
Enterprise Security Addendum — Connecticut


ENTERPRISE SECURITY ADDENDUM

Connecticut Jurisdictional Version

Addendum Effective Date: [__/__/____]

Master Agreement Reference: [________________________________]

Master Agreement Date: [__/__/____]


RECITALS

WHEREAS, the entity identified as "Customer" ("[________________________________]," a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________]) and the entity identified as "Provider" ("[________________________________]," a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________]) have entered into the Master Agreement referenced above (the "Master Agreement");

WHEREAS, Provider will Process, store, transmit, or otherwise have access to Customer Data, including Personal Information and Personal Data as defined under Connecticut law, in connection with the services described in the Master Agreement;

WHEREAS, the Connecticut Data Privacy Act (Conn. Gen. Stat. §§ 42-515 through 42-525, effective July 1, 2023) establishes comprehensive consumer data privacy rights and imposes obligations on Controllers and Processors, including requirements for data processing agreements and universal opt-out mechanisms;

WHEREAS, Connecticut's data breach notification statute (Conn. Gen. Stat. § 36a-701b) imposes a sixty (60)-day notification timeline and requires identity theft prevention and mitigation services;

WHEREAS, the Parties desire to establish the security standards, controls, and obligations that Provider shall maintain and to satisfy the data processing agreement requirements of the CTDPA;

NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein and in the Master Agreement, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:


ARTICLE 1 — DEFINITIONS

1.1 "Authorized User" means any individual who has been granted access to Customer Data by Customer or through Customer's authorization, including employees, contractors, and agents operating under appropriate access controls.

1.2 "Business Day" means any day other than a Saturday, Sunday, or day on which banks in the State of Connecticut are authorized or required to be closed.

1.3 "Confidential Information" means all non-public information disclosed by either Party to the other, including but not limited to Trade Secrets as defined under Conn. Gen. Stat. § 35-51, Customer Data, business plans, technical specifications, and security configurations.

1.4 "Consumer" means an individual who is a Connecticut resident acting only in an individual or household context, excluding individuals acting in a commercial or employment context, as defined under the CTDPA.

1.5 "Controller" means a person that, alone or jointly with others, determines the purposes and means of Processing Personal Data, as defined under the CTDPA.

1.6 "CTDPA" or "Connecticut Data Privacy Act" means Conn. Gen. Stat. §§ 42-515 through 42-525 (Public Act 22-15), effective July 1, 2023, as amended from time to time.

1.7 "Customer Data" means all data, records, files, information, and materials provided by or on behalf of Customer or collected or generated by Provider on behalf of Customer in the course of performing services under the Master Agreement.

1.8 "Data Protection Assessment" means an assessment of Processing activities that present a heightened risk of harm to Consumers, as required under the CTDPA.

1.9 "De-Identified Data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, provided the Controller possesses and uses reasonable technical and organizational safeguards to prevent re-identification, publicly commits not to re-identify the data, and contractually obligates recipients not to re-identify.

1.10 "Encryption" means the transformation of data into a form in which meaning cannot be assigned without the use of a decryption key, using methods consistent with current industry standards including AES-256 for data at rest and TLS 1.2 or higher for data in transit.

1.11 "Incident" means any event that results in, or has the reasonable potential to result in, unauthorized access to, disclosure of, or loss of Customer Data, including Security Breaches.

1.12 "Multi-Factor Authentication" or "MFA" means an authentication mechanism requiring at least two distinct factors from: (a) something the user knows; (b) something the user possesses; and (c) something the user is.

1.13 "Personal Data" means any information that is linked or reasonably linkable to an identified or identifiable individual, as defined under the CTDPA. Personal Data does not include De-Identified Data or publicly available information.

1.14 "Personal Information" means, as defined under Conn. Gen. Stat. § 36a-701b, a Connecticut resident's first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not encrypted or secured: (a) Social Security number; (b) taxpayer identification number; (c) identity protection personal identification number issued by the IRS; (d) driver's license number or state identification card number; (e) passport number; (f) military identification number; (g) other identification number issued by a government entity used to verify identity; (h) credit or debit card number; (i) financial account number in combination with access code or password; (j) medical information; (k) health insurance policy number or subscriber identification number; (l) biometric data; (m) individual taxpayer identification number.

