Enterprise Security Addendum — Delaware
ENTERPRISE SECURITY ADDENDUM
Delaware Jurisdictional Version
Addendum Effective Date: [__/__/____]
Master Agreement Reference: [________________________________]
Master Agreement Date: [__/__/____]
RECITALS
WHEREAS, the entity identified as "Customer" ("[________________________________]," a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________]) and the entity identified as "Provider" ("[________________________________]," a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________]) have entered into the Master Agreement referenced above (the "Master Agreement");
WHEREAS, Provider will Process, store, transmit, or otherwise have access to Customer Data, including Personal Information and Personal Data as defined under Delaware law, in connection with the services described in the Master Agreement;
WHEREAS, the Delaware Personal Data Privacy Act (6 Del. C. §§ 12D-101 through 12D-114, effective January 1, 2025) establishes comprehensive consumer data privacy rights and imposes obligations on Controllers and Processors;
WHEREAS, Delaware's data breach notification statute (6 Del. C. §§ 12B-100 through 12B-104) imposes a sixty (60)-day notification timeline and specific obligations including credit monitoring requirements;
WHEREAS, the Parties desire to establish the security standards, controls, and obligations that Provider shall maintain and to satisfy the data processing agreement requirements of the DPDPA;
NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein and in the Master Agreement, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
ARTICLE 1 — DEFINITIONS
1.1 "Authorized User" means any individual who has been granted access to Customer Data by Customer or through Customer's authorization.
1.2 "Business Day" means any day other than a Saturday, Sunday, or day on which banks in the State of Delaware are authorized or required to be closed.
1.3 "Confidential Information" means all non-public information disclosed by either Party to the other, including Trade Secrets as defined under 6 Del. C. § 2001, Customer Data, business plans, technical specifications, and security configurations.
1.4 "Consumer" means an individual who is a Delaware resident acting only in an individual or household context, as defined under the DPDPA.
1.5 "Controller" means a person that, alone or jointly with others, determines the purposes and means of Processing Personal Data, as defined under the DPDPA.
1.6 "Customer Data" means all data, records, files, information, and materials provided by or on behalf of Customer or collected or generated by Provider on behalf of Customer in the course of performing services under the Master Agreement.
1.7 "Data Protection Assessment" means an assessment of Processing activities that present a heightened risk of harm to Consumers, as required under the DPDPA.
1.8 "DPDPA" or "Delaware Personal Data Privacy Act" means 6 Del. C. §§ 12D-101 through 12D-114 (House Bill 154), effective January 1, 2025, as amended from time to time.
1.9 "Encryption" means the transformation of data into a form in which meaning cannot be assigned without the use of a decryption key, using methods consistent with current industry standards including AES-256 for data at rest and TLS 1.2 or higher for data in transit.
1.10 "Incident" means any event that results in, or has the reasonable potential to result in, unauthorized access to, disclosure of, or loss of Customer Data, including Security Breaches.
1.11 "Multi-Factor Authentication" or "MFA" means an authentication mechanism requiring at least two distinct factors from: (a) something the user knows; (b) something the user possesses; and (c) something the user is.
1.12 "Personal Data" means information that is linked or reasonably linkable to an identified or identifiable individual, as defined under the DPDPA. Personal Data does not include de-identified data or publicly available information.
1.13 "Personal Information" means, as defined under 6 Del. C. § 12B-101, a Delaware resident's first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not encrypted, redacted, or protected by another method rendering them unreadable or unusable: (a) Social Security number; (b) driver's license number or state identification card number; (c) account number, credit card number, or debit card number, in combination with any required security code, access code, or password; (d) passport number; (e) a username or email address, in combination with a password or security question and answer that would permit access to an online account; (f) medical history, medical treatment by a healthcare professional, or diagnosis by a healthcare professional; (g) health insurance policy number, subscriber identification number, or unique health plan identifier; (h) unique biometric data.
1.14 "Process" or "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means.
1.15 "Processor" means a person that Processes Personal Data on behalf of a Controller, as defined under the DPDPA.
1.16 "Profiling" means any form of automated Processing of Personal Data to evaluate, analyze, or predict personal aspects regarding an individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
1.17 "Security Breach" means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of Personal Information, as defined under 6 Del. C. § 12B-101.
1.18 "Sensitive Data" means Personal Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for identification; Personal Data from a known child; or precise geolocation data, as defined under the DPDPA.
