subject to ongoing security obligations.


ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES

21.1 Provider Indemnification. Provider shall indemnify, defend, and hold harmless Customer from all claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from:

(a) Any Security Breach caused by Provider's failure to comply with this Addendum;
(b) Any violation of C.R.S. § 6-1-716 attributable to Provider;
(c) Any violation of the CPA attributable to Provider's Processing of Customer Data;
(d) Any regulatory fines, penalties, or enforcement actions resulting from Provider's acts or omissions.

21.2 Customer Indemnification. Customer shall indemnify Provider from claims arising from Customer's provision of data in violation of law, or instructions that cause Provider to violate law, provided Provider has complied with this Addendum.

21.3 Indemnification Procedures. Indemnification under this Article is conditioned on prompt notice of the claim, sole control of the defense by the indemnifying Party, and reasonable cooperation between the Parties.


ARTICLE 22 — COLORADO-SPECIFIC LEGAL PROVISIONS

22.1 Colorado Privacy Act (CPA) Compliance — Data Processing Agreement

This Section 22.1 constitutes the data processing agreement required under C.R.S. § 6-1-1305(4) between Customer (as Controller) and Provider (as Processor).

(a) Processing Instructions. Pursuant to C.R.S. § 6-1-1305(4)(a), Provider shall Process Personal Data only in accordance with Customer's documented instructions, including with respect to transfers of Personal Data to a third country or international organization. Provider shall immediately inform Customer if, in Provider's opinion, an instruction violates the CPA.

(b) Duty of Confidentiality. Pursuant to C.R.S. § 6-1-1305(4)(b), Provider shall ensure that each person Processing Personal Data is subject to a duty of confidentiality with respect to the data.

(c) Subprocessor Restrictions. Pursuant to C.R.S. § 6-1-1305(4)(c), Provider shall engage Subprocessors only with Customer's written consent and pursuant to a written contract that requires the Subprocessor to meet Provider's obligations with respect to Personal Data, as set forth in Article 14.

(d) Security Measures. Pursuant to C.R.S. § 6-1-1305(4)(d), Provider shall implement appropriate technical and organizational measures to assist Customer in the fulfillment of Customer's obligation to respond to Consumer rights requests under C.R.S. § 6-1-1306, taking into account the nature of Processing and the information available to Provider.

(e) Audit and Compliance Assistance. Pursuant to C.R.S. § 6-1-1305(4)(e), Provider shall make available to Customer all information necessary to demonstrate compliance with the CPA and shall allow and cooperate with reasonable assessments by Customer or Customer's designated assessor. Provider shall immediately inform Customer if an assessment reveals noncompliance.

(f) Data Protection Assessment Support. Provider shall provide reasonable assistance to Customer in conducting Data Protection Assessments required under C.R.S. § 6-1-1309 for Processing activities that present a heightened risk of harm, including:

  • Processing for Targeted Advertising;
  • Sale of Personal Data;
  • Processing for purposes of Profiling that presents a risk of unfair or deceptive treatment, unlawful disparate impact, financial or physical injury, intrusion upon seclusion, or other substantial injury;
  • Processing of Sensitive Data.

22.2 CPA Consumer Rights Implementation

Provider shall implement technical capabilities to assist Customer in fulfilling Consumer rights under C.R.S. § 6-1-1306, including:

(a) Right to Opt Out. Assist Customer in processing Consumer opt-out requests for:

  • Targeted Advertising;
  • Sale of Personal Data;
  • Profiling in furtherance of decisions that produce legal or similarly significant effects.

(b) Right to Access. Provide Consumer's Personal Data to Customer in a portable, readily usable format upon Customer's request.

(c) Right to Correction. Correct inaccurate Personal Data upon Customer's instruction.

(d) Right to Deletion. Delete Consumer's Personal Data upon Customer's instruction, subject to applicable retention requirements.

(e) Universal Opt-Out Mechanism. Provider shall implement technical support for Universal Opt-Out Mechanisms as required under 4 CCR 904-3, enabling Customer to comply with Universal Opt-Out obligations.

(f) Response Timeline. Provider shall assist Customer in responding to Consumer rights requests within the forty-five (45)-day response period required under the CPA, with one forty-five (45)-day extension permitted where reasonably necessary.

22.3 CPA Sensitive Data Processing

(a) Provider shall not Process Sensitive Data without Customer's prior written authorization.
(b) Customer represents that it has obtained the Consumer's affirmative, freely given, specific, informed, and unambiguous opt-in consent before directing Provider to Process Sensitive Data.
(c) Provider shall implement enhanced technical and organizational safeguards for Sensitive Data, including additional access restrictions, enhanced encryption, and audit logging.

22.4 CPA Enforcement Provisions

(a) No Cure Period. The Parties acknowledge that effective January 1, 2025, the sixty (60)-day cure period is no longer required under the CPA. The Colorado Attorney General and District Attorneys may bring enforcement actions without first providing an opportunity to cure.

(b) Attorney General Enforcement. The CPA is enforced exclusively by the Colorado Attorney General and District Attorneys. There is no private right of action.

(c) Proactive Compliance. Given the elimination of the cure period, Provider shall proactively maintain compliance with the CPA and immediately remediate any identified compliance deficiencies.