1.15 "Process" or "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, use, storage, disclosure, analysis, deletion, or modification.

1.16 "Processor" means a person that Processes Personal Data on behalf of a Controller, as defined under the CTDPA.

1.17 "Profiling" means any form of automated Processing performed on Personal Data to evaluate, analyze, or predict personal aspects of an individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

1.18 "Security Breach" means unauthorized access to, or unauthorized acquisition of, electronic files, media, databases, or computerized data containing Personal Information, where access to the Personal Information has not been secured by encryption or any other method rendering the information unreadable or unusable.

1.19 "Sensitive Data" means Personal Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; Processing of genetic data or biometric data for the purpose of uniquely identifying a natural person; Personal Data collected from a known child; or precise geolocation data, as defined under the CTDPA.

1.20 "Subprocessor" means any third party engaged by Provider to Process Customer Data on behalf of Customer.

1.21 "Targeted Advertising" means displaying advertisements to a Consumer where the advertisement is selected based on Personal Data obtained from that Consumer's activities over time and across nonaffiliated websites or online applications.

1.22 "Trade Secret" means information as defined under Conn. Gen. Stat. § 35-51(d), including a formula, pattern, compilation, program, device, method, technique, process, drawing, cost data, or customer list that derives independent economic value from not being generally known and is the subject of reasonable efforts to maintain its secrecy.

1.23 "Universal Opt-Out Mechanism" means a mechanism that clearly communicates a Consumer's choice to opt out of Processing for Targeted Advertising or sale, as required under the CTDPA effective January 1, 2025.


ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE

2.1 Scope. This Addendum applies to all Customer Data that Provider Processes, accesses, stores, transmits, or otherwise handles in connection with the Master Agreement. This Addendum also constitutes the data processing agreement required under the CTDPA.

2.2 Order of Precedence. In the event of a conflict between this Addendum and the Master Agreement, this Addendum shall control with respect to information security, data protection, and privacy matters. In the event of a conflict between this Addendum and applicable Connecticut law, applicable law shall control.

2.3 Minimum Standards. The requirements in this Addendum establish minimum standards.

2.4 Regulatory Changes. Provider shall monitor changes to Connecticut law, including CTDPA amendments and Attorney General enforcement guidance, and shall notify Customer within thirty (30) days of any material change.


ARTICLE 3 — INFORMATION SECURITY PROGRAM

3.1 Comprehensive Security Program. Provider shall establish, implement, and maintain a written information security program ("ISP") that includes administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, use, disclosure, alteration, or destruction.

3.2 Framework Alignment. Provider's ISP shall be aligned with one or more of the following:

☐ ISO/IEC 27001:2022 — Information Security Management System
☐ SOC 2 Type II — Trust Services Criteria
☐ NIST Cybersecurity Framework (CSF) 2.0
☐ NIST SP 800-53 Rev. 5
☐ CIS Controls v8

3.3 CTDPA Security Obligations. Consistent with the CTDPA, Provider shall implement appropriate technical and organizational measures to assist Customer in meeting Customer's obligations in relation to the security of Processing Personal Data, taking into account the nature of Processing and the information available to Provider.

3.4 Risk Assessment. Provider shall conduct comprehensive risk assessments at least annually. Assessments shall identify threats, evaluate likelihood and impact, document risk treatment, and be reviewed by senior security leadership.

3.5 Security Policies. Provider shall maintain documented security policies covering access control, encryption, incident response, vulnerability management, change management, acceptable use, data classification, and business continuity. Policies shall be reviewed and, where necessary, updated at least annually.


ARTICLE 4 — ACCESS CONTROLS

4.1 Role-Based Access Control. Provider shall implement RBAC limiting access to personnel whose job functions require it.

4.2 Principle of Least Privilege. Need-to-know access. No standing administrative access where just-in-time access is feasible.