1.19 "Subprocessor" means any third party engaged by Provider to Process Customer Data on behalf of Customer.
1.20 "Targeted Advertising" means displaying advertisements to a Consumer based on Personal Data obtained from that Consumer's activities over time and across nonaffiliated websites or applications.
1.21 "Trade Secret" means information as defined under 6 Del. C. § 2001(4), including a formula, pattern, compilation, program, device, method, technique, or process that derives independent economic value from not being generally known and is the subject of reasonable efforts to maintain its secrecy.
ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE
2.1 Scope. This Addendum applies to all Customer Data that Provider Processes in connection with the Master Agreement. This Addendum also constitutes the data processing agreement required under the DPDPA.
2.2 Order of Precedence. This Addendum controls for security, data protection, and privacy matters. Applicable law controls over any conflicting provision.
2.3 Minimum Standards. More stringent requirements in the Master Agreement or applicable law shall apply.
2.4 Regulatory Changes. Provider shall monitor DPDPA amendments and Delaware DOJ guidance, notifying Customer within thirty (30) days of material changes.
ARTICLE 3 — INFORMATION SECURITY PROGRAM
3.1 Comprehensive Security Program. Provider shall establish, implement, and maintain a written information security program ("ISP") that includes administrative, technical, and physical safeguards.
3.2 Framework Alignment. Provider's ISP shall align with one or more of the following frameworks:
☐ ISO/IEC 27001:2022
☐ SOC 2 Type II
☐ NIST Cybersecurity Framework (CSF) 2.0
☐ NIST SP 800-53 Rev. 5
☐ CIS Controls v8
3.3 DPDPA Security Obligations. Consistent with the DPDPA, Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of Processing and the risks to Consumers.
3.4 Risk Assessment. Annual comprehensive risk assessments with threat identification, impact evaluation, risk treatment documentation, and senior leadership review.
3.5 Security Policies. Documented policies covering access control, encryption, incident response, vulnerability management, change management, acceptable use, data classification, and business continuity. Annual review.
ARTICLE 4 — ACCESS CONTROLS
4.1 Role-based access control (RBAC) limiting access to authorized personnel.
4.2 Least privilege and just-in-time access.
4.3 MFA for remote access, privileged access, security infrastructure, cloud consoles, and VPN.
4.4 Fourteen (14) character minimum passwords, lockout after five (5) failed attempts, fifteen (15) minute privileged session timeout.
4.5 Quarterly access reviews; monthly privileged access reviews; access revocation within twenty-four (24) hours of termination.
4.6 Comprehensive access logging with twelve (12) month retention.
ARTICLE 5 — ENCRYPTION STANDARDS
5.1 TLS 1.2 or higher with forward secrecy for data in transit.
5.2 AES-256 for all data at rest.
5.3 Delaware encryption safe harbor: 6 Del. C. § 12B-101 excludes encrypted data from breach notification.
5.4 HSM-based key management with annual key rotation.
5.5 No unencrypted transmission of Customer Data without Customer's written authorization.
ARTICLE 6 — NETWORK SECURITY
6.1 Segmented network architecture.
6.2 Default-deny firewalls, IDS/IPS, and WAFs.
6.3 Continuous network monitoring with real-time analysis.
6.4 WPA3-Enterprise for wireless networks.
6.5 VPN with MFA for remote access.
ARTICLE 7 — APPLICATION SECURITY
7.1 Documented secure software development lifecycle (SSDLC).
7.2 OWASP Top Ten compliance.
7.3 Peer review, SAST, quarterly DAST, IAST, and SCA.
7.4 Change management with risk assessment and rollback procedures.
7.5 API security with authentication, authorization, and rate limiting.
ARTICLE 8 — VULNERABILITY MANAGEMENT
8.1 Weekly vulnerability scanning.
8.2 Remediation Timelines.
| Severity Level | Remediation Timeline | Interim Mitigation |
|---|---|---|
| Critical (CVSS 9.0–10.0) | Twenty-four (24) hours | Immediate compensating controls |
| High (CVSS 7.0–8.9) | Seven (7) calendar days | Within forty-eight (48) hours |
| Medium (CVSS 4.0–6.9) | Thirty (30) calendar days | Risk acceptance documented |
| Low (CVSS 0.1–3.9) | Ninety (90) calendar days | Next scheduled maintenance |
8.3 Patch management with emergency procedures.
8.4 Documented exceptions, with Customer notification for Critical and High severity exceptions.
ARTICLE 9 — LOGGING, MONITORING, AND AUDIT
9.1 Centralized SIEM.
9.2 Comprehensive log collection from all sources.
9.3 Twenty-four (24) month log retention.
9.4 Log integrity controls.
9.5 24/7/365 monitoring, with critical alerts investigated within fifteen (15) minutes.