22.5 Colorado Trade Secret Protections

Provider acknowledges that Customer Data may contain Trade Secrets as defined by the Colorado Uniform Trade Secrets Act (C.R.S. §§ 7-74-101 through 7-74-110). Provider shall:

(a) Implement measures to prevent Trade Secrets from becoming available to unauthorized persons;
(b) Limit access to Trade Secrets to personnel with a demonstrated need to know;
(c) Not use Trade Secrets for any purpose other than performing services under the Master Agreement;
(d) Cooperate with Customer in seeking injunctive relief under C.R.S. § 7-74-103 if unauthorized disclosure occurs.

22.6 Governing Law and Forum

(a) This Addendum shall be governed by and construed in accordance with the laws of the State of Colorado, without regard to conflict-of-law principles.

(b) Any dispute arising out of or relating to this Addendum shall be subject to the exclusive jurisdiction of the state and federal courts located in the City and County of Denver, Colorado.

(c) JURY WAIVER. EACH PARTY HEREBY WAIVES, TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, ANY RIGHT TO TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS ADDENDUM.

22.7 Late Payment

Any amounts due under this Addendum that are not paid when due shall accrue interest at the rate of eight percent (8%) per annum, consistent with C.R.S. § 5-12-101, or the maximum rate permitted by law, whichever is less.


ARTICLE 23 — ELECTRONIC SIGNATURES

23.1 Validity. This Addendum may be executed by electronic signature in accordance with the Colorado Uniform Electronic Transactions Act (C.R.S. §§ 24-71.3-101 et seq.) and the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq.).

23.2 Legal Effect. Electronic signatures shall have the same legal force and effect as original handwritten signatures.

23.3 Consent. By executing electronically, each Party consents to the use of electronic signatures.

23.4 Retention. Each Party shall retain an electronic copy in accordance with applicable requirements.


ARTICLE 24 — GENERAL PROVISIONS

24.1 Entire Agreement. This Addendum, together with the Master Agreement, constitutes the entire agreement between the Parties with respect to information security and data protection.

24.2 Amendments. This Addendum may be amended only by a written instrument executed by both Parties.

24.3 Severability. If any provision is held invalid, the remaining provisions remain in effect.

24.4 Waiver. No waiver shall be effective unless in writing.

24.5 Notices. All notices shall be in writing and delivered to the addresses in the Master Agreement.

24.6 Term. This Addendum remains in effect for the duration of the Master Agreement and survives termination with respect to remaining Customer Data.

24.7 Counterparts. This Addendum may be executed in counterparts.


EXECUTION

IN WITNESS WHEREOF, the Parties have caused this Enterprise Security Addendum to be executed by their duly authorized representatives as of the Addendum Effective Date.

CUSTOMER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

PROVIDER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]


SCHEDULE A — SECURITY CONTACTS

Role                          | Customer                           | Provider
Primary Security Contact      | [________________________________] | [________________________________]
Secondary Security Contact    | [________________________________] | [________________________________]
Incident Response Lead        | [________________________________] | [________________________________]
Privacy Officer / CPA Contact | [________________________________] | [________________________________]
Executive Escalation          | [________________________________] | [________________________________]

SCHEDULE B — APPROVED SUBPROCESSORS

Subprocessor Name                  | Services Provided                  | Data Processed                     | Location                           | Approval Date
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]

SCHEDULE C — CPA PROCESSING DETAILS

Categories of Personal Data Processed: [________________________________]

Categories of Consumers: [________________________________]

Nature and Purpose of Processing: [________________________________]

Duration of Processing: [________________________________]

Sensitive Data Categories (if applicable): [________________________________]


PRE-EXECUTION CHECKLIST

☐ Master Agreement fully executed and referenced above
☐ All blanks and variable fields completed
☐ RPO and RTO values agreed upon and inserted in Article 12
☐ Approved Subprocessor list completed in Schedule B
☐ Security contact information completed in Schedule A
☐ CPA Processing details completed in Schedule C
☐ Insurance certificates obtained and reviewed
☐ Provider's current SOC 2 Type II or ISO 27001 certification reviewed
☐ CPA applicability assessment completed
☐ Data Protection Assessment requirements evaluated
☐ Universal Opt-Out Mechanism compliance verified
☐ Colorado-licensed counsel review completed
☐ Both Parties' authorized signatories confirmed


SOURCES AND REFERENCES

  1. Colorado Privacy Act — C.R.S. §§ 6-1-1301 through 6-1-1314
    https://coag.gov/resources/colorado-privacy-act/

  2. Colorado Privacy Act Rules — 4 CCR 904-3
    https://coag.gov/app/uploads/2022/10/CPA_Final-Draft-Rules-9.29.22.pdf

  3. Colorado Data Breach Notification — C.R.S. § 6-1-716
    https://codes.findlaw.com/co/title-6-consumer-and-commercial-affairs/co-rev-st-sect-6-1-716/

  4. Colorado Attorney General — Data Protection Laws FAQ
    https://coag.gov/resources/data-protection-laws/

  5. Colorado Uniform Trade Secrets Act — C.R.S. §§ 7-74-101 through 7-74-110
    https://law.justia.com/codes/colorado/title-7/trade-secrets/

  6. Colorado Uniform Electronic Transactions Act — C.R.S. §§ 24-71.3-101 et seq.

  7. NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization
    https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final

  8. NIST Cybersecurity Framework 2.0
    https://www.nist.gov/cyberframework

  9. ISO/IEC 27001:2022 — Information Security Management Systems
    https://www.iso.org/standard/27001

  10. OWASP Top Ten
    https://owasp.org/www-project-top-ten/


Last updated: March 2026