4.3 Multi-Factor Authentication. MFA required for all remote access, privileged access, security infrastructure, cloud consoles, and VPN connections.

4.4 Authentication Standards. Fourteen (14) character minimum passwords, lockout after five (5) failed attempts, fifteen (15) minute privileged session timeout, no shared accounts.

4.5 Access Reviews. Quarterly for all access; monthly for privileged access; twenty-four (24) hours for termination; five (5) Business Days for role changes.

4.6 Access Logging. All access logged with identity, timestamp, data accessed, and actions. Twelve (12) month minimum retention.


ARTICLE 5 — ENCRYPTION STANDARDS

5.1 Data in Transit. TLS 1.2 or higher with forward secrecy. TLS 1.0 and 1.1 prohibited.

5.2 Data at Rest. AES-256 or equivalent for all Customer Data including databases, backups, file systems, removable media, and workstations.

5.3 Connecticut Encryption Safe Harbor. Under Conn. Gen. Stat. § 36a-701b, data secured by encryption or any method rendering it unreadable or unusable is excluded from breach notification requirements. Provider shall maintain encryption at all times.

5.4 Key Management. Cryptographically secure generation, separation of duties, HSM storage, annual rotation, secure destruction of retired keys.

5.5 Prohibition. No unencrypted transmission of Customer Data without Customer's express written authorization.


ARTICLE 6 — NETWORK SECURITY

6.1 Network Architecture. Segmented environments for Customer Data with firewalls, VLANs, or equivalent logical separation.

6.2 Firewall and Perimeter Controls. Default-deny rules, quarterly rule review, IDS/IPS, and WAFs.

6.3 Network Monitoring. Continuous monitoring with real-time traffic analysis, NetFlow logging, DNS monitoring, and automated alerting.

6.4 Wireless Security. WPA3-Enterprise or equivalent for Customer Data environments.

6.5 Remote Access. VPN with MFA, logged and monitored.


ARTICLE 7 — APPLICATION SECURITY

7.1 Secure Development Lifecycle. Documented SSDLC incorporating security at every phase.

7.2 OWASP Compliance. Address OWASP Top Ten in all applications Processing Customer Data.

7.3 Code Review and Testing. Peer review, SAST in CI/CD, quarterly DAST, IAST where feasible, SCA for dependencies.

7.4 Change Management. Documented requests, risk assessment, non-production testing, segregation of duties, rollback procedures.

7.5 API Security. Authentication, authorization, rate limiting, input validation, and logging.


ARTICLE 8 — VULNERABILITY MANAGEMENT

8.1 Vulnerability Scanning. Weekly automated scans and upon significant changes.

8.2 Remediation Timelines.

Severity Level | Remediation Timeline | Interim Mitigation
Critical (CVSS 9.0–10.0) | Twenty-four (24) hours | Immediate compensating controls
High (CVSS 7.0–8.9) | Seven (7) calendar days | Within forty-eight (48) hours
Medium (CVSS 4.0–6.9) | Thirty (30) calendar days | Risk acceptance documented
Low (CVSS 0.1–3.9) | Ninety (90) calendar days | Next scheduled maintenance

8.3 Patch Management. Monitor advisories, test before deployment, emergency procedures for zero-days, documentation.

8.4 Exception Management. Documented exceptions with compensating controls. Customer notified of Critical/High exceptions within five (5) Business Days.


ARTICLE 9 — LOGGING, MONITORING, AND AUDIT

9.1 SIEM. Centralized SIEM system aggregating and correlating security events.

9.2 Log Collection. Authentication, privileged activities, system events, network traffic, data access, security alerts, and cloud API events.

9.3 Log Retention. Twelve (12) months active, twelve (12) months archival, twenty-four (24) months total.

9.4 Log Integrity. Write-once storage, restricted access, NTP synchronization, tamper alerting.

9.5 Monitoring and Alerting. 24/7/365 monitoring. Critical alerts investigated within fifteen (15) minutes.


ARTICLE 10 — DATA SEGREGATION AND RESIDENCY

10.1 Logical Segregation. Customer Data segregated at database, application, or equivalent level.

10.2 Environment Segregation. No Customer Data in non-production without anonymization and Customer approval.

10.3 Data Residency. Continental United States unless otherwise agreed in writing. Sixty (60) days' notice before location changes.