ARTICLE 10 — DATA SEGREGATION AND RESIDENCY
10.1 Logical segregation of Customer Data.
10.2 No Customer Data in non-production environments without anonymization and approval.
10.3 Continental US data residency.
10.4 No cross-border transfers without consent and safeguards.
ARTICLE 11 — PENETRATION TESTING
11.1 Annual independent third-party penetration testing.
11.2 PTES, OWASP, or NIST testing methodologies.
11.3 Report delivered within thirty (30) days.
11.4 Remediation per Article 8.
11.5 Customer may conduct its own testing upon sixty (60) days' notice.
ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY
12.1 Documented business continuity plan (BCP).
12.2 Disaster recovery plan (DRP) with RPO of [____] hours and RTO of [____] hours.
12.3 Annual tabletop exercises, biennial functional tests.
12.4 Encrypted, geographically separate backups.
12.5 Redundant infrastructure.
ARTICLE 13 — INCIDENT RESPONSE AND DELAWARE BREACH NOTIFICATION
13.1 Incident Response Plan. Documented IRP with classification, escalation, containment, recovery, evidence preservation, and post-incident review.
13.2 Notification to Customer.
(a) Confirmed Security Breach: Within twenty-four (24) hours;
(b) Suspected Security Breach: Within forty-eight (48) hours;
(c) Other Incidents: Within seventy-two (72) hours.
13.3 Delaware Breach Notification Requirements (6 Del. C. § 12B-102).
(a) Trigger. Notification required upon unauthorized acquisition of computerized data compromising the security, confidentiality, or integrity of Personal Information.
(b) Timeline. Notice to affected Delaware residents must be made without unreasonable delay but NOT LATER THAN SIXTY (60) DAYS after determination of the breach. If reasonable diligence cannot identify all affected residents within sixty (60) days, notice must be provided as soon as practicable after such identification.
(c) Attorney General Notification. If the breach affects more than five hundred (500) Delaware residents, Provider shall notify the Delaware Attorney General no later than the time residents are notified. The notice shall include a synopsis of the breach, the number of Delaware residents affected, remediation services offered, and Provider's contact information.
(d) Content of Notice. Notification shall include:
- Description of the Security Breach;
- Type of Personal Information involved;
- Steps Provider has taken regarding the breach;
- Provider's toll-free contact information;
- Advice to remain vigilant regarding account statements and credit reports;
- Federal Trade Commission and consumer reporting agency contact information;
- Information about credit monitoring services offered.
(e) Credit Monitoring Required. If Social Security numbers are compromised, Provider MUST offer affected Delaware residents free credit monitoring services for a minimum of one (1) year.
(f) Methods of Notice. Written notice, electronic notice (per the E-SIGN Act), telephonic notice, or substitute notice where the cost of notice would exceed $75,000, more than 100,000 residents would be notified, or Provider lacks sufficient contact information.
(g) Penalties. The Delaware Attorney General may seek appropriate damages and penalties. Delaware permits a PRIVATE RIGHT OF ACTION, allowing affected individuals to recover up to triple damages plus costs and attorneys' fees.
(h) Encryption Safe Harbor. Notification not required if Personal Information was encrypted or secured by another method rendering it unreadable or unusable.
13.4 Cooperation. Provider shall cooperate fully with Customer and preserve evidence for three (3) years.
13.5 Responsibility. Provider bears all costs arising from breaches caused by its non-compliance with this Addendum.
ARTICLE 14 — SUBPROCESSOR MANAGEMENT
14.1 Prior Approval. Provider shall not engage any Subprocessor to Process Customer Data without Customer's prior written approval. Provider shall maintain and provide to Customer a current list of all approved Subprocessors.
14.2 DPDPA Subprocessor Requirements. Consistent with the DPDPA (6 Del. C. § 12D-106), Provider shall engage Subprocessors only pursuant to a written contract that requires the Subprocessor to meet Provider's obligations with respect to Personal Data.
14.3 Due Diligence. Before engaging any Subprocessor, Provider shall conduct due diligence to verify that the Subprocessor can meet security requirements at least as protective as those in this Addendum.
