SECURITY ADDENDUM (ENTERPRISE SAAS)
Florida Jurisdictional Version
TABLE OF CONTENTS
- Scope and Order of Precedence
- Security Program
- Access Controls and Authentication
- Encryption
- Network and Infrastructure Security
- Application Security and SDLC
- Vulnerability Management
- Logging and Monitoring
- Business Continuity and Disaster Recovery
- Data Segregation and Residency
- Penetration Testing and Assessments
- Incident Response and Notification
- Audit and Compliance Reports
- Third-Party Subprocessors
- Physical Security
- Personnel Security and Training
- Data Return and Deletion
- Changes to Security Controls
- Florida-Specific Data Protection Requirements
- Governing Law and Dispute Resolution
1. SCOPE AND ORDER OF PRECEDENCE
- Applies to the Services under the [SaaS Agreement name/date].
- If this Addendum conflicts with the SaaS Agreement or DPA on security matters, this Addendum governs; otherwise, the SaaS Agreement controls.
2. SECURITY PROGRAM
- Provider maintains a written information security program with administrative, technical, and physical safeguards appropriate to risk, aligned to [ISO 27001/SOC 2/other].
- Provider's security program shall comply with the Florida Information Protection Act of 2014 (FIPA), Fla. Stat. sections 501.171 et seq., and the Florida Digital Bill of Rights (FDBR), Fla. Stat. sections 501.701 et seq., including implementation of reasonable measures to protect and secure data in electronic form containing personal information.
- Provider shall take reasonable measures to protect and secure data in electronic form containing personal information as required under FIPA.
3. ACCESS CONTROLS AND AUTHENTICATION
- Role-based access; least privilege; MFA for administrative access; strong password/secret policies; session management; timely deprovisioning.
4. ENCRYPTION
- In transit: TLS [1.2/1.3] or better; at rest: industry-standard encryption for Customer Data stores.
- Key management: [KMS/HSM], separation of duties, rotation policies.
5. NETWORK AND INFRASTRUCTURE SECURITY
- Segmentation of environments (prod/non-prod); firewalls/security groups; DDoS protections; hardened images; configuration management and baselines.
6. APPLICATION SECURITY AND SDLC
- Secure development lifecycle with code review, dependency scanning, SAST/DAST for relevant components; change management with approvals and rollback plans.
7. VULNERABILITY MANAGEMENT
- Regular scanning; prioritization/remediation targets:
  - Critical: [X] hours/days; High: [Y] days; Medium: [Z] days; Low: [define].
- Patch management process; emergency patching for exploited vulnerabilities.
8. LOGGING AND MONITORING
- Centralized logging for auth, access, admin actions, and security events; time-synchronized; retention [X] days/months; alerting for anomalous events.
9. BUSINESS CONTINUITY AND DISASTER RECOVERY
- Documented BC/DR plan; tested [annually/semi-annually]; RPO [X hours], RTO [Y hours]; backups encrypted and tested for restoration.
10. DATA SEGREGATION AND RESIDENCY
- Logical/tenant isolation; data residency options [Regions] if offered; no relocation without notice and updated transfer mechanisms.
11. PENETRATION TESTING AND ASSESSMENTS
- Independent penetration tests [annually/semi-annually]; summary reports available under NDA; remediation tracked to closure.
- Customer-sourced testing requires prior written approval and coordinated scope.
12. INCIDENT RESPONSE AND NOTIFICATION
- Incident response plan with roles, runbooks, and communications.
- Notification to Customer without undue delay and within [X] hours of confirming a Security Incident affecting Customer Data; include nature, scope, mitigations, and recommended actions.
- In compliance with FIPA (Fla. Stat. section 501.171), Provider shall provide notice to Customer of any breach of security as expeditiously as practicable, but no later than 30 days after determination of the breach or reason to believe a breach occurred.
- If a breach affects 500 or more individuals in Florida, Provider shall notify the Florida Department of Legal Affairs within 30 days as required by Fla. Stat. section 501.171(3).
- Post-incident report for material incidents within [Y] business days.
13. AUDIT AND COMPLIANCE REPORTS
- Provide current SOC 2 / ISO 27001 certificate and summary upon request; significant exceptions disclosed with remediation plans.
- Onsite/customer audits: [once per year] with reasonable notice; subject to confidentiality and limited to security controls; time/materials fees if onsite.
14. THIRD-PARTY SUBPROCESSORS
- Subprocessors must meet equivalent security standards; list available at [URL/Annex]; notice of new subprocessors with [X] days to object on reasonable grounds; Provider remains liable.
- Third-party agents receiving personal information from Provider must implement reasonable security measures consistent with FIPA requirements; Provider remains responsible for compliance.