10.4 Cross-Border Transfers. Prior written consent and appropriate safeguards required.


ARTICLE 11 — PENETRATION TESTING

11.1 Annual Testing. Independent third-party testing of external, internal, web application, and API components.

11.2 Standards. PTES, OWASP Testing Guide, or NIST SP 800-115.

11.3 Reporting. Written report to Customer within thirty (30) days.

11.4 Remediation. Critical and High findings per Article 8 timelines.

11.5 Customer Testing. Permitted upon sixty (60) days' notice at Customer's expense.


ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY

12.1 Business Continuity Plan. Documented BCP for continued service availability and Customer Data protection.

12.2 Disaster Recovery Plan. Including:

(a) Recovery Point Objective (RPO): Maximum data loss of [____] hours;
(b) Recovery Time Objective (RTO): Maximum service downtime of [____] hours;
(c) Recovery procedures, communication protocols, and failover sites.

12.3 Testing. Annual tabletop exercises. Full functional test every two (2) years.

12.4 Backups. Encrypted, geographically separate, quarterly restorability testing.

12.5 Resilience. Redundant network paths, power, and storage to eliminate single points of failure.


ARTICLE 13 — INCIDENT RESPONSE AND CONNECTICUT BREACH NOTIFICATION

13.1 Incident Response Plan. Documented IRP with classification, escalation, containment, eradication, recovery, evidence preservation, and post-incident review.

13.2 Notification to Customer. Provider shall notify Customer:

(a) Confirmed Security Breach: Within twenty-four (24) hours of confirmation;
(b) Suspected Security Breach: Within forty-eight (48) hours of detection;
(c) Other Security Incidents: Within seventy-two (72) hours of detection.

13.3 Connecticut Breach Notification Requirements (Conn. Gen. Stat. § 36a-701b).

(a) Trigger. Notification is required upon unauthorized access to or unauthorized acquisition of electronic files, media, databases, or computerized data containing Personal Information, where access to the Personal Information has not been secured by encryption or other method rendering it unreadable or unusable.

(b) Timeline. Notice to affected Connecticut residents must be provided without unreasonable delay but no later than sixty (60) days from the date of discovery of the Security Breach.

(c) Attorney General Notification. Provider shall notify the Connecticut Attorney General no later than the time when affected residents are notified. The Attorney General notice must be submitted through the AG's online reporting portal.

(d) Credit Reporting Agency Notification. If the Security Breach affects more than five thousand (5,000) Connecticut residents, Provider shall also notify all consumer credit reporting agencies.

(e) Content of Notice. Notification to affected individuals shall include:
- A description of the incident in general terms;
- The type of Personal Information that was subject to the breach;
- General actions taken by Provider to protect the affected Personal Information from further unauthorized access;
- Contact information for Provider, including a toll-free telephone number;
- Advice to individuals to remain vigilant regarding account statements, credit reports, and explanations of benefits;
- Contact information for the Federal Trade Commission and the Connecticut Attorney General.

(f) Identity Theft Prevention and Mitigation Services. If a Connecticut resident's Social Security number or taxpayer identification number is compromised, Provider MUST offer identity theft prevention and mitigation services for a minimum of twenty-four (24) months at no cost to the affected individual. Services shall include, at minimum:
- Credit monitoring;
- Identity theft insurance;
- Identity restoration services.

(g) Methods of Notice. Notice may be provided by written notice, electronic notice (consistent with the federal E-SIGN Act), or telephonic notice. Substitute notice may be used where the cost of providing notice would exceed $250,000, where more than 500,000 persons would need to be notified, or where Provider lacks sufficient contact information for the affected individuals.

(h) Risk of Harm Exemption. Notification is not required if, after investigation and consultation with law enforcement, Provider reasonably determines the breach will not likely result in harm to affected individuals. Documentation of such determination must be maintained for five (5) years.