14.4 Contractual Requirements. Provider shall enter into a written agreement with each Subprocessor imposing data protection and security obligations no less stringent than those in this Addendum, including compliance with applicable Delaware law.
14.5 Ongoing Monitoring. Provider shall monitor each Subprocessor's compliance at least annually and shall promptly notify Customer of any material deficiency.
14.6 Liability. Provider shall remain fully liable for the acts and omissions of its Subprocessors with respect to Customer Data as if such acts and omissions were Provider's own.
14.7 Objection Right. Customer may object to any proposed Subprocessor within fifteen (15) Business Days of receiving notice. If Customer objects and Provider cannot reasonably accommodate the objection, either Party may terminate the affected services upon thirty (30) days' written notice.
ARTICLE 15 — PERSONNEL SECURITY
15.1 Background Checks. Provider shall conduct background checks on all personnel with access to Customer Data prior to granting access, to the extent permitted by Delaware law (19 Del. C. § 711).
15.2 Security Training. Provider shall provide security awareness training to all personnel at onboarding and at least annually thereafter. Training shall cover:
(a) Information security policies and procedures;
(b) Identification and reporting of security incidents;
(c) Phishing and social engineering awareness;
(d) Data handling and classification requirements;
(e) Delaware-specific requirements, including DPDPA obligations and breach notification procedures.
15.3 Confidentiality Agreements. All Provider personnel and contractors with access to Customer Data shall execute confidentiality or non-disclosure agreements before being granted access.
15.4 Disciplinary Measures. Provider shall maintain and enforce disciplinary procedures for personnel who violate security policies, up to and including termination of employment.
15.5 Offboarding. Provider shall implement offboarding procedures that ensure all access to Customer Data is revoked within twenty-four (24) hours of personnel departure or role change, and all Customer Data in the departing individual's possession is returned or securely destroyed.
ARTICLE 16 — PHYSICAL SECURITY
16.1 Data Center Security. All facilities where Customer Data is stored or Processed shall implement, at minimum:
(a) 24/7 on-site security personnel or equivalent monitoring;
(b) Access control systems requiring badge, biometric, or multi-factor authentication;
(c) Visitor management and escort procedures;
(d) Video surveillance with a minimum retention period of ninety (90) days;
(e) Intrusion detection and alarm systems;
(f) Environmental controls (fire suppression, HVAC, water detection);
(g) Redundant power with UPS and generator backup.
16.2 Media Handling. Physical media containing Customer Data shall be:
(a) Encrypted in accordance with Article 5;
(b) Tracked through an asset management system;
(c) Transported in secure, tamper-evident containers;
(d) Destroyed in accordance with Article 20 when no longer needed.
16.3 Clean Desk Policy. Provider shall enforce a clean desk policy in all areas where Customer Data may be accessed, ensuring that printed or written Customer Data is secured when not in active use.
ARTICLE 17 — INSURANCE
17.1 Required Coverage. Provider shall maintain the following insurance coverages throughout the term of the Master Agreement and for three (3) years following termination:
(a) Cyber Liability / Technology Errors & Omissions Insurance: Minimum coverage of $5,000,000 per occurrence and in the aggregate, covering data breaches, network security failures, privacy liability, regulatory defense, and crisis management expenses;
(b) Professional Liability / Errors & Omissions Insurance: Minimum coverage of $2,000,000 per occurrence and in the aggregate;
(c) Commercial General Liability Insurance: Minimum coverage of $1,000,000 per occurrence and $2,000,000 in the aggregate;
(d) Workers' Compensation Insurance: As required by Delaware law (19 Del. C. § 2301 et seq.).
17.2 Policy Requirements. All policies shall:
(a) Be issued by carriers with an AM Best rating of A- VII or better;
(b) Name Customer as an additional insured where applicable;
(c) Provide for thirty (30) days' prior written notice to Customer of cancellation or material change;
(d) Include a waiver of subrogation in favor of Customer.
17.3 Certificates of Insurance. Provider shall deliver certificates of insurance to Customer upon execution of this Addendum and annually thereafter, and promptly upon Customer's request.
ARTICLE 18 — AUDIT RIGHTS
18.1 Audit Right. Customer, or its authorized representative, shall have the right to audit Provider's compliance with this Addendum upon thirty (30) days' prior written notice, no more than once per calendar year (except following an Incident, in which case additional audits may be conducted).
