
SECURITY ADDENDUM (ENTERPRISE SAAS)

District of Columbia Jurisdictional Version

Addendum Reference No.: [________________________________]

Effective Date: [__/__/____]


RECITALS

This Security Addendum ("Addendum") is entered into as of the Effective Date set forth above by and between:

Provider:
Name: [________________________________]
Address: [________________________________]
Jurisdiction of Organization: [________________________________]
("Provider" or "Service Provider")

AND

Customer:
Name: [________________________________]
Address: [________________________________]
Jurisdiction of Organization: [________________________________]
("Customer" or "Client")

Each individually a "Party" and collectively the "Parties."

WHEREAS, the Parties have entered into a Master Services Agreement, SaaS Subscription Agreement, or similar agreement dated [__/__/____] (the "Master Agreement") pursuant to which Provider delivers certain software-as-a-service and related technology services to Customer;

WHEREAS, the performance of services under the Master Agreement requires Provider to access, process, store, or transmit data belonging to or entrusted to Customer, including data that may be subject to protection under District of Columbia law, specifically the Consumer Security Breach Notification Act (D.C. Code §§ 28-3851 et seq.) and the Security Breach Protection Amendment Act of 2020 (D.C. Law 23-98);

WHEREAS, the District of Columbia has enacted affirmative security requirements under D.C. Code § 28-3852.01 requiring persons and entities that maintain Personal Information to implement and maintain reasonable security safeguards;

WHEREAS, Customer requires that Provider implement and maintain comprehensive information security controls to protect Customer Data from unauthorized access, use, disclosure, alteration, or destruction;

NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:


ARTICLE 1 — DEFINITIONS

1.1 The following terms shall have the meanings set forth below when used in this Addendum. Capitalized terms not defined herein shall have the meanings ascribed to them in the Master Agreement.

1.2 "Authorized Users" means individuals who have been granted access to Provider Systems by Customer or Provider in accordance with this Addendum, including employees, contractors, agents, and third parties with a legitimate business need to access Customer Data.

1.3 "Confidential Information" means all non-public information disclosed by one Party to the other in connection with this Addendum or the Master Agreement, including trade secrets as defined under the District of Columbia Uniform Trade Secrets Act (D.C. Code § 36-401), business plans, technical data, security configurations, audit results, and vulnerability assessments.

1.4 "Customer Data" means all data, information, records, documents, files, and materials provided by or on behalf of Customer to Provider, or collected, generated, or processed by Provider on Customer's behalf in the course of performing services under the Master Agreement, regardless of format or medium.

1.5 "Data Breach" means a breach of the security of the system as defined under D.C. Code § 28-3851(1A), meaning the unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data, that compromises the security, confidentiality, or integrity of Personal Information maintained by the person or entity. For purposes of this Addendum, "Data Breach" also includes any Security Incident that results in the unauthorized access to, acquisition of, or exfiltration of Customer Data, whether or not such incident meets the statutory threshold for notification.

1.6 "Data Processing" means any operation or set of operations performed on Customer Data, whether by automated means or otherwise, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

1.7 "DPA" means a Data Processing Agreement or Data Processing Addendum that may be executed between the Parties to address specific data processing obligations, including those arising under applicable federal or international data protection regulations.

1.8 "Encryption Standard" means, at a minimum, Advanced Encryption Standard (AES) with a key length of 256 bits for data at rest, and Transport Layer Security (TLS) version 1.2 or higher for data in transit, or such stronger encryption standards as may become industry standard during the Term.

1.9 "High-Risk Data" means Customer Data that, if disclosed, altered, or destroyed without authorization, could cause significant harm to individuals or Customer, including Social Security numbers, government-issued identification numbers, financial account numbers, health information, biometric data, authentication credentials, and any data classified as "High" or "Critical" under the data classification framework established in this Addendum.

1.10 "Information Security Program" means Provider's comprehensive, written program of policies, procedures, and controls designed to protect the security, confidentiality, integrity, and availability of Customer Data, as more fully described in Article 4 of this Addendum, and consistent with the reasonable security safeguards mandated by D.C. Code § 28-3852.01.

1.11 "Malware" means any software, code, or program designed to disrupt, damage, or gain unauthorized access to computer systems, including viruses, worms, trojans, ransomware, spyware, adware, rootkits, keyloggers, and any other malicious or unauthorized code.

1.12 "Personal Information" means, consistent with D.C. Code § 28-3851(3), an individual's first name, first initial and last name, or any other personal identifier, which, in combination with any of the following data elements, can be used to identify a person or the person's information:

(a) Social Security number;
(b) Driver's license number or District of Columbia identification card number;
(c) Credit card number or debit card number;
(d) Any other number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual's financial or credit account;
(e) Medical information;
(f) Genetic information and DNA profile;
(g) Health insurance information, including a policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
(h) Biometric data (such as fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data);
(i) A username or email address in combination with a password, security question and answer, or other means of authentication or access that permits access to an individual's email account.

Personal Information does not include publicly available information that is lawfully made available to the general public from federal, District of Columbia, or local government records or widely distributed media.

1.13 "Provider Systems" means all information technology infrastructure, platforms, applications, networks, servers, databases, storage systems, and related components owned, operated, managed, or controlled by Provider and used to process, store, or transmit Customer Data.

1.14 "Security Incident" means any event that actually or potentially compromises the confidentiality, integrity, or availability of Provider Systems or Customer Data, including unauthorized access attempts, denial-of-service attacks, Malware infections, phishing incidents, physical security breaches, and any other event that triggers investigation or response by Provider's security team.

1.15 "Subprocessor" means any third party engaged by Provider to process Customer Data on Provider's behalf in connection with the services provided under the Master Agreement, including cloud infrastructure providers, managed service providers, data center operators, and any subcontractor with access to Customer Data.

1.16 "Vulnerability" means a weakness in Provider Systems, software, hardware, or processes that could be exploited by a threat actor to compromise the confidentiality, integrity, or availability of Customer Data, as identified through vulnerability scanning, penetration testing, or other assessment methods.


ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE

2.1 Scope. This Addendum applies to all services provided by Provider to Customer under the Master Agreement that involve the access, processing, storage, transmission, or handling of Customer Data through Provider Systems. This Addendum governs Provider's information security obligations regardless of whether Customer Data is processed within or outside the District of Columbia.

2.2 Order of Precedence. In the event of any conflict or inconsistency between the terms of this Addendum and the terms of the Master Agreement, the terms of this Addendum shall prevail with respect to information security, data protection, and breach notification matters. In the event of any conflict between this Addendum and any service order, statement of work, or other ancillary agreement, the terms of this Addendum shall take precedence unless the conflicting provision in such ancillary agreement expressly references this Addendum by name and states that it is intended to supersede a specific provision hereof.

2.3 Regulatory Compliance. The District of Columbia has enacted affirmative security requirements under D.C. Code § 28-3852.01. To the extent Customer is subject to additional industry-specific regulations (including but not limited to HIPAA, GLBA, PCI DSS, SOX, or federal government security requirements), Provider shall comply with the applicable security requirements of such regulations as they pertain to Customer Data processed by Provider. Customer shall notify Provider in writing of any such regulatory requirements at the time of execution of this Addendum or promptly upon becoming subject to new requirements.

2.4 Safe Harbor Provisions. The Parties acknowledge that pursuant to D.C. Code § 28-3852.01, a person or entity that is subject to and in compliance with the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), or the Health Information Technology for Economic and Clinical Health Act (HITECH) shall be deemed to be in compliance with the District of Columbia's security requirements. Notwithstanding this safe harbor, the security obligations in this Addendum shall apply as between the Parties regardless of any statutory safe harbor, and compliance with such statutes shall not excuse a failure to meet any specific control required hereunder.

2.5 Incorporation. This Addendum is incorporated into and forms part of the Master Agreement. All terms, conditions, representations, warranties, and obligations of the Master Agreement not expressly modified by this Addendum shall remain in full force and effect.


ARTICLE 3 — INFORMATION SECURITY PROGRAM

3.1 Written Security Program. Provider shall establish, implement, and maintain a comprehensive, written Information Security Program that contains administrative, technical, and physical safeguards appropriate to the nature of the Personal Information and Customer Data processed by Provider, consistent with the requirements of D.C. Code § 28-3852.01. The Information Security Program shall include procedures and practices that are appropriate to the nature of the Personal Information and the nature and size of the entity or operation, and shall be designed to:

(a) Protect the security, confidentiality, integrity, and availability of Customer Data;

(b) Protect against any reasonably anticipated threats or hazards to the security or integrity of Customer Data;

(c) Protect against unauthorized access, use, modification, or disclosure of Customer Data;

(d) Ensure the proper disposal of Customer Data in accordance with Article 21 of this Addendum.

3.2 Framework Alignment. Provider's Information Security Program shall be aligned with one or more of the following recognized security frameworks, as selected by Provider and approved by Customer:

☐ ISO/IEC 27001:2022 (Information Security Management Systems)
☐ SOC 2 Type II (Trust Services Criteria)
☐ NIST Cybersecurity Framework (CSF) 2.0
☐ NIST SP 800-53 (Security and Privacy Controls)
☐ CIS Critical Security Controls (v8)
☐ FedRAMP (if applicable for federal government customers in DC)

3.3 Risk Assessment. Provider shall conduct a comprehensive risk assessment of Provider Systems at least annually, and additionally upon any material change to Provider's technology infrastructure, business operations, or threat landscape. Risk assessments shall identify threats and vulnerabilities, assess the likelihood and impact of potential security events, and result in documented risk treatment plans with assigned ownership and target remediation dates.

3.4 Security Officer. Provider shall designate a qualified individual as its Chief Information Security Officer ("CISO") or equivalent security officer with responsibility for the development, implementation, oversight, and enforcement of the Information Security Program. Provider shall notify Customer within thirty (30) days of any change in the individual serving in this role. The designated security officer as of the Effective Date is:

Name: [________________________________]
Title: [________________________________]
Contact: [________________________________]

3.5 Annual Review. Provider shall review and update the Information Security Program at least annually, and more frequently as necessary, to address changes in technology, threat landscape, regulatory requirements, and the results of risk assessments. Provider shall provide Customer with a summary of material changes to the Information Security Program within thirty (30) days of implementation.

3.6 Policy Documentation. Provider shall maintain written security policies addressing, at minimum, the following domains: access control, asset management, business continuity, cryptography, human resource security, incident management, network security, operational security, physical security, supplier relationships, system acquisition and development, and compliance.


ARTICLE 4 — ACCESS CONTROLS

4.1 Role-Based Access Control (RBAC). Provider shall implement role-based access controls to ensure that Authorized Users are granted only the minimum level of access necessary to perform their assigned duties (principle of least privilege). Access rights shall be defined based on job function, department, and business need, and shall be documented in an access control matrix.

4.2 Multi-Factor Authentication (MFA). Provider shall require multi-factor authentication for:

(a) All remote access to Provider Systems;
(b) All administrative or privileged access to systems containing Customer Data;
(c) All access to management consoles, cloud infrastructure portals, and security tools;
(d) All access to Customer-facing portals and dashboards;
(e) All VPN connections to Provider's network.

4.3 Privileged Access Management (PAM). Provider shall implement a privileged access management program that includes:

(a) Unique identification and authentication for all privileged accounts;
(b) Time-limited elevation of privileges (just-in-time access) where technically feasible;
(c) Logging and monitoring of all privileged access sessions;
(d) Separation of duties to prevent any single individual from having unchecked privileged access;
(e) Regular rotation of privileged account credentials, not less frequently than every ninety (90) days.

4.4 Access Reviews. Provider shall conduct formal access reviews at least quarterly to verify that:

(a) All active user accounts correspond to current Authorized Users;
(b) Access rights are appropriate for each user's current role and responsibilities;
(c) Privileged access is limited to personnel with a demonstrated business need;
(d) Former employees, contractors, and terminated users have been promptly deprovisioned;
(e) Service accounts and system accounts are inventoried and appropriately restricted.

4.5 Onboarding and Offboarding. Provider shall implement documented procedures for granting access upon personnel onboarding and revoking access upon personnel offboarding, including:

(a) Provisioning of access only after appropriate authorization and background check completion;
(b) Revocation of all access within twenty-four (24) hours of employment or engagement termination;
(c) Revocation of all access within four (4) hours for involuntary terminations or for-cause separations;
(d) Return or secure destruction of all devices, tokens, and credentials upon departure.

4.6 Password Policies. Provider shall enforce password policies that require, at minimum:

(a) Minimum length of fourteen (14) characters;
(b) Complexity requirements including uppercase, lowercase, numeric, and special characters;
(c) Prohibition against reuse of the previous twenty-four (24) passwords;
(d) Automatic account lockout after no more than five (5) consecutive failed login attempts;
(e) Password expiration not to exceed ninety (90) days for non-MFA accounts.

4.7 Session Management. Provider shall enforce automatic session timeouts after a maximum of fifteen (15) minutes of inactivity for sessions involving access to Customer Data. Concurrent session limitations shall be implemented for privileged accounts.


ARTICLE 5 — ENCRYPTION STANDARDS

5.1 Encryption in Transit. All Customer Data transmitted over public networks, wireless networks, or any network not exclusively controlled by Provider shall be encrypted using TLS version 1.2 or higher, configured with strong cipher suites (forward-secret key exchange with authenticated encryption). Provider shall disable support for all versions of SSL and for TLS versions below 1.2, and shall not enable cipher suites that are deprecated by the relevant standards bodies or that provide no forward secrecy.

5.2 Encryption at Rest. All Customer Data stored on Provider Systems, including primary databases, replicated databases, data warehouses, file systems, and backup storage, shall be encrypted using AES-256 or an equivalent or stronger encryption standard.

5.3 Key Management. Provider shall implement a formal cryptographic key management program that includes:

(a) Secure generation of encryption keys using cryptographically secure random number generators;
(b) Secure storage of encryption keys in dedicated hardware security modules (HSMs) or equivalent key vaults;
(c) Separation of encryption keys from the data they protect;
(d) Key rotation at least annually, and immediately upon suspected compromise;
(e) Secure key destruction upon expiration or revocation;
(f) Documented key management procedures with defined roles and responsibilities.

5.4 Certificate Management. Provider shall maintain a certificate management program that includes an inventory of all digital certificates, automated monitoring of certificate expiration dates, and procedures for timely renewal and replacement of certificates before expiration.

5.5 Encryption of Backups. All backup copies of Customer Data shall be encrypted to the same standard as production data. Backup encryption keys shall be managed in accordance with Section 5.3 and stored separately from backup media.

5.6 Field-Level Encryption. For High-Risk Data elements, including Social Security numbers, financial account numbers, government-issued identification numbers, biometric data, and authentication credentials, Provider shall implement field-level encryption or tokenization to provide an additional layer of protection beyond volume-level or database-level encryption.
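The tokenization option in Section 5.6, shown as an added example in Python that is not part of the Addendum and not any particular Provider's implementation: a minimal token vault that replaces High-Risk fields with random tokens before a record reaches the application database. The vault alone holds the token-to-value mapping, and a keyed blind index (HMAC-SHA256) makes tokenizing the same value twice return the same token without storing a plain hash that could be brute-forced offline. The index key, the field names and the sample record are assumptions for illustration; in a real deployment the vault's own store would be encrypted at rest and the index key kept in the HSM or key vault of Section 5.3, apart from the data.

```python
import hmac
import hashlib
import json
import secrets

# Field names treated as High-Risk Data for this example (assumed).
HIGH_RISK_FIELDS = {"ssn", "account_number"}


class TokenVault:
    """Vault that swaps a High-Risk value for a random token.

    The application database only ever sees tokens; the plaintext lives in
    this vault, which in production would be a separate, encrypted store.
    A keyed blind index (HMAC-SHA256) makes tokenization deterministic
    without storing a plain hash that could be brute-forced offline.
    """

    def __init__(self, index_key: bytes):
        if len(index_key) < 32:
            raise ValueError("index key must be at least 256 bits")
        self._index_key = index_key          # held apart from the data (Section 5.3(c))
        self._by_token: dict[str, str] = {}  # token -> plaintext
        self._by_index: dict[str, str] = {}  # blind index -> token

    def _blind_index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        idx = self._blind_index(value)
        token = self._by_index.get(idx)
        if token is None:
            # 128 bits of randomness: the token carries no information about the value.
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_token[token] = value
            self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        try:
            return self._by_token[token]
        except KeyError:
            raise LookupError("unknown token") from None


def protect_record(vault: TokenVault, record: dict) -> dict:
    """Return the copy of `record` that may be written to the application database."""
    return {
        field: vault.tokenize(value) if field in HIGH_RISK_FIELDS else value
        for field, value in record.items()
    }


def leaks_plaintext(stored: dict, original: dict) -> bool:
    """Does any High-Risk plaintext from `original` appear anywhere in the stored row?"""
    blob = json.dumps(stored)
    return any(original[f] in blob for f in HIGH_RISK_FIELDS if f in original)


if __name__ == "__main__":
    # Constructed sample; the key would normally be fetched from the key vault.
    vault = TokenVault(secrets.token_bytes(32))
    customer = {"name": "A. Example", "ssn": "123-45-6789", "account_number": "0001234567"}
    row = protect_record(vault, customer)
    print(row)
    print(vault.detokenize(row["ssn"]))
```

The design point is the one Section 5.3(c) makes: the application tier holds tokens and no key, the vault holds values and the index key, and a dump of the application database therefore contains nothing usable. Because the blind index is deterministic, low-entropy values such as Social Security numbers are only as protected as the index key, which is why that key must never sit alongside the data.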

5.7 Encryption Safe Harbor. The Parties acknowledge that under D.C. Code § 28-3852(a-1), breach notification is not required when the Personal Information was rendered secure, so as to be unusable, unreadable, or indecipherable (i.e., encrypted in a manner consistent with industry standards), and the encryption key was not acquired. Provider shall maintain encryption to at least meet this safe harbor standard. Because the safe harbor is lost if the key is acquired together with the data, Provider shall keep encryption keys separate from the data they protect as required by Section 5.3(c), so that a compromise of the systems holding Customer Data does not by itself expose the keys.


ARTICLE 6 — NETWORK SECURITY

6.1 Network Segmentation. Provider shall implement network segmentation to isolate environments processing Customer Data from other network segments, including corporate networks, development environments, and other customer environments. Segmentation shall be enforced through firewalls, virtual local area networks (VLANs), or software-defined networking controls.

6.2 Firewalls. Provider shall deploy and maintain enterprise-grade firewalls at all network perimeters and at boundaries between network segments. Firewall rules shall be reviewed at least quarterly and follow a default-deny policy, permitting only traffic that is explicitly authorized.

6.3 Intrusion Detection and Prevention. Provider shall deploy intrusion detection systems (IDS) and intrusion prevention systems (IPS) at critical network points, including network perimeters and segments processing Customer Data. IDS/IPS signatures and rules shall be updated at least daily.

6.4 DDoS Mitigation. Provider shall implement distributed denial-of-service (DDoS) mitigation measures, including traffic scrubbing, rate limiting, and capacity planning, sufficient to maintain service availability during volumetric, protocol, and application-layer attacks.

6.5 VPN Requirements. All remote administrative access to Provider Systems shall be conducted through encrypted virtual private network (VPN) tunnels or equivalent secure connectivity mechanisms. Split tunneling shall be prohibited for VPN connections used to access Customer Data.

6.6 Wireless Security. Any wireless networks within Provider facilities that have connectivity to systems processing Customer Data shall use WPA3 encryption (or WPA2-Enterprise at minimum), shall be segmented from wired networks, and shall require individual authentication credentials.

6.7 DMZ Architecture. Provider shall implement a demilitarized zone (DMZ) architecture to separate internet-facing systems from internal systems processing Customer Data. No Customer Data shall be stored in the DMZ. All traffic from the internet to internal systems shall traverse the DMZ and be subject to inspection and filtering.


ARTICLE 7 — APPLICATION SECURITY

7.1 Secure Software Development Lifecycle (SDLC). Provider shall implement a secure SDLC that integrates security requirements, threat modeling, secure coding practices, code review, and security testing throughout all phases of software development and deployment.

7.2 OWASP Top 10. Provider shall ensure that all applications processing Customer Data are tested for and protected against the vulnerabilities identified in the current OWASP Top 10 and OWASP API Security Top 10. Provider shall document remediation of any identified vulnerabilities prior to deployment to production.

7.3 Code Reviews. Provider shall require peer code reviews with security focus for all changes to applications that process Customer Data. Code reviews shall be performed by personnel other than the original developer and shall include review for common security vulnerabilities.

7.4 Static and Dynamic Application Security Testing. Provider shall perform:

(a) Static Application Security Testing (SAST) on all application code prior to deployment to production environments;
(b) Dynamic Application Security Testing (DAST) on all production applications at least quarterly;
(c) Interactive Application Security Testing (IAST) during quality assurance testing where technically feasible.

7.5 Dependency and Supply Chain Security. Provider shall maintain a software bill of materials (SBOM) for applications processing Customer Data and shall perform automated scanning of third-party libraries and dependencies for known vulnerabilities. Vulnerable dependencies shall be updated or remediated in accordance with the vulnerability remediation SLAs set forth in Article 8.

7.6 API Security. Provider shall implement API security controls including authentication, authorization, rate limiting, input validation, output encoding, and logging for all APIs that process or provide access to Customer Data.

7.7 Input Validation. Provider shall implement server-side input validation for all user-supplied data to prevent injection attacks, cross-site scripting (XSS), and other input-based vulnerabilities.
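The injection case in Section 7.7, as an added example in Python that is not from the Addendum or any Provider's code: the same lookup written two ways against an in-memory SQLite table, with a server-side allow-list check placed in front. The table, its rows and the payload are constructed for the demonstration. The vulnerable version splices the caller's input into the statement text, so a crafted email value turns a one-row lookup into a dump of every tenant's users; the hardened version binds parameters, so the same input is treated as data and matches nothing. The email pattern is deliberately narrow and is an assumption, not a general-purpose validator.

```python
import re
import sqlite3

# Constructed sample data: two tenants sharing one table.
SAMPLE_USERS = [
    ("alice@example.com", "acme"),
    ("bob@example.com", "acme"),
    ("carol@example.com", "globex"),
]

# Classic injection payload: the leading quote closes the string literal.
PAYLOAD = "' OR '1'='1"

# Narrow allow-list for the example; a real validator follows the application's
# own email rules, but still never lets quotes or SQL fragments through.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, tenant TEXT)")
    conn.executemany("INSERT INTO users (email, tenant) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, tenant: str, email: str) -> list:
    # VULNERABLE: user input is concatenated into the SQL text, so the payload
    # rewrites the WHERE clause to (tenant = 'acme' AND email = '') OR '1'='1'.
    sql = f"SELECT email FROM users WHERE tenant = '{tenant}' AND email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, tenant: str, email: str) -> list:
    # HARDENED: bound parameters reach the engine as values, never as SQL.
    sql = "SELECT email FROM users WHERE tenant = ? AND email = ?"
    return [row[0] for row in conn.execute(sql, (tenant, email))]


def validate_email(value: str) -> str:
    """Server-side allow-list validation (Section 7.7): reject before any query runs."""
    if not EMAIL_RE.fullmatch(value):
        raise ValueError("invalid email")
    return value


def lookup(conn: sqlite3.Connection, tenant: str, email: str) -> list:
    """Defence in depth: validate first, then run only the parameterised query."""
    return find_user_safe(conn, tenant, validate_email(email))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, "acme", PAYLOAD))   # every tenant's users
    print("safe:      ", find_user_safe(db, "acme", PAYLOAD))         # nothing
```

Note that the vulnerable query also crosses the tenant boundary, since the injected clause discards the tenant predicate; that is the cross-tenant leakage Section 10.1 requires Provider to prevent, and it is why parameterisation is required rather than merely validation, which here is the second layer.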


ARTICLE 8 — VULNERABILITY MANAGEMENT

8.1 Vulnerability Scanning. Provider shall conduct automated vulnerability scanning of all Provider Systems, including network infrastructure, operating systems, databases, and applications, at least weekly for external-facing systems and at least monthly for internal systems.

8.2 Remediation SLAs. Provider shall remediate identified vulnerabilities according to the following timelines, measured from the date of identification:

Severity Level             Description                                             Remediation Timeline
Critical (CVSS 9.0-10.0)   Actively exploited or imminent threat of exploitation   24 hours
High (CVSS 7.0-8.9)        Significant risk of exploitation                        7 calendar days
Medium (CVSS 4.0-6.9)      Moderate risk of exploitation                           30 calendar days
Low (CVSS 0.1-3.9)         Minimal risk of exploitation                            90 calendar days

CVSS ranges refer to the base score. A vulnerability that is known to be actively exploited, or for which a working exploit is publicly available, shall be treated as Critical regardless of its CVSS base score.

8.3 Patch Management. Provider shall implement a formal patch management program that includes:

(a) Monitoring of vendor security advisories and vulnerability disclosures;
(b) Testing of patches in a non-production environment before deployment;
(c) Emergency patching procedures for Critical vulnerabilities that bypass standard change management timelines;
(d) Documentation of all patching activities, including exceptions and compensating controls.

8.4 Zero-Day Response. Upon discovery or notification of a zero-day vulnerability affecting Provider Systems, Provider shall:

(a) Immediately assess the potential impact on Customer Data;
(b) Implement available compensating controls within four (4) hours;
(c) Notify Customer within twenty-four (24) hours if the vulnerability poses a material risk to Customer Data;
(d) Apply vendor-supplied patches or permanent fixes within the Critical remediation timeline upon availability.


ARTICLE 9 — LOGGING, MONITORING, AND AUDIT

9.1 Centralized Logging. Provider shall implement centralized log management using a Security Information and Event Management (SIEM) system or equivalent technology. All security-relevant events across Provider Systems shall be aggregated, correlated, and analyzed in the centralized platform.

9.2 Logging Requirements. Provider shall log, at minimum, the following events:

(a) User authentication events (successful and failed);
(b) Authorization changes and privilege escalations;
(c) Access to Customer Data, including create, read, update, and delete operations;
(d) Administrative and configuration changes;
(e) Security events detected by IDS/IPS, firewalls, and endpoint protection;
(f) System startup, shutdown, and error events;
(g) File integrity monitoring alerts.

9.3 Log Retention. Provider shall retain all security-relevant logs for a minimum of twelve (12) months in immediately accessible, searchable storage, and for an additional twelve (12) months in archived storage. Logs relevant to known or suspected Security Incidents shall be retained for a minimum of thirty-six (36) months or until the resolution of any related legal proceedings, whichever is longer.

9.4 Log Integrity. Provider shall implement controls to prevent unauthorized modification or deletion of log data, including write-once storage, cryptographic hashing, or other tamper-detection mechanisms. Access to log management systems shall be restricted to authorized security personnel.
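One tamper-detection mechanism of the kind Section 9.4 names, as an added example in Python that is not from the Addendum or any Provider's system: a hash-chained audit log. Each entry commits to the previous entry's hash, so editing, deleting or reordering any earlier entry breaks the chain at the first affected position. The chain alone does not stop an attacker who can rewrite the whole file and recompute every hash, so the head hash is also sealed with an HMAC under a key the log writer does not hold; that seal stands in for the external anchor (write-once storage, a published or signed head) that a real deployment needs. The record fields and the seal key are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # value chained into the first entry of an empty log


def _canonical(record: dict) -> str:
    # Deterministic serialisation: same record -> same bytes -> same hash.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def _entry_hash(prev_hash: str, record: dict) -> str:
    return hashlib.sha256((prev_hash + _canonical(record)).encode("utf-8")).hexdigest()


def append(chain: list, record: dict) -> list:
    """Append `record`, binding it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _entry_hash(prev, record)})
    return chain


def verify(chain: list) -> tuple:
    """Return (True, None) if the chain is intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None


def seal(chain: list, seal_key: bytes) -> str:
    """HMAC over the head hash; stored outside the log writer's reach (assumed key custody)."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(seal_key, head.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_sealed(chain: list, seal_key: bytes, expected_seal: str) -> bool:
    """The chain is intact AND its head matches the externally held seal."""
    ok, _ = verify(chain)
    return ok and hmac.compare_digest(seal(chain, seal_key), expected_seal)


if __name__ == "__main__":
    # Constructed sample entries.
    log = []
    append(log, {"ts": "2024-05-01T10:00:00", "event": "auth.success", "user": "alice"})
    append(log, {"ts": "2024-05-01T10:01:00", "event": "data.read", "user": "alice", "object": "cust/42"})
    append(log, {"ts": "2024-05-01T10:02:00", "event": "privilege.escalation", "user": "bob"})
    print(verify(log))
    log[1]["record"]["user"] = "mallory"
    print(verify(log))
```

The check that matters operationally is the last one in the test below: a chain that has been truncated and rebuilt verifies as intact on its own, and only the externally held seal reveals that entries were dropped. That is the reason Section 9.4 pairs hashing with write-once storage rather than relying on either alone.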

9.5 Real-Time Alerting. Provider shall configure real-time alerts for high-severity security events, including but not limited to: multiple failed authentication attempts, privilege escalation events, access from anomalous geographic locations, data exfiltration indicators, and Malware detection events. Provider shall maintain a 24/7 security operations capability (internal or outsourced) to monitor and respond to alerts.
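Detection logic for two of the alert conditions in Section 9.5, as an added example in Python that is not from the Addendum or any Provider's SIEM: a sliding-window counter that flags a burst of failed authentications per (user, source address), a success that follows such a burst, and any privilege-escalation event. The JSON log lines, field names, threshold and window are constructed for the example; the threshold is set to the lockout figure in Section 4.6(d) so that the alert fires at the same point the account would lock. Applying the rule to a list of lines generalises to a stream: only the per-key deque of recent failures is kept as state.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation-range source addresses); one JSON event per line.
SAMPLE_LOG = [
    '{"ts": "2024-05-01T10:00:00", "event": "auth.failure", "user": "svc-deploy", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-05-01T10:00:20", "event": "auth.failure", "user": "svc-deploy", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-05-01T10:00:40", "event": "auth.failure", "user": "svc-deploy", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-05-01T10:01:00", "event": "auth.failure", "user": "alice", "src_ip": "198.51.100.9"}',
    '{"ts": "2024-05-01T10:01:05", "event": "auth.failure", "user": "svc-deploy", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-05-01T10:01:30", "event": "auth.failure", "user": "svc-deploy", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-05-01T10:02:00", "event": "auth.success", "user": "svc-deploy", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-05-01T10:05:00", "event": "privilege.escalation", "user": "bob", "src_ip": "198.51.100.9", "detail": "sudo -i"}',
    '{"ts": "2024-05-01T10:06:00", "event": "auth.success", "user": "alice", "src_ip": "198.51.100.9"}',
]

FAIL_THRESHOLD = 5                   # aligned with the lockout threshold in Section 4.6(d)
FAIL_WINDOW = timedelta(minutes=10)  # assumed window for "multiple failed attempts"


def _prune(recent: deque, now: datetime, window: timedelta) -> None:
    """Drop failures older than the window so the count reflects only recent activity."""
    while recent and now - recent[0] > window:
        recent.popleft()


def detect(lines, threshold: int = FAIL_THRESHOLD, window: timedelta = FAIL_WINDOW) -> list:
    """Apply the rules to log lines in time order; return the alerts raised, in order."""
    alerts = []
    failures = defaultdict(deque)    # (user, src_ip) -> timestamps of recent failures

    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev.get("user"), ev.get("src_ip"))
        recent = failures[key]
        _prune(recent, ts, window)

        if ev["event"] == "auth.failure":
            recent.append(ts)
            if len(recent) == threshold:             # fire once, as the threshold is crossed
                alerts.append({"type": "auth.burst", "user": key[0], "src_ip": key[1], "ts": ev["ts"]})

        elif ev["event"] == "auth.success":
            if len(recent) >= threshold:             # a guess may have landed
                alerts.append({"type": "auth.success_after_burst", "user": key[0],
                               "src_ip": key[1], "ts": ev["ts"]})
            failures.pop(key, None)                  # a login resets the counter for this key

        elif ev["event"] == "privilege.escalation":  # always alert (Section 9.2(b))
            alerts.append({"type": "privilege.escalation", "user": key[0], "src_ip": key[1],
                           "ts": ev["ts"], "detail": ev.get("detail")})

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two behaviours are worth checking when tuning such a rule: five failures spread across more than the window must not alert (otherwise slow guessing is indistinguishable from a user mistyping over a morning), and a success immediately after a burst is the higher-priority alert, because it means the guessing may have worked.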

9.6 Audit Trail. Provider shall maintain a complete, immutable audit trail of all actions taken with respect to Customer Data sufficient to support forensic investigation, regulatory inquiry, and Customer audit requirements.


ARTICLE 10 — DATA SEGREGATION AND RESIDENCY

10.1 Logical Tenant Isolation. Provider shall implement logical isolation controls to ensure that Customer Data is segregated from the data of other Provider customers. Such controls shall prevent any unauthorized cross-tenant data access, leakage, or commingling and shall be validated through regular testing.

10.2 Data Residency. Unless otherwise agreed in writing, Provider shall store and process Customer Data within the geographic boundaries of the United States. Provider shall notify Customer at least sixty (60) days in advance of any proposed change to data storage locations and shall obtain Customer's written consent before transferring Customer Data outside the United States.

10.3 Cross-Border Transfer Restrictions. Provider shall not transfer Customer Data to any location outside the United States without Customer's prior written consent. If cross-border transfer is authorized, Provider shall implement appropriate safeguards, including contractual protections and encryption, to ensure that the transferred data receives a level of protection substantially equivalent to that provided under this Addendum.

10.4 Data Classification. Provider shall support Customer's data classification framework and shall implement technical and organizational controls commensurate with the classification level assigned to Customer Data. At minimum, Provider shall support the following classification levels:

(a) Public — Information approved for public disclosure;
(b) Internal — Information intended for internal business use;
(c) Confidential — Sensitive business information requiring protection;
(d) Restricted — High-Risk Data requiring the strongest level of protection.

10.5 Federal Government Considerations. Given the District of Columbia's unique position as the seat of the federal government, Provider acknowledges that Customer Data may include data subject to federal government security requirements (e.g., FISMA, FedRAMP, ITAR, EAR). Provider shall comply with any such additional requirements identified by Customer in writing.


ARTICLE 11 — PENETRATION TESTING

11.1 Annual Testing. Provider shall engage a qualified, independent third-party penetration testing firm to conduct comprehensive penetration testing of Provider Systems at least annually. Penetration testing shall include network-layer, application-layer, and social engineering components.

11.2 Scope. Penetration testing shall encompass all Provider Systems that process, store, or transmit Customer Data, including external-facing and internal network components, web applications, APIs, mobile applications, and cloud infrastructure configurations.

11.3 Methodology. Penetration testing shall be conducted in accordance with recognized methodologies, including OWASP Testing Guide, PTES (Penetration Testing Execution Standard), or NIST SP 800-115. Testing shall simulate real-world attack scenarios and include both authenticated and unauthenticated testing perspectives.

11.4 Reporting. Provider shall share penetration testing results with Customer under mutual non-disclosure obligations within thirty (30) days of test completion. Reports shall include an executive summary, detailed findings, severity ratings, proof-of-concept demonstrations (where applicable), and recommended remediation actions.

11.5 Remediation Tracking. Provider shall remediate all findings from penetration testing in accordance with the vulnerability remediation SLAs set forth in Article 8. Provider shall provide Customer with a remediation status report within sixty (60) days of test completion and verification that all Critical and High findings have been addressed.

11.6 Customer Testing. Upon reasonable advance notice (not less than thirty (30) days) and subject to mutually agreed scope and rules of engagement, Customer may conduct or commission its own penetration testing of Provider Systems. Provider shall cooperate with such testing and shall not impose unreasonable conditions or restrictions.


ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY

12.1 BC/DR Plans. Provider shall establish, maintain, and test written business continuity and disaster recovery plans designed to ensure the continued availability of Provider Systems and the protection and recovery of Customer Data in the event of a disruption, disaster, or other emergency.

12.2 Recovery Objectives. Provider shall meet or exceed the following recovery objectives for services provided to Customer:

(a) Recovery Point Objective (RPO): [____] hours — the maximum acceptable amount of data loss measured in time;
(b) Recovery Time Objective (RTO): [____] hours — the maximum acceptable time to restore service availability.

12.3 Geographic Redundancy. Provider shall maintain geographically separated backup and recovery infrastructure sufficient to achieve the RPO and RTO targets specified in Section 12.2. Primary and secondary data centers shall be located in different geographic regions or availability zones separated by a minimum of [____] miles.

12.4 Annual Testing. Provider shall test its business continuity and disaster recovery plans at least annually, including failover and failback testing, and shall provide Customer with a summary of test results, including any deficiencies identified and corrective actions taken, within thirty (30) days of test completion.

12.5 Failover Procedures. Provider shall implement automated failover mechanisms where technically feasible to minimize service disruption. Failover procedures shall be documented, regularly updated, and include clear escalation paths and communication protocols for notifying Customer of failover events.

12.6 Customer Notification. Provider shall notify Customer within one (1) hour of any unplanned invocation of disaster recovery procedures that affects or may affect the availability of services provided to Customer.


ARTICLE 13 — INCIDENT RESPONSE AND DC-SPECIFIC BREACH NOTIFICATION

13.1 Incident Response Plan. Provider shall establish and maintain a written incident response plan that defines roles, responsibilities, communication protocols, and procedures for identifying, containing, investigating, remediating, and reporting Security Incidents. The incident response plan shall be tested at least annually through tabletop exercises or simulated incident drills.

13.2 Incident Classification. Provider shall classify Security Incidents according to the following severity levels:

Priority | Description | Initial Response Time | Escalation Timeline
P1 — Critical | Confirmed Data Breach involving Customer Data; active exfiltration; ransomware affecting Customer Data | 30 minutes | Immediate executive notification
P2 — High | Unauthorized access to systems containing Customer Data; significant vulnerability actively exploited | 2 hours | Within 4 hours to Customer security contact
P3 — Medium | Attempted unauthorized access; Malware detection on systems adjacent to Customer Data; policy violation with potential security impact | 8 hours | Within 24 hours to Customer security contact
P4 — Low | Reconnaissance activity; failed attacks; minor policy violations; general security advisories | 24 hours | Included in regular security reporting

13.3 Customer Notification of Security Incidents. Provider shall notify Customer of any P1 or P2 Security Incident within the timeframes specified in Section 13.2. Notification shall be provided to Customer's designated security contact(s) via telephone and email at the following:

Primary Security Contact: [________________________________]
Phone: [________________________________]
Email: [________________________________]

Secondary Security Contact: [________________________________]
Phone: [________________________________]
Email: [________________________________]

13.4 Incident Notification Contents. Provider's initial notification shall include, to the extent known at the time:

(a) Date and time the incident was detected;
(b) Nature and scope of the incident;
(c) Types of Customer Data potentially affected;
(d) Number of records or individuals potentially affected;
(e) Containment measures implemented or planned;
(f) Initial assessment of impact;
(g) Identity and contact information of Provider's incident lead.

13.5 District of Columbia Statutory Breach Notification Requirements. In the event of a Data Breach involving Personal Information of District of Columbia residents, the following requirements apply under D.C. Code § 28-3852 (as amended by the Security Breach Protection Amendment Act of 2020, D.C. Law 23-98):

(a) Notification Timeline. Provider shall assist Customer in providing notification to affected individuals in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. D.C. Code § 28-3852(a).

(b) Notification Recipients.
- Affected Individuals: Notice must be provided to all District of Columbia residents whose Personal Information was included in the breach.
- District of Columbia Attorney General: If the breach affects fifty (50) or more District of Columbia residents, notice must be provided to the Office of the Attorney General for the District of Columbia. The notifying entity shall not delay providing notice to the Attorney General or to affected individuals while ascertaining the exact number of District residents affected. D.C. Code § 28-3852(b-1).

(c) Required Content of Notification. Under D.C. Code § 28-3852(b), notices to affected individuals shall include:
(i) The name of the person or entity reporting the breach and the name of the person or entity that experienced the breach, if different;
(ii) The type of Personal Information compromised;
(iii) The date or estimated date of the breach;
(iv) A description of the breach;
(v) The person or entity's contact information, including a phone number, mailing address, and email;
(vi) Information about what the person or entity is doing to protect the individual's data;
(vii) Advice on steps the individual may take to protect themselves, including contact information for credit reporting agencies;
(viii) Information about the availability of security freezes under District of Columbia and federal law;
(ix) A specific statement that the affected individual has the right to obtain a police report and information about how to do so.

(d) Identity Theft Protection Requirement. When a breach involves or is reasonably believed to involve a Social Security number or taxpayer identification number, the person or entity must offer identity theft protection services at no cost to the affected individual for a period of not less than eighteen (18) months. D.C. Code § 28-3852(b)(2).

(e) Form of Notification. Notice may be provided by:
- Written notice to the last known address of the affected individual;
- Telephonic notice;
- Electronic notice, if it is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001 (E-SIGN Act);
- Substitute Notice — if the cost of providing notice would exceed Fifty Thousand Dollars ($50,000), the affected class exceeds one hundred thousand (100,000) individuals, or the person does not have sufficient contact information, substitute notice may consist of: (i) email notice to affected individuals for whom the person has an email address; (ii) conspicuous posting on the person's website; and (iii) publication in a major District of Columbia media outlet.

(f) Encryption Safe Harbor. Notification is not required if the Personal Information that was subject to the breach was rendered secure, provided that the encryption key was not also acquired. D.C. Code § 28-3852(a-1).

(g) Law Enforcement Delay. Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation or jeopardize national security, provided that such delay shall not last beyond when the law enforcement agency determines it will no longer impede the investigation or jeopardize national security. D.C. Code § 28-3852(d).

(h) Enforcement, Remedies, and Penalties. Under D.C. Code § 28-3852.02, a violation of the breach notification law constitutes an unfair or deceptive trade practice. The Attorney General of the District of Columbia may bring an action on behalf of affected individuals. Remedies include:
- Treble damages or statutory damages of $1,500 per violation, whichever is greater;
- Actual damages suffered by affected individuals;
- Reasonable attorneys' fees and costs;
- Injunctive or equitable relief.

The D.C. breach notification law does not create an explicit private right of action, but enforcement through the Consumer Protection Procedures Act (D.C. Code § 28-3901 et seq.) provides broad remedial authority.

13.6 D.C. Security Requirements Compliance. Under D.C. Code § 28-3852.01, Provider shall implement and maintain reasonable security safeguards to protect Personal Information from unauthorized access, use, modification, disclosure, or a reasonably anticipated hazard or threat. These safeguards must include procedures and practices that are appropriate to the nature of the Personal Information and the nature and size of the entity's operations. Failure to maintain reasonable security safeguards may constitute a violation of D.C. law independent of any Data Breach.

13.7 Cooperation with Customer's Incident Response. Provider shall fully cooperate with Customer's incident response efforts, including:

(a) Providing Customer with timely access to all relevant logs, records, and data;
(b) Making Provider personnel available for interviews and consultation;
(c) Preserving all evidence related to the Security Incident;
(d) Implementing additional containment or remediation measures as reasonably requested by Customer;
(e) Supporting Customer's communications with affected individuals, regulators, and law enforcement.

13.8 Forensic Investigation. For any P1 Security Incident, Provider shall engage a qualified, independent third-party forensic investigation firm (subject to Customer's reasonable approval) to conduct a thorough investigation. Provider shall share the results of the forensic investigation with Customer under mutual non-disclosure obligations. The cost of the forensic investigation shall be borne by Provider if the incident resulted from Provider's failure to comply with its obligations under this Addendum.

13.9 Root Cause Analysis and Remediation. Following any P1 or P2 Security Incident, Provider shall:

(a) Conduct a root cause analysis and provide findings to Customer within thirty (30) days;
(b) Implement corrective actions to address the root cause and prevent recurrence;
(c) Provide Customer with a written remediation report documenting actions taken;
(d) Conduct a post-incident review with Customer, if requested.


ARTICLE 14 — SUBPROCESSOR MANAGEMENT

14.1 Approval Process. Provider shall not engage any Subprocessor to process Customer Data without Customer's prior written consent. Provider shall notify Customer at least thirty (30) days in advance of any proposed engagement of a new Subprocessor or replacement of an existing Subprocessor, providing sufficient detail for Customer to evaluate the Subprocessor's security posture.

14.2 Current Subprocessor List. Provider shall maintain and provide to Customer a current list of all Subprocessors that process Customer Data, including each Subprocessor's name, location, and description of processing activities. The current Subprocessor list as of the Effective Date is attached as Exhibit A to this Addendum or available at: [________________________________].

14.3 Flow-Down Requirements. Provider shall impose on each Subprocessor, by written agreement, security and data protection obligations that are no less protective than those imposed on Provider under this Addendum. Provider shall ensure that each Subprocessor agreement includes, at minimum, requirements for:

(a) Compliance with the Encryption Standards set forth in Article 5;
(b) Access controls consistent with Article 4;
(c) Incident notification timelines no longer than those set forth in Article 13;
(d) Audit rights for both Provider and Customer;
(e) Data return and destruction obligations consistent with Article 20;
(f) Confidentiality obligations at least as restrictive as those in this Addendum;
(g) Compliance with the reasonable security safeguard requirements of D.C. Code § 28-3852.01.

14.4 Right to Object. Customer shall have the right to object to the engagement of any Subprocessor within fifteen (15) days of receiving notice from Provider. If Customer objects on reasonable security grounds, the Parties shall negotiate in good faith to resolve the objection. If the Parties are unable to resolve the objection within thirty (30) days, Customer may terminate the affected services under the Master Agreement without penalty.

14.5 Subprocessor Audit Rights. Provider shall maintain audit rights over all Subprocessors and shall exercise such rights at least annually. Provider shall make the results of Subprocessor audits available to Customer upon request. Customer shall have the right to audit Subprocessors directly, subject to reasonable notice and coordination with Provider.

14.6 Provider Responsibility. Provider shall remain fully responsible and liable for the acts, omissions, and security failures of its Subprocessors as if such acts, omissions, or failures were those of Provider itself.


ARTICLE 15 — PERSONNEL SECURITY

15.1 Background Checks. Provider shall conduct background checks on all personnel who will have access to Customer Data, including employees and contractors, prior to granting such access. Background checks shall include, at minimum, verification of identity, criminal history, and employment history, to the extent permitted by applicable District of Columbia and federal law, including the D.C. Human Rights Act (D.C. Code § 2-1401.01 et seq.) and the Fair Criminal Record Screening Amendment Act (D.C. Code § 32-1341 et seq.).

15.2 Security Training. Provider shall require all personnel with access to Customer Data to complete security awareness training upon hire and at least annually thereafter. Training shall cover, at minimum:

(a) Information security policies and procedures;
(b) Data handling and classification requirements;
(c) Phishing and social engineering awareness;
(d) Incident reporting procedures;
(e) Acceptable use of Provider Systems;
(f) District of Columbia data breach notification requirements under D.C. Code § 28-3852;
(g) D.C. affirmative security safeguard requirements under D.C. Code § 28-3852.01.

15.3 Acceptable Use Policies. Provider shall maintain and enforce written acceptable use policies governing the use of Provider Systems by all personnel. Such policies shall address, at minimum, appropriate use of email, internet, removable media, mobile devices, and social media.

15.4 Non-Disclosure Agreements. All Provider personnel with access to Customer Data shall be bound by written non-disclosure and confidentiality agreements that protect Customer Data and Confidential Information and survive the termination of employment or engagement.

15.5 Termination Procedures. Provider shall implement documented procedures to ensure that upon termination of employment or engagement, all access to Provider Systems and Customer Data is revoked promptly in accordance with Section 4.5, all company-owned devices and media are returned or securely wiped, and all Customer Data in the departed individual's possession is identified, returned, or destroyed.


ARTICLE 16 — PHYSICAL SECURITY

16.1 Data Center Requirements. All data centers used by Provider to process or store Customer Data shall maintain physical security controls appropriate for enterprise-grade hosting, including:

(a) 24/7 on-site security personnel or equivalent monitoring;
(b) Multi-factor physical access controls (e.g., biometric plus keycard);
(c) Video surveillance of all entry/exit points and sensitive areas, with recordings retained for a minimum of ninety (90) days;
(d) Mantrap or airlock entry systems for server rooms;
(e) Perimeter fencing and lighting appropriate for the facility location.

16.2 SOC 2 Type II Certification. All data center facilities used to process or store Customer Data shall maintain current SOC 2 Type II certification or equivalent third-party security certification. Provider shall make copies of such certifications available to Customer upon request.

16.3 Visitor Management. Provider shall implement visitor management procedures for all facilities housing Provider Systems, including visitor identification verification, sign-in/sign-out logging, escort requirements for visitor access to sensitive areas, and visitor badge issuance and return.

16.4 Environmental Controls. Data center facilities shall be equipped with:

(a) Redundant heating, ventilation, and air conditioning (HVAC) systems;
(b) Fire detection and suppression systems;
(c) Water detection systems;
(d) Uninterruptible power supplies (UPS) and backup generator systems;
(e) Redundant network connectivity from diverse providers.

16.5 Media Destruction. Provider shall implement secure media destruction procedures for all physical media that has contained Customer Data, including hard drives, solid-state drives, tapes, and optical media. Destruction shall be performed in accordance with NIST SP 800-88 Rev. 1 (Guidelines for Media Sanitization) and shall be documented with certificates of destruction that include media serial numbers and destruction method used.


ARTICLE 17 — INSURANCE REQUIREMENTS

17.1 Cyber Liability Insurance. Provider shall maintain cyber liability (including network security and privacy liability) insurance with a minimum coverage limit of Five Million Dollars ($5,000,000) per occurrence and in the aggregate. Such policy shall cover:

(a) Data breach response costs, including notification, credit monitoring, and identity restoration;
(b) Regulatory proceedings and penalties;
(c) Media liability;
(d) Cyber extortion and ransomware;
(e) Business interruption arising from cyber events;
(f) Third-party claims arising from security failures;
(g) Costs of mandatory identity theft protection services under D.C. Code § 28-3852(b)(2).

17.2 Errors and Omissions Insurance. Provider shall maintain professional liability / errors and omissions (E&O) insurance with a minimum coverage limit of Two Million Dollars ($2,000,000) per occurrence and in the aggregate, covering claims arising from professional services rendered under the Master Agreement.

17.3 General Commercial Liability. Provider shall maintain commercial general liability insurance with a minimum coverage limit of One Million Dollars ($1,000,000) per occurrence and Two Million Dollars ($2,000,000) in the aggregate.

17.4 Evidence of Coverage. Provider shall furnish Customer with certificates of insurance evidencing the coverages required by this Article within ten (10) business days of the Effective Date and annually thereafter upon renewal. Certificates shall name Customer as an additional insured where applicable.

17.5 Notice of Cancellation. Provider shall provide Customer with at least thirty (30) days' prior written notice of any material change, cancellation, or non-renewal of any insurance coverage required under this Article.

17.6 No Limitation of Liability. The insurance requirements set forth in this Article shall not be construed to limit Provider's liability under this Addendum or the Master Agreement.


ARTICLE 18 — AUDIT RIGHTS

18.1 Customer Audit Rights. Customer shall have the right, upon not less than thirty (30) days' prior written notice, to conduct or commission an independent third party to conduct an audit of Provider's Information Security Program, policies, procedures, and controls as they relate to the processing and protection of Customer Data. Customer may exercise this right no more than once per twelve (12) month period, unless a Security Incident or material deficiency has been identified, in which case additional audits may be conducted.

18.2 Audit Scope. Audits may include review of Provider's security policies and procedures, physical inspection of facilities, interviews with security personnel, review of security logs and monitoring reports, review of vulnerability assessment and penetration testing results, and verification of compliance with the requirements of this Addendum, including D.C. Code § 28-3852.01 security safeguard requirements.

18.3 Third-Party Audit Acceptance. In lieu of a direct audit, Customer may accept the following third-party audit reports and certifications as evidence of Provider's compliance with this Addendum:

☐ SOC 2 Type II Report (covering Security, Availability, Confidentiality, and Processing Integrity trust service criteria)
☐ ISO/IEC 27001 Certification
☐ SOC 1 Type II Report (for financial reporting controls)
☐ PCI DSS Report on Compliance (if processing payment card data)
☐ HITRUST CSF Certification (if processing health information)
☐ FedRAMP Authorization (if applicable)

Provider shall make such reports and certifications available to Customer upon request, subject to reasonable confidentiality protections.

18.4 Regulatory Audit Cooperation. Provider shall cooperate fully with any audit, inspection, or examination conducted by a regulatory authority having jurisdiction over Customer, including the Attorney General for the District of Columbia and applicable federal regulators. Provider shall provide timely access to records, facilities, and personnel as reasonably required by such regulatory audits.

18.5 Audit Cost Allocation. The costs of audits conducted by Customer or Customer's designated third-party auditor shall be borne by Customer, except that if an audit reveals a material failure by Provider to comply with its obligations under this Addendum, Provider shall bear the reasonable costs of such audit and any follow-up audit required to verify remediation.

18.6 Remediation of Audit Findings. Provider shall address all findings identified in audits conducted under this Article in accordance with the vulnerability remediation SLAs set forth in Article 8, as applicable, and shall provide Customer with a written remediation plan within fifteen (15) business days of receiving audit findings.


ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING

19.1 Quarterly Security Reviews. The Parties shall participate in quarterly security review meetings to discuss Provider's security posture, recent Security Incidents, changes to the threat landscape, planned security improvements, and the status of any open remediation items. Meetings may be conducted in person or via videoconference.

19.2 Annual Security Assessment. Provider shall provide Customer with an annual security assessment report that includes:

(a) Summary of the Information Security Program's effectiveness;
(b) Results of the most recent risk assessment;
(c) Summary of penetration testing and vulnerability assessment results;
(d) Review of Security Incidents and trends;
(e) Status of compliance with industry frameworks (ISO 27001, SOC 2, NIST CSF);
(f) Summary of changes to security policies, procedures, and controls;
(g) Forward-looking security roadmap and planned investments.

19.3 Security Metrics and KPIs. Provider shall track and report to Customer the following security metrics on a quarterly basis:

(a) Mean time to detect (MTTD) security events;
(b) Mean time to respond (MTTR) to Security Incidents;
(c) Vulnerability remediation rates by severity;
(d) Patch compliance rates;
(e) Percentage of personnel completing security training;
(f) Number and severity of Security Incidents;
(g) System availability and uptime percentages.

19.4 Executive Security Briefings. Provider's CISO or designated security officer shall be available, upon reasonable request, to participate in executive security briefings with Customer's senior management, providing an overview of security posture, material risks, and strategic security initiatives.


ARTICLE 20 — DATA RETURN AND DESTRUCTION

20.1 Data Return. Upon termination or expiration of the Master Agreement, or upon Customer's written request at any time during the Term, Provider shall return to Customer all Customer Data in Provider's possession or control in a mutually agreed, industry-standard, machine-readable format within thirty (30) days of such termination, expiration, or request.

20.2 Data Destruction. Following the return of Customer Data to Customer (and Customer's written confirmation of receipt), or upon Customer's written instruction to destroy Customer Data in lieu of return, Provider shall securely destroy all copies of Customer Data in Provider's possession or control, including all backup copies, archived copies, and copies held by Subprocessors, within sixty (60) days.

20.3 Destruction Standards. Data destruction shall be performed in accordance with NIST SP 800-88 Rev. 1 (Guidelines for Media Sanitization) or equivalent industry-recognized standards. Destruction methods shall render Customer Data irrecoverable and shall include, as appropriate:

(a) Cryptographic erasure (destruction of encryption keys rendering encrypted data irrecoverable);
(b) Secure overwriting using approved sanitization patterns;
(c) Physical destruction (degaussing, shredding, or incineration) for physical media.

20.4 Certification of Destruction. Provider shall provide Customer with a written certification of destruction within ten (10) business days of completing the destruction process. The certification shall include the date of destruction, description of data destroyed, destruction method used, and the identity of the individual responsible for overseeing the destruction.

20.5 Retention Exceptions. Provider may retain copies of Customer Data only to the extent required by applicable law, regulation, or legal hold obligation, provided that Provider shall: (a) promptly notify Customer of the legal requirement and the specific data retained; (b) limit the retention to only the data required; (c) continue to protect such retained data in accordance with this Addendum; and (d) securely destroy such data when the retention obligation expires.


ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES

21.1 Provider Indemnification. Provider shall indemnify, defend, and hold harmless Customer, its officers, directors, employees, agents, successors, and assigns from and against any and all claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees and court costs) arising out of or relating to:

(a) Provider's failure to comply with its obligations under this Addendum;
(b) A Data Breach resulting from Provider's negligence, willful misconduct, or failure to implement and maintain the security measures required by this Addendum;
(c) Provider's failure to comply with breach notification requirements under D.C. Code § 28-3852 or the affirmative security requirements under D.C. Code § 28-3852.01;
(d) Any regulatory investigation, enforcement action, or penalty resulting from Provider's security failures.

21.2 Notification and Remediation Costs. Provider's indemnification obligations under this Article include, without limitation:

(a) Costs of providing notice to affected individuals and the Attorney General for the District of Columbia as required by D.C. Code § 28-3852;
(b) Costs of providing mandatory identity theft protection services for a minimum period of eighteen (18) months as required by D.C. Code § 28-3852(b)(2) when Social Security numbers or taxpayer identification numbers are involved;
(c) Costs of providing credit monitoring services to affected individuals for a minimum period of twenty-four (24) months;
(d) Costs of establishing and operating a call center or response team to handle inquiries from affected individuals;
(e) Costs of forensic investigation;
(f) Costs of public relations and crisis communications;
(g) Treble damages or statutory damages of $1,500 per violation under D.C. Code § 28-3852.02, to the extent arising from Provider's security failures;
(h) Regulatory fines, penalties, and assessments, to the extent insurable and arising from Provider's security failures.

21.3 Carve-Out from Liability Cap. Notwithstanding any limitation of liability in the Master Agreement, the following shall not be subject to any cap on liability: (a) Provider's indemnification obligations under this Article; (b) Provider's breach of its confidentiality obligations; (c) Provider's willful misconduct or gross negligence; and (d) Provider's breach of its obligations under Article 13 (Incident Response and Breach Notification).

21.4 Customer Indemnification. Customer shall indemnify, defend, and hold harmless Provider from and against any and all claims, losses, liabilities, damages, costs, and expenses arising out of or relating to Customer's failure to comply with its obligations under this Addendum, including Customer's failure to provide accurate information regarding applicable regulatory requirements.


ARTICLE 22 — DISTRICT OF COLUMBIA-SPECIFIC LEGAL PROVISIONS

22.1 Governing Law. This Addendum shall be governed by, construed, and enforced in accordance with the laws of the District of Columbia, without regard to its conflict of laws principles.

22.2 Venue and Jurisdiction. Any dispute arising out of or relating to this Addendum shall be brought exclusively in the Superior Court of the District of Columbia or the United States District Court for the District of Columbia. Each Party hereby irrevocably submits to the exclusive jurisdiction and venue of such courts and waives any objection based on forum non conveniens or any other basis.

22.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY HEREBY IRREVOCABLY AND UNCONDITIONALLY WAIVES ANY RIGHT IT MAY HAVE TO A TRIAL BY JURY IN RESPECT OF ANY LEGAL PROCEEDING ARISING OUT OF OR RELATING TO THIS ADDENDUM OR THE TRANSACTIONS CONTEMPLATED HEREBY. EACH PARTY CERTIFIES AND ACKNOWLEDGES THAT (A) NO REPRESENTATIVE OF THE OTHER PARTY HAS REPRESENTED, EXPRESSLY OR OTHERWISE, THAT SUCH OTHER PARTY WOULD NOT SEEK TO ENFORCE THE FOREGOING WAIVER IN THE EVENT OF A LEGAL PROCEEDING, (B) EACH PARTY HAS CONSIDERED THE IMPLICATIONS OF THIS WAIVER, (C) EACH PARTY MAKES THIS WAIVER VOLUNTARILY, AND (D) EACH PARTY HAS BEEN INDUCED TO ENTER INTO THIS ADDENDUM BY, AMONG OTHER THINGS, THE MUTUAL WAIVERS AND CERTIFICATIONS IN THIS SECTION.

22.4 Injunctive Relief. Each Party acknowledges that a breach of the security and confidentiality obligations of this Addendum may cause irreparable harm that cannot be adequately compensated by monetary damages. Accordingly, either Party may seek injunctive or other equitable relief from the Superior Court of the District of Columbia or the United States District Court for the District of Columbia without the necessity of proving actual damages, posting a bond, or other security, to the extent permitted by District of Columbia law.

22.5 Alternative Dispute Resolution. At the election of either Party, disputes arising under this Addendum may be submitted to binding arbitration in accordance with the Commercial Arbitration Rules of the American Arbitration Association ("AAA"). The arbitration shall be conducted in the District of Columbia before a single arbitrator with expertise in information technology and data security matters. The arbitrator's award shall be final and binding and may be entered as a judgment in any court of competent jurisdiction in the District of Columbia.

22.6 D.C. Consumer Protection Act. The Parties acknowledge that violations of data breach notification and security requirements under D.C. Code §§ 28-3851 et seq. may constitute unfair or deceptive trade practices under the District of Columbia Consumer Protection Procedures Act (D.C. Code § 28-3901 et seq.), enforceable by the Attorney General for the District of Columbia. Remedies include treble damages or $1,500 per violation, whichever is greater, plus attorneys' fees (D.C. Code § 28-3852.02).

22.7 Statutory Interest Rate. Any amounts due under this Addendum that are not paid when due shall bear interest at the rate of six percent (6%) per annum, as permitted under D.C. Code § 28-3302, or at the maximum rate permitted by law, whichever is less.


ARTICLE 23 — ELECTRONIC SIGNATURES

23.1 UETA Compliance. This Addendum may be executed by electronic signature in accordance with the District of Columbia Uniform Electronic Transactions Act (D.C. Code §§ 28-4901 to 28-4918). Electronic signatures shall have the same legal effect, validity, and enforceability as manually executed signatures pursuant to D.C. Code § 28-4911.

23.2 Federal E-SIGN Act. To the extent applicable, this Addendum is also subject to the provisions of the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq.).

23.3 Electronic Records. Electronic records generated in connection with this Addendum shall be deemed to satisfy any requirement that such records be in writing, in accordance with D.C. Code § 28-4911.

23.4 Consent to Electronic Delivery. Each Party consents to receive electronic delivery of all notices, communications, and documents related to this Addendum, except where physical delivery is required by applicable law or this Addendum expressly requires a specific form of notice.


ARTICLE 24 — GENERAL PROVISIONS

24.1 Entire Agreement. This Addendum, together with the Master Agreement and all exhibits and schedules hereto, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, negotiations, and discussions, whether oral or written.

24.2 Amendments. This Addendum may be amended only by a written instrument signed by authorized representatives of both Parties. No waiver of any provision of this Addendum shall be effective unless in writing and signed by the Party granting the waiver.

24.3 Severability. If any provision of this Addendum is held to be invalid, illegal, or unenforceable under applicable District of Columbia law, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, and the remaining provisions shall continue in full force and effect.

24.4 Assignment. Neither Party may assign its rights or obligations under this Addendum without the prior written consent of the other Party, except that either Party may assign this Addendum in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided that the assignee agrees in writing to be bound by all terms and conditions of this Addendum.

24.5 Notices. All formal notices required or permitted under this Addendum shall be in writing and shall be deemed given when delivered personally, sent by certified mail (return receipt requested), or sent by nationally recognized overnight courier to the addresses set forth in the Recitals or to such other address as a Party may designate in writing.

24.6 Survival. The following Articles and Sections shall survive the termination or expiration of this Addendum: Articles 1, 13 (with respect to ongoing breach notification obligations), 14.6, 15.4, 20, 21, 22, 23, and 24.

24.7 Counterparts. This Addendum may be executed in two or more counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic and facsimile signatures shall be deemed original signatures for all purposes.

24.8 Force Majeure. Neither Party shall be liable for any failure or delay in performing its obligations under this Addendum (other than payment obligations and breach notification obligations) to the extent that such failure or delay results from causes beyond that Party's reasonable control, including acts of God, war, terrorism, pandemic, natural disaster, fire, flood, or governmental action. The affected Party shall provide prompt written notice and shall use commercially reasonable efforts to mitigate the impact and resume performance.


ARTICLE 25 — SIGNATURE BLOCKS

IN WITNESS WHEREOF, the Parties have executed this Security Addendum as of the Effective Date first written above, each through their duly authorized representative.

PROVIDER

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

Email: [________________________________]

Representation of Authority: The undersigned represents and warrants that they have full legal authority to bind Provider to the terms and conditions of this Addendum.


CUSTOMER

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

Email: [________________________________]

Representation of Authority: The undersigned represents and warrants that they have full legal authority to bind Customer to the terms and conditions of this Addendum.


EXHIBIT A — SUBPROCESSOR LIST

Subprocessor Name | Processing Activity | Data Location | Security Certifications
[________________________________] | [________________________________] | [________________________________] | [________________________________]
[________________________________] | [________________________________] | [________________________________] | [________________________________]
[________________________________] | [________________________________] | [________________________________] | [________________________________]
[________________________________] | [________________________________] | [________________________________] | [________________________________]
[________________________________] | [________________________________] | [________________________________] | [________________________________]

EXHIBIT B — SECURITY CONTACT INFORMATION

Provider Security Contacts:

Role | Name | Phone | Email
CISO / Security Officer | [________________________________] | [________________________________] | [________________________________]
Incident Response Lead | [________________________________] | [________________________________] | [________________________________]
Privacy Officer | [________________________________] | [________________________________] | [________________________________]
Security Operations (24/7) | [________________________________] | [________________________________] | [________________________________]

Customer Security Contacts:

Role | Name | Phone | Email
Primary Security Contact | [________________________________] | [________________________________] | [________________________________]
Secondary Security Contact | [________________________________] | [________________________________] | [________________________________]
Legal / Privacy Contact | [________________________________] | [________________________________] | [________________________________]
Executive Sponsor | [________________________________] | [________________________________] | [________________________________]

SOURCES AND REFERENCES

  1. District of Columbia Consumer Security Breach Notification Act — D.C. Code §§ 28-3851 to 28-3853
    https://code.dccouncil.gov/us/dc/council/code/sections/28-3852

  2. D.C. Security Requirements — D.C. Code § 28-3852.01
    https://code.dccouncil.gov/us/dc/council/code/sections/%5B28-3852.01%5D

  3. D.C. Breach Notification Remedies — D.C. Code § 28-3852.02
    https://code.dccouncil.gov/us/dc/council/code/sections/%5B28-3852.02%5D

  4. Security Breach Protection Amendment Act of 2020 — D.C. Law 23-98
    https://code.dccouncil.gov/us/dc/council/laws/23-98

  5. D.C. Definitions (Personal Information) — D.C. Code § 28-3851
    https://code.dccouncil.gov/us/dc/council/code/sections/28-3851

  6. District of Columbia Uniform Trade Secrets Act — D.C. Code §§ 36-401 to 36-410
    https://code.dccouncil.gov/us/dc/council/code/titles/36/chapters/4

  7. District of Columbia Uniform Electronic Transactions Act — D.C. Code §§ 28-4901 to 28-4918
    https://code.dccouncil.gov/us/dc/council/code/titles/28/chapters/49

  8. D.C. Consumer Protection Procedures Act — D.C. Code § 28-3901 et seq.

  9. D.C. Statutory Interest Rate — D.C. Code § 28-3302

  10. NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization
    https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final

  11. OWASP Top 10
    https://owasp.org/www-project-top-ten/


This template is provided for informational purposes only and does not constitute legal advice. An attorney licensed in the District of Columbia must review and customize this document before execution. Legal requirements may change over time; verify all statutory citations before use.

Prepared for use on the ezel.ai platform.