(i) CUTPA Enforcement. Failure to comply with Conn. Gen. Stat. § 36a-701b constitutes a violation of the Connecticut Unfair Trade Practices Act (Conn. Gen. Stat. § 42-110a et seq.), exposing Provider to CUTPA penalties, injunctive relief, and private rights of action.

13.4 Cooperation. Provider shall cooperate fully with Customer and preserve all evidence for a minimum of three (3) years.

13.5 Responsibility. Provider shall bear all costs arising from Security Breaches caused by Provider's non-compliance with this Addendum, including the cost of the twenty-four (24)-month identity theft prevention and mitigation services required under Section 13.3(f).


ARTICLE 14 — SUBPROCESSOR MANAGEMENT

14.1 Prior Approval. No Subprocessor engagement without Customer's prior written approval.

14.2 CTDPA Subprocessor Requirements. Consistent with the CTDPA, Provider shall engage Subprocessors only pursuant to a written contract requiring the Subprocessor to meet Provider's obligations with respect to Personal Data.

14.3 Due Diligence. Security capability verification before engagement.

14.4 Contractual Requirements. Written agreements no less stringent than this Addendum.

14.5 Ongoing Monitoring. Annual compliance monitoring with prompt deficiency notification.

14.6 Liability. Provider fully liable for Subprocessor acts and omissions.

14.7 Objection Right. Fifteen (15) Business Day objection period.


ARTICLE 15 — PERSONNEL SECURITY

15.1 Background Checks. Pre-access background checks to the extent permitted by Connecticut law.

15.2 Security Training. At onboarding and annually. Covering policies, incident reporting, phishing, data handling, and CTDPA compliance obligations.

15.3 Confidentiality Agreements. Required before access to Customer Data.

15.4 Disciplinary Measures. Enforced for security policy violations.

15.5 Offboarding. Access revoked within twenty-four (24) hours of departure.


ARTICLE 16 — PHYSICAL SECURITY

16.1 Data Center Security. 24/7 security, badge/biometric/MFA access, visitor management, ninety (90)-day video retention, intrusion detection, environmental controls, redundant power.

16.2 Media Handling. Encrypted, tracked, tamper-evident transport, proper destruction.

16.3 Clean Desk Policy. Enforced in all areas with Customer Data access.


ARTICLE 17 — INSURANCE

17.1 Required Coverage.

(a) Cyber Liability / Technology E&O: Minimum $5,000,000;
(b) Professional Liability / E&O: Minimum $2,000,000;
(c) Commercial General Liability: Minimum $1,000,000 per occurrence / $2,000,000 aggregate;
(d) Workers' Compensation: As required by Connecticut law (Conn. Gen. Stat. § 31-275 et seq.).

17.2 Policy Requirements. AM Best A- VII or better, additional insured, thirty (30) days' cancellation notice, waiver of subrogation.

17.3 Certificates. Upon execution and annually.


ARTICLE 18 — AUDIT RIGHTS

18.1 Audit Right. Annual audits upon thirty (30) days' notice (additional audits post-Incident).

18.2 CTDPA Audit Obligation. Provider shall make available to Customer all information necessary to demonstrate compliance with the CTDPA, and shall allow and cooperate with reasonable assessments by Customer or Customer's designated assessor.

18.3 Scope. Security policies, access records, scan results, incident records, Subprocessor agreements, training records, CTDPA compliance documentation.

18.4 Third-Party Reports. SOC 2 Type II, ISO 27001, penetration test summaries, and other assessments.

18.5 Remediation. Thirty (30) days for general deficiencies; fifteen (15) days for critical.


ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING

19.1 Security Officer. Designated CISO or equivalent.

19.2 Reporting. Quarterly security reports, annual security assessments, incident reports, ad hoc reports.

19.3 Security Meetings. Semi-annual security review meetings.


ARTICLE 20 — DATA RETURN AND DESTRUCTION

20.1 Data Return. Industry-standard format within thirty (30) days of termination or request.

20.2 Data Destruction. All copies destroyed within sixty (60) days per NIST SP 800-88 Rev. 1.

20.3 CTDPA Deletion Support. Provider shall implement technical capabilities to support deletion of Personal Data upon Customer's instruction in response to Consumer deletion requests under the CTDPA.