18.2 DPDPA Audit Obligation. Consistent with the DPDPA, Provider shall make available to Customer all information necessary to demonstrate compliance with the DPDPA and shall allow and cooperate with reasonable assessments by Customer or Customer's designated assessor.
18.3 Scope. Audits may include review of:
(a) Security policies, procedures, and documentation;
(b) Access control records and logs;
(c) Vulnerability scan and penetration test results;
(d) Incident response records;
(e) Subprocessor agreements and compliance documentation;
(f) Training records and personnel security documentation;
(g) Business continuity and disaster recovery plans and test results;
(h) DPDPA compliance documentation including Data Protection Assessment records.
18.4 Third-Party Audit Reports. Provider shall make available current copies of:
(a) SOC 2 Type II audit reports;
(b) ISO 27001 certification and statement of applicability;
(c) Penetration test executive summaries;
(d) Any other relevant third-party audit or assessment reports.
18.5 Remediation. Provider shall develop and implement a remediation plan for deficiencies within thirty (30) days of receipt of findings. Critical deficiencies shall be remediated within fifteen (15) days.
ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING
19.1 Security Officer. Provider shall designate a qualified senior-level employee as its Chief Information Security Officer ("CISO") or equivalent, with responsibility for Provider's information security program.
19.2 Security Committee. Provider shall maintain a security governance committee that meets at least quarterly to review the security program, risk assessments, incident trends, and compliance status.
19.3 Reporting to Customer. Provider shall deliver the following reports to Customer:
(a) Quarterly Security Report — Summary of security metrics, incidents, vulnerability trends, and remediation status;
(b) Annual Security Assessment — Comprehensive review of the security program, risk posture, and framework compliance;
(c) Incident Reports — As required under Article 13;
(d) Ad hoc Reports — Upon Customer's reasonable request regarding specific security matters.
19.4 Security Meetings. The Parties shall conduct security review meetings at least semi-annually to discuss security posture, emerging threats, and any changes to the processing environment.
ARTICLE 20 — DATA RETURN AND DESTRUCTION
20.1 Data Return. Upon termination or expiration of the Master Agreement, or upon Customer's written request, Provider shall return all Customer Data to Customer in a mutually agreed-upon, industry-standard format within thirty (30) days.
20.2 Data Destruction. Following confirmation of successful data return, or upon Customer's written instruction, Provider shall securely destroy all copies of Customer Data, including backups, within sixty (60) days. Destruction shall be performed in accordance with NIST SP 800-88 Rev. 1 ("Guidelines for Media Sanitization").
20.3 Destruction Methods. Acceptable destruction methods include:
(a) Electronic media: Cryptographic erasure, degaussing, or physical destruction;
(b) Physical media: Cross-cut shredding (minimum DIN 66399 Level P-4) or incineration;
(c) Cloud-hosted data: Cryptographic key destruction rendering data unrecoverable, with vendor-provided certification.
20.4 DPDPA Deletion Support. Provider shall implement technical capabilities to support deletion of Personal Data upon Customer's instruction in response to Consumer deletion requests under the DPDPA.
20.5 Certification. Provider shall deliver to Customer a written certification of destruction, signed by an authorized officer, within ten (10) Business Days of completing destruction, specifying the data destroyed, methods used, and date of destruction.
20.6 Retention Exception. Provider may retain Customer Data only to the extent required by applicable law or regulation, provided that such retained data remains subject to the confidentiality and security obligations of this Addendum and is destroyed promptly when the retention obligation expires.
ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES
21.1 Provider Indemnification. Provider shall indemnify Customer from all claims arising from:
(a) Security Breaches caused by non-compliance;
(b) Violations of 6 Del. C. § 12B-102;
(c) Violations of the DPDPA;
(d) Private right of action claims by affected individuals (including treble damages);
(e) Regulatory fines and enforcement actions;
(f) Credit monitoring service costs.
21.2 Customer shall indemnify Provider for Customer's own violations.
21.3 Standard indemnification procedures apply.
ARTICLE 22 — DELAWARE-SPECIFIC LEGAL PROVISIONS
22.1 Delaware Personal Data Privacy Act (DPDPA) Compliance — Data Processing Agreement
This Article constitutes the data processing agreement required between Customer (Controller) and Provider (Processor) under the DPDPA.