15. PHYSICAL SECURITY
- Data centers with industry-standard controls: access badges/biometrics, CCTV, visitor logging, environmental controls, and redundant power/cooling.
16. PERSONNEL SECURITY AND TRAINING
- Background checks where lawful for personnel with Customer Data access, subject to Florida Fair Credit Reporting Act requirements and Fla. Stat. Chapter 435 where applicable; confidentiality agreements; security and privacy training at onboarding and [annual] refreshers.
17. DATA RETURN AND DELETION
- Upon termination/expiry, Customer Data returned or deleted per Agreement/DPA within [X] days; secure deletion methods; backups aged out on standard cycles unless legal hold applies.
- Data disposal shall comply with FIPA requirements for taking reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information in a manner designed to prevent unauthorized access.
18. CHANGES TO SECURITY CONTROLS
- Material reductions not permitted without Customer consent; non-material updates allowed to improve or maintain security posture.
- Notice of material changes to contact [security contact].
19. FLORIDA-SPECIFIC DATA PROTECTION REQUIREMENTS
19.1 Florida Information Protection Act (FIPA) Compliance
- Provider shall comply with FIPA (Fla. Stat. sections 501.171 et seq.), including:
  - Taking reasonable measures to protect and secure data in electronic form containing personal information;
  - Providing breach notification as expeditiously as practicable, but no later than 30 days after determination of breach;
  - Maintaining records of breaches for at least 5 years following the breach or discovery thereof;
  - Properly disposing of customer records containing personal information.
19.2 Florida Digital Bill of Rights (FDBR) Compliance
- Provider, to the extent it acts as a processor under the FDBR (Fla. Stat. sections 501.701 et seq.), shall:
  - Process personal data only in accordance with Customer's documented instructions;
  - Ensure each person processing personal data is subject to a duty of confidentiality;
  - Delete or return all personal data at Customer's request upon conclusion of services;
  - Make available information necessary to demonstrate compliance with FDBR;
  - Allow and cooperate with reasonable assessments by Customer or Customer's designated assessor;
  - Engage subcontractors only pursuant to written contracts with equivalent obligations.
19.3 Florida Trade Secret Protection
- Provider acknowledges that Customer's Confidential Information may include trade secrets as defined under the Florida Uniform Trade Secrets Act (Fla. Stat. sections 688.001 et seq.) and the federal Defend Trade Secrets Act (18 U.S.C. section 1836 et seq.), and shall protect such information accordingly.
19.4 Florida E-Signatures
- Electronic signatures under this Addendum shall be valid and enforceable pursuant to the Florida Electronic Signature Act of 1996 (Fla. Stat. sections 668.001 et seq.), the Uniform Electronic Transaction Act as adopted in Florida (Fla. Stat. sections 668.50 et seq.), and the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act).
20. GOVERNING LAW AND DISPUTE RESOLUTION
20.1 Governing Law
This Addendum and any dispute arising out of or relating hereto shall be governed by and construed in accordance with the laws of the State of Florida, without regard to its conflict of laws rules.
20.2 Forum Selection
Subject to any arbitration provisions in the Master Agreement, the Parties consent to the exclusive jurisdiction of the state and federal courts located in [Miami-Dade County / Hillsborough County / Orange County / Broward County], Florida, for any litigation arising out of or relating to this Addendum, and waive any objection to venue or forum non conveniens.
20.3 Jury Trial Waiver
EACH PARTY HEREBY KNOWINGLY, VOLUNTARILY, AND IRREVOCABLY WAIVES ITS RIGHT TO A TRIAL BY JURY IN ANY ACTION OR PROCEEDING ARISING OUT OF OR RELATING TO THIS ADDENDUM.
[// GUIDANCE: Florida courts generally enforce contractual jury waivers when the waiver is knowing and voluntary. Consider making the waiver conspicuous through bold text or a separate acknowledgment. See Belvedere Condominium Ass'n v. Perez, 679 So. 2d 1308 (Fla. 3d DCA 1996).]
20.4 Injunctive Relief
Each Party acknowledges that a breach of the security obligations herein would cause irreparable harm for which monetary damages are an inadequate remedy. Accordingly, in the event of any such breach, the non-breaching Party may seek injunctive relief in addition to any other remedy available at law or equity, without posting bond or other security to the extent permitted under Florida Rule of Civil Procedure 1.610.
20.5 Late Payment Interest
Late payments under this Addendum shall accrue interest at the rate specified in the Master Agreement, or if not specified, at 18% per annum, the maximum rate permitted under Fla. Stat. section 687.02 for commercial transactions, or such lower rate as specified by the parties. For simple interest, the rate shall not exceed 18% per annum.