20.4 Certification. Written certification within ten (10) Business Days.

20.5 Retention Exception. Only as required by law, subject to ongoing obligations.


ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES

21.1 Provider Indemnification. Provider shall indemnify Customer from all claims, losses, damages, liabilities, costs, and expenses arising from:

(a) Security Breaches caused by Provider's non-compliance;
(b) Violations of Conn. Gen. Stat. § 36a-701b attributable to Provider;
(c) Violations of the CTDPA attributable to Provider;
(d) CUTPA claims resulting from breach notification failures;
(e) Costs of twenty-four (24)-month identity theft prevention and credit monitoring services;
(f) Regulatory fines, penalties, or enforcement actions.

21.2 Customer Indemnification. Customer shall indemnify Provider from claims arising from Customer's violation of law or instructions causing Provider to violate law, provided Provider has complied with this Addendum.

21.3 Indemnification Procedures. Prompt notice, sole control of defense, reasonable cooperation.


ARTICLE 22 — CONNECTICUT-SPECIFIC LEGAL PROVISIONS

22.1 Connecticut Data Privacy Act (CTDPA) Compliance — Data Processing Agreement

This Section 22.1 constitutes the data processing agreement required under the CTDPA between Customer (as Controller) and Provider (as Processor).

(a) Processing Instructions. Provider shall Process Personal Data only in accordance with Customer's documented instructions. Provider shall immediately inform Customer if, in Provider's opinion, an instruction violates the CTDPA.

(b) Duty of Confidentiality. Provider shall ensure that each person Processing Personal Data is subject to a duty of confidentiality with respect to the data.

(c) Subprocessor Restrictions. Provider shall engage Subprocessors only with Customer's prior written consent and pursuant to a written contract requiring the Subprocessor to meet Provider's obligations, as set forth in Article 14.

(d) Consumer Rights Assistance. Provider shall, taking into account the nature of Processing and information available to Provider, implement appropriate technical and organizational measures to assist Customer in fulfilling Customer's obligation to respond to Consumer rights requests, including:

(i) Right to Confirm and Access — Confirm whether Provider is Processing Consumer's Personal Data and provide access to such data;
(ii) Right to Correct — Correct inaccuracies in Personal Data;
(iii) Right to Delete — Delete Personal Data provided by or obtained about the Consumer;
(iv) Right to Data Portability — Provide Personal Data in a portable, readily usable format;
(v) Right to Opt Out — Assist Customer in processing Consumer opt-outs for Targeted Advertising, sale of Personal Data, and Profiling in furtherance of decisions producing legal or similarly significant effects;
(vi) Consent Revocation — Stop Processing within fifteen (15) days of Consumer's revocation of consent.

(e) Response Timelines. Provider shall assist Customer in responding to Consumer requests within forty-five (45) days, with one forty-five (45)-day extension permitted where reasonably necessary considering the complexity and number of requests. If declining a request, Provider shall assist Customer in providing the Consumer an appeal mechanism with a sixty (60)-day response period.

(f) Security Assistance. Provider shall assist Customer in meeting Customer's obligations in relation to the security of Processing and breach notification under the CTDPA.

(g) Data Protection Assessments. Provider shall provide reasonable assistance to Customer in conducting Data Protection Assessments for high-risk Processing activities, including:
- Processing for Targeted Advertising;
- Sale of Personal Data;
- Processing for Profiling where there is a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury, or other substantial injury;
- Processing Sensitive Data.

(h) Audit and Compliance. Provider shall make available to Customer all information necessary to demonstrate compliance with the CTDPA and shall allow and cooperate with reasonable assessments.