(a) Processing Instructions. Provider shall Process Personal Data only in accordance with Customer's documented instructions. Provider shall immediately inform Customer if an instruction violates the DPDPA.
(b) Duty of Confidentiality. Provider shall ensure each person Processing Personal Data is subject to a duty of confidentiality.
(c) Subprocessor Restrictions. Provider shall engage Subprocessors only with Customer's written consent and pursuant to contracts requiring the Subprocessor to meet Provider's obligations.
(d) Consumer Rights Assistance. Provider shall implement appropriate technical and organizational measures to assist Customer in fulfilling Consumer rights requests, including:
(i) Right to Confirm and Access — Confirm Processing and provide access to Personal Data;
(ii) Right to Correct — Correct inaccurate Personal Data;
(iii) Right to Delete — Delete Personal Data provided by or obtained about the Consumer;
(iv) Right to Data Portability — Provide Personal Data in a portable, readily usable format;
(v) Right to Opt Out — Process opt-outs for Targeted Advertising, sale of Personal Data, and Profiling with significant effects;
(vi) Consent Revocation — Process within fifteen (15) days of revocation.
(e) Response Timeline. Provider shall assist Customer in responding within forty-five (45) days, with one forty-five (45)-day extension.
(f) Data Minimization. Provider shall only Process Personal Data that is reasonably necessary in relation to the purposes for which it is Processed, as required by the DPDPA's data minimization principles.
(g) Data Protection Assessments. Provider shall provide reasonable assistance to Customer in conducting Data Protection Assessments for Processing activities presenting a heightened risk of harm, including:
- Processing for Targeted Advertising;
- Sale of Personal Data;
- Processing Sensitive Data;
- Profiling with foreseeable risk of injury or unfair treatment.
NOTE: Under the DPDPA, Controllers processing data of 100,000 or more consumers must conduct Data Protection Assessments.
(h) Audit and Compliance. Provider shall make available to Customer all information necessary to demonstrate DPDPA compliance and shall cooperate with reasonable assessments.
(i) Return or Deletion. Upon termination, Provider shall delete or return all Personal Data to Customer unless retention is required by law.
22.2 DPDPA Sensitive Data Processing
(a) Provider shall not Process Sensitive Data without Customer's prior written authorization and documentation of Consumer opt-in consent.
(b) For children's data, Customer shall ensure COPPA compliance before directing Provider to Process.
(c) Enhanced safeguards for Sensitive Data including additional access restrictions and audit logging.
22.3 DPDPA Enforcement and Cure Period
(a) Cure Period (through December 31, 2025). Until December 31, 2025, the Delaware Department of Justice must provide a sixty (60)-day cure notice before enforcement action, if the violation is curable. Provider shall promptly cure any alleged violation within such period.
(b) Discretionary Cure (from January 1, 2026). Beginning January 1, 2026, the Delaware DOJ may, but is not required to, provide a cure opportunity.
(c) Enforcement. The DPDPA is enforced exclusively by the Delaware Department of Justice. There is no private right of action under the DPDPA (note: the private right of action applies to breach notification under 6 Del. C. § 12B-104, not the DPDPA).
(d) Proactive Compliance. Provider shall proactively maintain DPDPA compliance.
22.4 Delaware Private Right of Action — Breach Notification
The Parties acknowledge that 6 Del. C. § 12B-104 provides a private right of action for violations of the breach notification statute. Affected individuals may recover up to triple the amount of actual damages plus costs and reasonable attorneys' fees. Provider acknowledges this heightened exposure and shall implement rigorous controls to prevent Security Breaches and ensure timely notification.
22.5 Delaware Trade Secret Protections
Provider acknowledges that Customer Data may contain Trade Secrets as defined by the Delaware Uniform Trade Secrets Act (6 Del. C. §§ 2001 through 2009). Provider shall:
(a) Take reasonable measures, including passwords, access restrictions, and confidentiality provisions, to maintain secrecy;
(b) Limit access to personnel with a need to know;
(c) Not use Trade Secrets beyond performing services;
(d) Cooperate with Customer in seeking injunctive relief under 6 Del. C. § 2003 if unauthorized disclosure occurs.
22.6 Governing Law and Forum
(a) This Addendum shall be governed by the laws of the State of Delaware, without regard to conflict-of-law principles.
(b) Exclusive jurisdiction in the state and federal courts located in the State of Delaware.
(c) JURY WAIVER. EACH PARTY HEREBY WAIVES ANY RIGHT TO TRIAL BY JURY IN ANY ACTION ARISING OUT OF THIS ADDENDUM.
22.7 Late Payment
Interest at five percent (5%) over the Federal Reserve discount rate, consistent with 6 Del. C. § 2301, or the maximum rate permitted by law, whichever is less.
ARTICLE 23 — ELECTRONIC SIGNATURES
23.1 This Addendum may be executed electronically per the Delaware Uniform Electronic Transactions Act (6 Del. C. §§ 12A-101 et seq.) and the federal E-SIGN Act (15 U.S.C. § 7001 et seq.).
23.2 Electronic signatures shall have the same legal effect as handwritten signatures.
23.3 Each Party consents to electronic execution.
23.4 Each Party shall retain an electronic copy.
ARTICLE 24 — GENERAL PROVISIONS
24.1 This Addendum, together with the Master Agreement, is the entire agreement for security and data protection.
24.2 Written amendments only.
24.3 Severability.
24.4 Written waiver required.
24.5 Written notices per the Master Agreement.
24.6 Term coextensive with the Master Agreement, surviving for so long as Provider retains any Customer Data.
24.7 Counterparts permitted.
EXECUTION
IN WITNESS WHEREOF, the Parties have caused this Enterprise Security Addendum to be executed by their duly authorized representatives as of the Addendum Effective Date.
CUSTOMER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
PROVIDER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
SCHEDULE A — SECURITY CONTACTS
| Role | Customer | Provider |
|---|---|---|
| Primary Security Contact | [________________________________] | [________________________________] |
| Secondary Security Contact | [________________________________] | [________________________________] |
| Incident Response Lead | [________________________________] | [________________________________] |
| Privacy Officer / DPDPA Contact | [________________________________] | [________________________________] |
| Executive Escalation | [________________________________] | [________________________________] |
SCHEDULE B — APPROVED SUBPROCESSORS
| Subprocessor Name | Services Provided | Data Processed | Location | Approval Date |
|---|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
SCHEDULE C — DPDPA PROCESSING DETAILS
Categories of Personal Data Processed: [________________________________]
Categories of Consumers: [________________________________]
Nature and Purpose of Processing: [________________________________]
Duration of Processing: [________________________________]
Sensitive Data Categories (if applicable): [________________________________]
PRE-EXECUTION CHECKLIST
☐ Master Agreement fully executed and referenced above
☐ All blanks and variable fields completed
☐ RPO and RTO values agreed upon and inserted in Article 12
☐ Approved Subprocessor list completed in Schedule B
☐ Security contact information completed in Schedule A
☐ DPDPA Processing details completed in Schedule C
☐ Insurance certificates obtained and reviewed
☐ Provider's SOC 2 Type II or ISO 27001 certification reviewed
☐ DPDPA applicability assessment completed
☐ Data Protection Assessment requirements evaluated
☐ Cure period status confirmed (expires Dec. 31, 2025)
☐ Private right of action exposure assessed
☐ Delaware-licensed counsel review completed
☐ Both Parties' authorized signatories confirmed
SOURCES AND REFERENCES
- Delaware Personal Data Privacy Act — 6 Del. C. §§ 12D-101 through 12D-114 (HB 154): https://legis.delaware.gov/BillDetail?LegislationId=140388
- Delaware Data Breach Notification — 6 Del. C. §§ 12B-100 through 12B-104: https://delcode.delaware.gov/title6/c012b/index.html
- Delaware Attorney General — Data Security Breaches: https://attorneygeneral.delaware.gov/fraud/cpu/securitybreachnotification/
- Delaware Uniform Trade Secrets Act — 6 Del. C. §§ 2001 through 2009: https://delcode.delaware.gov/title6/c020/index.html
- Delaware Uniform Electronic Transactions Act — 6 Del. C. §§ 12A-101 et seq.: https://delcode.delaware.gov/title6/c012a/index.shtml
- NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization: https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
- NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
- ISO/IEC 27001:2022: https://www.iso.org/standard/27001
- OWASP Top Ten: https://owasp.org/www-project-top-ten/
About This Template
A contract is a written record of what two or more parties agreed to and what happens if someone does not follow through. Clear language, defined terms, and clean signature blocks keep disputes small and enforceable. The most common mistakes in contracts come from vague promises, missing details about timing or payment, and skipping standard protective clauses like governing law and dispute resolution.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: March 2026