22.2 CTDPA Sensitive Data Processing

(a) Provider shall not Process Sensitive Data without Customer's prior written authorization.
(b) Customer represents that it has obtained the Consumer's affirmative opt-in consent before directing Provider to Process Sensitive Data.
(c) For Personal Data of a known child (under age thirteen (13)), Customer represents that it has complied with COPPA requirements.
(d) Provider shall implement enhanced safeguards for Sensitive Data, including additional access restrictions, enhanced encryption, and audit logging.

22.3 CTDPA Universal Opt-Out Mechanism

(a) Effective January 1, 2025, Provider shall implement technical support for Universal Opt-Out Mechanisms, enabling Customer to recognize and honor opt-out preference signals from Connecticut Consumers.
(b) Provider shall process Universal Opt-Out signals as valid Consumer requests to opt out of Targeted Advertising and sale of Personal Data.
(c) Provider shall not use dark patterns or other manipulative design elements to subvert Consumer choices expressed through Universal Opt-Out Mechanisms.

22.4 CTDPA Enforcement and Penalties

(a) Attorney General Enforcement. The CTDPA is enforced exclusively by the Connecticut Attorney General. There is no private right of action under the CTDPA.
(b) Cure Period. The CTDPA initially provided a sixty (60)-day cure period, which expired on December 31, 2024. Effective January 1, 2025, the Attorney General has discretion to provide a cure notice but is not required to do so.
(c) CUTPA Violations. Violations of the CTDPA are treated as unfair trade practices under the Connecticut Unfair Trade Practices Act (Conn. Gen. Stat. § 42-110a et seq.).
(d) Proactive Compliance. Provider shall proactively maintain CTDPA compliance to avoid enforcement actions.

22.5 Connecticut Identity Theft Prevention Services

Consistent with Conn. Gen. Stat. § 36a-701b, if a Security Breach compromises Social Security numbers or taxpayer identification numbers of Connecticut residents, Provider shall:

(a) Offer affected individuals at least twenty-four (24) months of identity theft prevention and mitigation services at no cost;
(b) Include credit monitoring, identity theft insurance, and identity restoration services;
(c) Provide clear instructions for enrolling in such services;
(d) Bear all costs of identity theft prevention and mitigation services resulting from a breach attributable to Provider.

22.6 Connecticut Trade Secret Protections

Provider acknowledges that Customer Data may contain Trade Secrets as defined by the Connecticut Uniform Trade Secrets Act (Conn. Gen. Stat. §§ 35-50 through 35-58). Provider shall:

(a) Implement reasonable measures to maintain secrecy;
(b) Limit access to personnel with a need to know;
(c) Not use Trade Secrets beyond performing services under the Master Agreement;
(d) Cooperate with Customer in seeking injunctive relief under Conn. Gen. Stat. § 35-52 if unauthorized disclosure occurs.

22.7 Governing Law and Forum

(a) This Addendum shall be governed by and construed in accordance with the laws of the State of Connecticut, without regard to conflict-of-law principles.

(b) Any dispute shall be subject to the exclusive jurisdiction of the state and federal courts located in Hartford County, Connecticut.

(c) JURY WAIVER. EACH PARTY HEREBY WAIVES, TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, ANY RIGHT TO TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS ADDENDUM.

22.8 Late Payment

Any amounts due that are not paid when due shall accrue interest at the rate of twelve percent (12%) per annum, consistent with Conn. Gen. Stat. § 37-3a, or the maximum rate permitted by law, whichever is less.


ARTICLE 23 — ELECTRONIC SIGNATURES

23.1 Validity. This Addendum may be executed by electronic signature in accordance with the Connecticut Uniform Electronic Transactions Act (Conn. Gen. Stat. §§ 1-266 through 1-286) and the federal E-SIGN Act (15 U.S.C. § 7001 et seq.).

23.2 Legal Effect. Electronic signatures shall have the same force and effect as handwritten signatures.

23.3 Consent. Each Party consents to electronic execution.

23.4 Retention. Each Party shall retain an electronic copy per applicable requirements.


ARTICLE 24 — GENERAL PROVISIONS

24.1 Entire Agreement. This Addendum and the Master Agreement constitute the entire agreement between the Parties regarding security and data protection and supersede any prior understandings on those subjects.

24.2 Amendments. This Addendum may be amended only by a written instrument executed by both Parties.

24.3 Severability. If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

24.4 Waiver. No waiver of any provision of this Addendum is effective unless made in writing and signed by the waiving Party, and no waiver of one breach constitutes a waiver of any other breach.

24.5 Notices. All notices under this Addendum shall be in writing and delivered to the addresses specified in the Master Agreement.

24.6 Term. This Addendum remains in effect for the term of the Master Agreement and survives its expiration or termination for so long as Provider retains any Customer Data.

24.7 Counterparts. This Addendum may be executed in counterparts, each of which is deemed an original and all of which together constitute one instrument.


EXECUTION

IN WITNESS WHEREOF, the Parties have caused this Enterprise Security Addendum to be executed by their duly authorized representatives as of the Addendum Effective Date.

CUSTOMER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

PROVIDER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]


SCHEDULE A — SECURITY CONTACTS

Role                            | Customer                             | Provider
Primary Security Contact        | [________________________________] | [________________________________]
Secondary Security Contact      | [________________________________] | [________________________________]
Incident Response Lead          | [________________________________] | [________________________________]
Privacy Officer / CTDPA Contact | [________________________________] | [________________________________]
Executive Escalation            | [________________________________] | [________________________________]

SCHEDULE B — APPROVED SUBPROCESSORS

Subprocessor Name                  | Services Provided                  | Data Processed                     | Location                           | Approval Date
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]

SCHEDULE C — CTDPA PROCESSING DETAILS

Categories of Personal Data Processed: [________________________________]

Categories of Consumers: [________________________________]

Nature and Purpose of Processing: [________________________________]

Duration of Processing: [________________________________]

Sensitive Data Categories (if applicable): [________________________________]


PRE-EXECUTION CHECKLIST

☐ Master Agreement fully executed and referenced above
☐ All blanks and variable fields completed
☐ RPO and RTO values agreed upon and inserted in Article 12
☐ Approved Subprocessor list completed in Schedule B
☐ Security contact information completed in Schedule A
☐ CTDPA Processing details completed in Schedule C
☐ Insurance certificates obtained and reviewed
☐ Provider's SOC 2 Type II or ISO 27001 certification reviewed
☐ CTDPA applicability assessment completed
☐ Data Protection Assessment requirements evaluated
☐ Universal Opt-Out Mechanism compliance verified
☐ Identity theft prevention service provider identified
☐ Connecticut-licensed counsel review completed
☐ Both Parties' authorized signatories confirmed


SOURCES AND REFERENCES

  1. Connecticut Data Privacy Act — Conn. Gen. Stat. §§ 42-515 through 42-525
    https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act
  2. Public Act 22-15 (CTDPA Statute)
    https://www.cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF
  3. Connecticut Data Breach Notification — Conn. Gen. Stat. § 36a-701b
    https://law.justia.com/codes/connecticut/title-36a/chapter-669/section-36a-701b/
  4. Connecticut Attorney General — Reporting a Data Breach
    https://portal.ct.gov/ag/sections/privacy/reporting-a-data-breach
  5. Connecticut Uniform Trade Secrets Act — Conn. Gen. Stat. §§ 35-50 through 35-58
    https://law.justia.com/codes/connecticut/title-35/chapter-625/
  6. Connecticut Uniform Electronic Transactions Act — Conn. Gen. Stat. §§ 1-266 through 1-286
    https://www.cga.ct.gov/2025/pub/chap_015.htm
  7. NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization
    https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
  8. NIST Cybersecurity Framework 2.0
    https://www.nist.gov/cyberframework
  9. ISO/IEC 27001:2022
    https://www.iso.org/standard/27001
  10. OWASP Top Ten
    https://owasp.org/www-project-top-ten/
About This Template

A contract is a written record of what two or more parties agreed to and what happens if someone does not follow through. Clear language, defined terms, and clean signature blocks keep disputes small and enforceable. The most common mistakes in contracts come from vague promises, missing details about timing or payment, and skipping standard protective clauses like governing law and dispute resolution.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: March 2026