Enterprise Security Addendum
State of Iowa
PARTIES AND EFFECTIVE DATE
This Enterprise Security Addendum ("Addendum") is entered into as of [__/__/____] ("Effective Date") by and between:
CUSTOMER:
Name: [________________________________]
Address: [________________________________]
City, State, ZIP: [________________________________]
Contact Person: [________________________________]
Email: [________________________________]
Phone: [________________________________]
(hereinafter "Customer" or "Data Controller")
AND
SERVICE PROVIDER:
Name: [________________________________]
Address: [________________________________]
City, State, ZIP: [________________________________]
Contact Person: [________________________________]
Email: [________________________________]
Phone: [________________________________]
(hereinafter "Provider" or "Data Processor")
(Customer and Provider collectively, the "Parties")
RECITALS
WHEREAS, Customer and Provider have entered into a Master Services Agreement dated [__/__/____] (the "Master Agreement") pursuant to which Provider will provide certain services to Customer;
WHEREAS, the provision of services under the Master Agreement requires Provider to access, process, store, or transmit Personal Information on behalf of Customer;
WHEREAS, Iowa Code Chapter 715C establishes requirements for the protection of Personal Information and notification obligations in the event of a Security Breach;
WHEREAS, the Parties desire to establish comprehensive security requirements, data protection obligations, and breach notification procedures in compliance with applicable Iowa law and industry best practices;
NOW, THEREFORE, in consideration of the mutual covenants and agreements herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
ARTICLE 1: DEFINITIONS
1.1 For purposes of this Addendum, the following terms shall have the meanings set forth below:
(a) "Authorized Personnel" means Provider's employees, contractors, agents, or other individuals who: (i) have a legitimate business need to access Personal Information; (ii) have completed required background screening; (iii) have completed security awareness training; and (iv) are bound by confidentiality obligations at least as protective as those in this Addendum.
(b) "Breach of Security" or "Security Breach" means, as defined under Iowa Code § 715C.1, the unauthorized acquisition of Personal Information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the Personal Information. Good faith acquisition of Personal Information by a person or that person's employee or agent for a legitimate purpose of that person is not a Breach of Security, provided that the Personal Information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the Personal Information.
(c) "Confidential Information" means all non-public information disclosed by either Party to the other Party, whether orally, in writing, or by inspection, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and circumstances of disclosure.
(d) "Data Subject" means an identified or identifiable natural person to whom Personal Information relates.
(e) "Encryption" means the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key, using an algorithmic process recognized as industry standard by the National Institute of Standards and Technology (NIST) or equivalent standards body.
(f) "Personal Information" means, as defined under Iowa Code § 715C.1, an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual, if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology so that the name or data elements are unreadable, or are so encrypted, redacted, or altered but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the Breach of Security:
(i) Social Security number;
(ii) Driver's license number or other unique identification number created or collected by a government body;
(iii) Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual's financial account;
(iv) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(v) Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
Personal Information does not include information that is lawfully obtained from publicly available sources or from federal, state, or local government records lawfully made available to the general public.
(g) "Processing" means any operation or set of operations performed on Personal Information, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
(h) "Redacted" means, as defined under Iowa Code § 715C.1, altered or truncated so that no more than five digits of a Social Security number or the last four digits of other protected numbers are accessible as part of the data.
(i) "Security Incident" means any actual or reasonably suspected: (i) unauthorized access to or acquisition of Personal Information; (ii) unauthorized disclosure of Personal Information; (iii) loss, theft, or unauthorized destruction of Personal Information; (iv) compromise of the security, confidentiality, or integrity of systems containing Personal Information; or (v) any other event that may constitute a Breach of Security under Iowa Code Chapter 715C.
(j) "Subprocessor" means any third party engaged by Provider to Process Personal Information on behalf of Customer pursuant to this Addendum.
ARTICLE 2: SCOPE OF PROCESSING
2.1 Nature and Purpose. Provider shall Process Personal Information solely for the following purposes:
☐ Provision of services under the Master Agreement
☐ Performance of contractual obligations
☐ Compliance with applicable law
☐ Other (specify): [________________________________]
2.2 Categories of Personal Information. The categories of Personal Information to be Processed include:
☐ Names and contact information
☐ Social Security numbers
☐ Driver's license or government ID numbers
☐ Financial account information
☐ Payment card data
☐ Biometric data
☐ Other (specify): [________________________________]
2.3 Categories of Data Subjects. Personal Information relates to the following categories of Data Subjects:
☐ Customers/Clients
☐ Employees
☐ Contractors
☐ Business contacts
☐ Other (specify): [________________________________]
2.4 Duration of Processing. Processing shall continue for the term of the Master Agreement unless earlier terminated, plus any retention period required by law or specified in Article 11.
2.5 Processing Instructions. Provider shall Process Personal Information only in accordance with Customer's documented instructions, unless required to do otherwise by applicable law. Provider shall immediately inform Customer if, in Provider's opinion, an instruction violates applicable law.
ARTICLE 3: SECURITY PROGRAM REQUIREMENTS
3.1 Comprehensive Security Program. Provider shall establish, implement, and maintain a comprehensive written information security program ("Security Program") that includes administrative, technical, and physical safeguards appropriate to:
(a) The size and complexity of Provider's operations;
(b) The nature and scope of Provider's activities;
(c) The sensitivity of the Personal Information Processed;
(d) The risks to Data Subjects from unauthorized access, use, or disclosure.
3.2 Security Program Components. The Security Program shall include, at minimum:
☐ Written information security policies and procedures
☐ Designated security officer or equivalent responsible party
☐ Risk assessment and management procedures
☐ Security awareness training program
☐ Incident response plan
☐ Business continuity and disaster recovery plans
☐ Vendor and subprocessor security management
☐ Regular security testing and assessment
3.3 Security Program Review. Provider shall review and update its Security Program:
(a) At least annually;
(b) Following any material Security Incident;
(c) When there are material changes to Provider's operations or information systems;
(d) When required by changes in applicable law or industry standards.
3.4 Security Standards Alignment. Provider's Security Program shall align with one or more of the following recognized security frameworks:
☐ SOC 2 Trust Services Criteria
☐ ISO/IEC 27001
☐ NIST Cybersecurity Framework
☐ Other (specify): [________________________________]
ARTICLE 4: TECHNICAL SAFEGUARDS
4.1 Encryption Requirements.
(a) Data at Rest:
☐ AES-256 encryption (or equivalent) for all Personal Information stored on Provider's systems
☐ Full disk encryption on all devices storing Personal Information
☐ Encrypted database fields containing Personal Information
☐ Encrypted backup media
(b) Data in Transit:
☐ TLS 1.2 or higher for all transmissions of Personal Information (SSL, TLS 1.0, and TLS 1.1 disabled)
☐ Forward secrecy enabled (ephemeral ECDHE or DHE key exchange; static RSA key exchange disabled)
☐ Strong cipher suites only (AEAD suites such as AES-GCM or ChaCha20-Poly1305; no RC4, 3DES, export-grade, NULL, or MD5-based suites)
☐ Certificate validation (chain, expiry, and hostname) and certificate lifecycle management
(c) Key Management:
☐ Secure key generation using approved random number generators (e.g., a NIST SP 800-90A DRBG or an HSM-resident generator)
☐ Separation of key management duties
☐ Key rotation at least annually
☐ Secure key storage (HSM or equivalent protection)
☐ Documented key recovery and destruction procedures
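The four data-in-transit items in Section 4.1(b) map directly onto client TLS settings, and a Provider can verify its own configuration against them before an audit. The following is an added example, not part of the Addendum or any party's code, using Python's standard ssl module: a context that satisfies 4.1(b) beside the weak configuration the checklist rules out, and a check that reports which items a given context fails. The function names and the "RSA+AESGCM" weak cipher string are this example's own choices.

```python
"""Hardened TLS client settings for the Section 4.1(b) checklist, beside the weak
configuration it rules out, and a policy check that reports the items a context
fails.  Added example using Python's standard ssl module."""
import ssl

# Deprecated algorithms recognisable from an OpenSSL cipher suite name.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def forward_secret(cipher: dict) -> bool:
    """TLS 1.3 suites always use ephemeral key exchange; TLS 1.2 suites only when
    they are ECDHE-/DHE-.  Static RSA suites such as AES128-GCM-SHA256 are not."""
    return cipher["protocol"] == "TLSv1.3" or cipher["name"].startswith(("ECDHE-", "DHE-"))


def strong_suite(cipher: dict) -> bool:
    """False for suites built on RC4, (3)DES, NULL, export-grade or MD5 algorithms."""
    return not any(marker in cipher["name"] for marker in WEAK_MARKERS)


def hardened_client_context() -> ssl.SSLContext:
    """A context that meets every 4.1(b) item."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.2 or higher
    # ECDHE-only AEAD suites for TLS 1.2; !aNULL drops anonymous DH, !MD5 legacy MACs.
    # TLS 1.3 suites are selected separately by OpenSSL and are all forward secret.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The configuration the checklist is meant to rule out (for contrast only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE               # accepts any certificate
    ctx.set_ciphers("RSA+AESGCM")                 # static RSA key exchange: no forward secrecy
    return ctx


def context_violations(ctx: ssl.SSLContext) -> list:
    """Checklist items the context fails; an empty list means compliant."""
    failed = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        failed.append("min-version")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        failed.append("cert-verification")
    if not ctx.check_hostname:
        failed.append("hostname-check")
    suites = ctx.get_ciphers()                    # every suite the context would offer
    if not all(forward_secret(c) for c in suites):
        failed.append("forward-secrecy")
    if not all(strong_suite(c) for c in suites):
        failed.append("strong-ciphers")
    return failed


if __name__ == "__main__":
    print("hardened:", context_violations(hardened_client_context()) or "compliant")
    print("legacy:  ", context_violations(legacy_client_context()))
```

The check inspects what the context would offer, not what a server accepted; an endpoint audit still needs a live handshake against each Provider-operated service, but the same predicates apply to the negotiated suite.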
4.2 Access Controls.
(a) Identity Management:
☐ Unique user identification for each Authorized Personnel
☐ Prohibition on shared or generic accounts for access to Personal Information
☐ Role-based access control (RBAC) implementation
☐ Least privilege access principles applied
(b) Authentication:
☐ Multi-factor authentication (MFA) required for access to systems containing Personal Information
☐ Strong password requirements: minimum [____] characters with complexity requirements
☐ Password expiration every [____] days, or, consistent with NIST SP 800-63B, rotation required only upon evidence of compromise
☐ Account lockout after [____] failed attempts
☐ Session timeout after [____] minutes of inactivity
(c) Access Provisioning and Review:
☐ Documented approval process for access requests
☐ Quarterly access rights review
☐ Immediate access revocation upon termination or role change
☐ Annual recertification of all access privileges
4.3 Network Security.
☐ Firewall protection at all network perimeters
☐ Intrusion detection and prevention systems (IDS/IPS)
☐ Network segmentation isolating systems containing Personal Information
☐ Secure VPN for all remote access
☐ Regular network vulnerability scanning
☐ Secure wireless access controls
4.4 Endpoint and System Security.
☐ Anti-malware protection with current signatures on all endpoints
☐ Endpoint detection and response (EDR) solutions
☐ Hardened system configurations based on industry standards (CIS, NIST)
☐ Timely security patch application (critical patches within [____] days)
☐ Mobile device management (MDM) for devices accessing Personal Information
☐ Secure software development lifecycle (SDLC) practices
4.5 Monitoring and Logging.
☐ Centralized security logging (SIEM)
☐ Audit trails for all access to Personal Information
☐ Log retention for minimum [____] months
☐ Real-time alerting for security events
☐ Regular log review and analysis
☐ Tamper-evident logging mechanisms
4.6 Data Protection Controls.
☐ Data loss prevention (DLP) controls
☐ Database activity monitoring
☐ Secure data backup and recovery procedures
☐ Backup testing at least quarterly
☐ Data classification and handling procedures
ARTICLE 5: ADMINISTRATIVE SAFEGUARDS
5.1 Security Policies and Procedures.
Provider shall maintain documented security policies addressing:
☐ Information security policy
☐ Acceptable use policy
☐ Data classification and handling policy
☐ Access control policy
☐ Incident response policy
☐ Remote work and mobile device policy
☐ Change management policy
☐ Vendor and third-party security policy
5.2 Personnel Security.
(a) Background Screening:
☐ Criminal background checks for all Authorized Personnel prior to access to Personal Information
☐ Verification of employment history and references
☐ Re-screening at intervals of [____] years for personnel with access to Personal Information
(b) Confidentiality Agreements:
☐ Written confidentiality agreements executed prior to access to Personal Information
☐ Non-disclosure obligations surviving termination of employment or engagement
(c) Security Awareness Training:
☐ Training upon hire or initial access
☐ Annual refresher training thereafter
☐ Additional training following Security Incidents or material policy changes
☐ Training content covering: data handling, phishing awareness, password security, incident reporting
☐ Documented training completion records
(d) Access Termination:
☐ Immediate access termination upon personnel departure
☐ Retrieval of all devices and credentials
☐ Exit interviews addressing confidentiality obligations
5.3 Risk Management.
☐ Annual security risk assessments
☐ Vulnerability assessments at least quarterly
☐ Penetration testing at least annually by qualified third party
☐ Remediation tracking with defined timelines
☐ Risk register maintained and reviewed regularly
5.4 Change Management.
☐ Documented change management procedures
☐ Security review of changes affecting systems containing Personal Information
☐ Testing and approval process before implementation
☐ Rollback capabilities for failed changes
ARTICLE 6: PHYSICAL SAFEGUARDS
6.1 Facility Security.
☐ Controlled facility access with authentication (badge, key card, biometric)
☐ Visitor management and escort procedures
☐ Video surveillance of entry points and sensitive areas
☐ Security personnel or monitoring services as appropriate
☐ Intrusion detection systems
6.2 Data Center Security.
☐ 24/7 security monitoring
☐ Multi-factor authentication for data center access
☐ Mantrap or equivalent entry controls
☐ Environmental controls (fire suppression, HVAC, flood detection)
☐ Redundant power (UPS, generators)
☐ Equipment maintenance and disposal procedures
6.3 Media and Device Controls.
☐ Secure storage of portable media containing Personal Information
☐ Encryption of portable media
☐ Inventory tracking of devices containing Personal Information
☐ Secure disposal procedures (NIST SP 800-88 compliant)
☐ Chain of custody documentation for media transfers
ARTICLE 7: SUBCONTRACTOR AND VENDOR MANAGEMENT
7.1 Subprocessor Authorization. Provider shall not engage any Subprocessor to Process Personal Information without Customer's prior written consent.
7.2 Current Subprocessors. The Subprocessors currently authorized by Customer are listed in Exhibit A attached hereto.
7.3 New Subprocessors. Provider shall provide Customer with [____] days' prior written notice before engaging a new Subprocessor. Customer may object by providing written notice within [____] days of receiving Provider's notice. If Customer objects and the Parties cannot resolve the objection within [____] days, Customer may terminate the affected services without penalty.
7.4 Subprocessor Agreements. Provider shall enter into a written agreement with each Subprocessor that:
(a) Imposes data protection obligations no less protective than those in this Addendum;
(b) Requires the Subprocessor to Process Personal Information only as instructed by Provider on behalf of Customer;
(c) Requires appropriate technical and organizational security measures;
(d) Requires prompt notification to Provider of any Security Incident;
(e) Imposes confidentiality obligations on Subprocessor personnel;
(f) Grants audit rights to Provider and/or Customer;
(g) Requires secure deletion or return of Personal Information upon termination;
(h) Requires compliance with Iowa Code Chapter 715C as applicable.
7.5 Subprocessor Due Diligence. Before engaging a Subprocessor, Provider shall:
☐ Conduct security assessment of Subprocessor capabilities
☐ Verify Subprocessor security certifications (SOC 2, ISO 27001, etc.)
☐ Review Subprocessor's information security program
☐ Document due diligence activities and findings
7.6 Subprocessor Liability. Provider shall remain fully liable to Customer for all acts and omissions of its Subprocessors with respect to Personal Information.
ARTICLE 8: SECURITY INCIDENT RESPONSE PROCEDURES
8.1 Incident Response Plan. Provider shall maintain a written incident response plan addressing:
(a) Roles and responsibilities of incident response team;
(b) Incident classification and severity levels;
(c) Detection and identification procedures;
(d) Containment strategies;
(e) Evidence preservation and chain of custody;
(f) Communication and escalation protocols;
(g) Eradication and recovery procedures;
(h) Post-incident review and lessons learned;
(i) Compliance with Iowa Code Chapter 715C notification requirements.
8.2 Incident Response Team. Provider shall designate an incident response team with the following contacts:
Primary Contact: [________________________________]
Title: [________________________________]
Phone: [________________________________]
Email: [________________________________]
Alternate Contact: [________________________________]
Title: [________________________________]
Phone: [________________________________]
Email: [________________________________]
8.3 Immediate Response Actions. Upon discovery of a Security Incident, Provider shall immediately:
☐ Activate incident response team
☐ Contain the incident to prevent further unauthorized access
☐ Preserve evidence for forensic investigation
☐ Begin initial assessment of scope and impact
☐ Escalate to Provider's security leadership
ARTICLE 9: IOWA BREACH NOTIFICATION REQUIREMENTS
9.1 Customer Notification. Provider shall notify Customer of any confirmed or reasonably suspected Security Incident as follows:
(a) Initial Notification:
☐ Within [____] hours of discovery
☐ Via telephone to: [________________________________]
☐ Followed by written notice to: [________________________________]
(b) Initial Notification Content:
☐ Description of the nature of the Security Incident
☐ Approximate date and time of discovery
☐ Categories of Personal Information potentially affected
☐ Estimated number of Data Subjects potentially affected
☐ Initial assessment of risk and impact
☐ Containment actions taken or planned
☐ Provider contact information for incident response coordination
(c) Ongoing Updates:
☐ Updates within [____] hours of material developments
☐ Daily status reports during active incident response
☐ Final incident report within [____] days of incident closure
9.2 Iowa Statutory Notification Requirements. The Parties acknowledge the following requirements under Iowa Code § 715C.2:
(a) Consumer Notification Timing:
Notification to affected Iowa residents must be made in the most expeditious manner possible and without unreasonable delay, consistent with:
- Legitimate needs of law enforcement;
- Measures necessary to determine contact information for affected consumers;
- Measures necessary to determine the scope of the breach;
- Measures necessary to restore the reasonable integrity, security, and confidentiality of the data.
(b) Consumer Notification Content:
Notifications to affected Iowa consumers must include:
☐ Description of the Security Breach
☐ Approximate date of the Security Breach
☐ Type of Personal Information obtained as a result of the breach
☐ Contact information for consumer reporting agencies
☐ Advice to report suspected identity theft to local law enforcement or the Iowa Attorney General
(c) Iowa Attorney General Notification:
If a Security Breach requires notification to more than five hundred (500) Iowa residents, written notice must be provided to the Director of the Consumer Protection Division of the Office of the Iowa Attorney General within five (5) business days after providing notice to affected consumers.
Attorney General Contact Information:
Consumer Protection Division
Office of the Attorney General of Iowa
1305 E. Walnut Street
Des Moines, Iowa 50319-0106
Email: [email protected]
Phone: 515-281-5926
Fax: 515-281-6771
(d) Substitute Notice:
If the cost of providing notice exceeds $250,000, if the affected class of consumers exceeds 350,000 persons, or if the person does not have sufficient contact information, substitute notice may be provided consisting of:
☐ Email notice (if email addresses are available);
☐ Conspicuous posting on the person's website; AND
☐ Notification to major statewide media.
(e) Notification Not Required:
Notification is not required if, after an appropriate investigation or consultation with relevant law enforcement agencies, the person determines that no reasonable likelihood of financial harm to consumers has resulted or will result from the breach. Such determination must be documented in writing and maintained for five (5) years.
9.3 Notification Responsibilities.
(a) Customer Responsibility: Unless otherwise agreed in writing, Customer shall be responsible for issuing notifications to affected Data Subjects and the Iowa Attorney General.
(b) Provider Cooperation: Provider shall cooperate with Customer and provide all information and assistance reasonably necessary for Customer to fulfill its notification obligations.
(c) Provider Direct Notification: Provider shall not directly notify Data Subjects or regulators without Customer's prior written consent, except where required by applicable law.
9.4 Law Enforcement Delay. Notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation. Provider shall document any such delay request and notify Customer immediately.
9.5 Encryption Safe Harbor. Pursuant to Iowa Code § 715C.1, data elements that are encrypted, redacted, or otherwise altered so that they are unreadable do not constitute Personal Information, and their acquisition does not by itself trigger breach notification, unless the encryption key or other credential enabling decryption or unredaction was obtained through the Security Breach.
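Scoping a breach under this Addendum means applying the definitions in Section 1.1(f) (Personal Information) and 1.1(h) (Redacted) together with the key-compromise caveat above to each exposed record. The following is an added example, not part of the Addendum or any party's procedure, that encodes those rules: the record layout, field names, and the "credential_exposed" flag (standing in for the "in combination with any required expiration date, security code, access code, or password" condition of 1.1(f)(iii)-(iv)) are this example's own simplifications, and the sample records are constructed, not real data.

```python
"""Breach-scoping helper applying Sections 1.1(f), 1.1(h) and 9.5 to exposed
records.  Added example; record layout and field names are assumptions."""
from dataclasses import dataclass, field
from typing import List

SSN_MAX_VISIBLE = 5      # 1.1(h): no more than five digits of an SSN accessible
OTHER_MAX_VISIBLE = 4    # 1.1(h): only the last four digits of other numbers

# Kinds that are Personal Information only "in combination with" a required
# expiration date, security code, access code or password (1.1(f)(iii)-(iv)).
NEEDS_CREDENTIAL = {"account", "card", "routing"}


@dataclass
class Element:
    kind: str                         # "ssn", "govt_id", "account", "card", "routing", "biometric"
    value: str                        # plaintext form the element holds or decrypts to
    encrypted: bool = False           # stored under Encryption as defined in 1.1(e)
    key_compromised: bool = False     # 9.5: decryption key obtained through the same breach
    credential_exposed: bool = False  # the required code/password was exposed alongside it


@dataclass
class Record:
    record_id: str
    name_present: bool                # first name or first initial plus last name present
    elements: List[Element] = field(default_factory=list)
    public_source: bool = False       # lawfully obtained from public records (1.1(f))


def is_redacted(e: Element) -> bool:
    """1.1(h): truncated so that only the permitted digits remain accessible."""
    digits = [ch for ch in e.value if ch.isdigit()]
    if e.kind == "ssn":
        return len(digits) <= SSN_MAX_VISIBLE
    if e.kind == "biometric":
        return False                  # a biometric template cannot be digit-redacted
    if len(digits) > OTHER_MAX_VISIBLE:
        return False
    # "the last four digits": the surviving digits must be the trailing ones
    return not digits or e.value.rstrip()[-len(digits):].isdigit()


def is_readable(e: Element) -> bool:
    """Encrypted with an uncompromised key, or redacted, means unreadable;
    9.5 withdraws the safe harbor when the key was taken in the breach."""
    if e.encrypted and not e.key_compromised:
        return False
    return not is_redacted(e)


def is_personal_information(r: Record) -> bool:
    """1.1(f): a name plus at least one readable data element, unless public-source."""
    if r.public_source or not r.name_present:
        return False
    for e in r.elements:
        if not is_readable(e):
            continue
        if e.kind in NEEDS_CREDENTIAL and not e.credential_exposed:
            continue                  # number alone does not permit account access
        return True
    return False


def affected_records(records) -> List[str]:
    """IDs of records that count as Personal Information for Chapter 715C scoping."""
    return [r.record_id for r in records if is_personal_information(r)]


# Constructed sample records (not real data) covering the edge cases.
SAMPLE = [
    Record("r1", True, [Element("ssn", "123-45-6789")]),                      # plain SSN
    Record("r2", True, [Element("ssn", "XXX-XX-6789")]),                      # 4 digits: redacted
    Record("r3", True, [Element("ssn", "XXX-45-6789")]),                      # 6 digits: not redacted
    Record("r4", True, [Element("card", "4111111111111111")]),                # card number alone
    Record("r5", True, [Element("card", "4111111111111111", credential_exposed=True)]),
    Record("r6", False, [Element("ssn", "123-45-6789")]),                     # no name
    Record("r7", True, [Element("ssn", "123-45-6789", encrypted=True)]),      # safe harbor holds
    Record("r8", True, [Element("ssn", "123-45-6789", encrypted=True, key_compromised=True)]),
    Record("r9", True, [Element("govt_id", "****1234")]),                     # last four only
    Record("r10", True, [Element("govt_id", "12****34")]),                    # four digits, not last four
]

if __name__ == "__main__":
    print(affected_records(SAMPLE))   # ['r1', 'r3', 'r5', 'r8', 'r10']
```

The count this produces feeds the 500-resident threshold in Section 9.2(c) and the "no reasonable likelihood of financial harm" determination in 9.2(e); a record excluded here should still be listed in the written determination with the reason it was excluded.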
ARTICLE 10: AUDIT RIGHTS AND CERTIFICATIONS
10.1 Audit Rights. Customer shall have the right to audit Provider's compliance with this Addendum as follows:
(a) Scope:
☐ Security policies, procedures, and controls
☐ Technical infrastructure and configurations
☐ Access control logs and records
☐ Incident response capabilities and records
☐ Subprocessor management documentation
☐ Personnel training records
☐ Data handling and Processing activities
(b) Frequency:
☐ One (1) comprehensive audit per calendar year
☐ Additional audits following a Security Incident
☐ Additional audits upon reasonable suspicion of non-compliance
(c) Audit Process:
☐ Customer shall provide at least [____] days' written notice
☐ Audits shall be conducted during normal business hours
☐ Customer may use qualified third-party auditors subject to confidentiality obligations
☐ Provider shall provide reasonable access to facilities, personnel, and documentation
☐ Customer shall bear its own costs of conducting audits
10.2 Security Certifications. Provider shall obtain and maintain the following certifications:
(a) SOC 2 Type II:
☐ Annual SOC 2 Type II audit by independent auditor
☐ Report covering Security, Availability, and Confidentiality Trust Service Criteria
☐ Report provided to Customer within [____] days of issuance
☐ Bridge letter provided if certification gap occurs
(b) ISO 27001 (if applicable):
☐ Certification by accredited certification body
☐ Scope covering services provided to Customer
☐ Annual surveillance audits
☐ Recertification every three (3) years
(c) Additional Certifications:
☐ ISO 27017 (Cloud Security Controls)
☐ ISO 27018 (Cloud Privacy)
☐ PCI DSS (if processing payment card data)
☐ HITRUST (if processing health information)
☐ Other: [________________________________]
10.3 Certification Maintenance. Provider shall:
(a) Notify Customer immediately of any certification suspension, revocation, or non-renewal;
(b) Provide copies of current certifications and audit reports upon request;
(c) Address any audit findings or non-conformities within required timeframes;
(d) Maintain gap-free certification coverage during the term.
10.4 Audit Findings Remediation. Provider shall:
(a) Respond to audit findings within [____] business days;
(b) Develop remediation plans for identified deficiencies;
(c) Complete critical remediation within [____] days;
(d) Complete non-critical remediation within [____] days;
(e) Provide evidence of remediation completion to Customer.
ARTICLE 11: DATA RETENTION AND DESTRUCTION
11.1 Retention Period. Provider shall retain Personal Information only for as long as necessary to:
(a) Fulfill the purposes for which it was collected;
(b) Perform obligations under the Master Agreement;
(c) Comply with applicable legal retention requirements.
11.2 Customer-Specified Retention. Customer may specify retention periods for categories of Personal Information, which Provider shall implement. Absent specific instructions, Provider shall not retain Personal Information longer than [____] years after the purpose for Processing has been fulfilled.
11.3 Return of Data. Upon termination or expiration of the Master Agreement, or upon Customer's written request, Provider shall return all Personal Information to Customer:
☐ In a format reasonably requested by Customer
☐ Within [____] days of termination or request
☐ Via secure transfer method agreed by the Parties
11.4 Secure Destruction. Following return of Personal Information or upon Customer's written direction, Provider shall securely destroy all remaining copies using methods that render the data unrecoverable:
(a) Electronic Data:
☐ NIST SP 800-88 compliant sanitization
☐ Cryptographic erasure (destruction of encryption keys), only where all data on the media was encrypted before being written and the keys were never stored unprotected on the same media
☐ Physical destruction of media if sanitization not feasible
(b) Physical Media:
☐ Shredding or disintegration to at least DIN 66399 security level 4 of the class matching the media (H-4 for hard drives, O-4 for optical media, T-4 for magnetic tape, E-4 for flash/SSD)
☐ Degaussing (magnetic media only; ineffective on flash/SSD, which must be sanitized or physically destroyed instead)
☐ Physical destruction (incineration, pulverization)
(c) Paper Records:
☐ Cross-cut shredding (minimum DIN 66399 Level P-4)
☐ Incineration
11.5 Destruction Certification. Provider shall provide written certification of destruction within [____] days, including:
☐ Date(s) of destruction
☐ Description of data destroyed
☐ Method(s) of destruction used
☐ Name and signature of responsible official
11.6 Exceptions to Destruction. Provider may retain copies of Personal Information only to the extent:
(a) Required by applicable law or regulation (with documentation of legal basis);
(b) Contained in routine backup systems, provided backups are encrypted and destroyed in accordance with normal retention schedules not exceeding [____] days;
(c) Necessary to establish, exercise, or defend legal claims.
Any retained data shall remain subject to the confidentiality and security obligations of this Addendum.
ARTICLE 12: INSURANCE REQUIREMENTS
12.1 Required Insurance Coverage. Provider shall obtain and maintain throughout the term of the Master Agreement the following insurance coverage:
(a) Cyber Liability / Technology Errors and Omissions:
☐ Minimum per occurrence: $[________________________________]
☐ Minimum annual aggregate: $[________________________________]
☐ Coverage for: data breach response costs, notification expenses, credit monitoring, regulatory defense, fines and penalties (where insurable), cyber extortion, business interruption
(b) Professional Liability / Errors and Omissions:
☐ Minimum per occurrence: $[________________________________]
☐ Minimum annual aggregate: $[________________________________]
(c) Commercial General Liability:
☐ Minimum per occurrence: $[________________________________]
☐ Minimum annual aggregate: $[________________________________]
(d) Workers' Compensation:
☐ Statutory limits as required by Iowa law
12.2 Policy Requirements. All required insurance policies shall:
(a) Be issued by insurers rated A- or better by A.M. Best;
(b) Name Customer as an additional insured (where applicable);
(c) Include waiver of subrogation in favor of Customer;
(d) Provide [____] days' written notice to Customer prior to cancellation or material change.
12.3 Certificates of Insurance. Provider shall provide certificates of insurance:
(a) Upon execution of this Addendum;
(b) Upon each policy renewal;
(c) Upon Customer's reasonable request.
12.4 Tail Coverage. Provider shall maintain insurance coverage for a period of [____] years following termination of the Master Agreement.
ARTICLE 13: COMPLIANCE REPRESENTATIONS
13.1 Compliance with Law. Provider represents and warrants that it shall comply with:
(a) Iowa Code Chapter 715C (Personal Information Security Breach Protection);
(b) All other applicable federal, state, and local laws and regulations relating to data protection, privacy, and information security;
(c) Industry-specific requirements applicable to the services provided (e.g., GLBA, HIPAA, PCI DSS).
13.2 No Violations. Provider represents that, as of the Effective Date:
(a) Provider has not experienced a Security Breach affecting Personal Information similar to that covered by this Addendum within the past [____] years that has not been previously disclosed to Customer;
(b) Provider is not aware of any pending regulatory investigations related to data security or privacy;
(c) Provider's current security practices are consistent with the requirements of this Addendum.
13.3 Ongoing Compliance Monitoring. Provider shall:
(a) Monitor changes in applicable laws and regulations;
(b) Notify Customer of changes that may affect this Addendum;
(c) Propose necessary amendments to maintain compliance;
(d) Implement required changes within timeframes required by law.
13.4 Compliance Documentation. Provider shall maintain and make available to Customer upon request:
☐ Written information security policies and procedures
☐ Risk assessment documentation
☐ Security awareness training records
☐ Vulnerability assessment and penetration test reports (executive summaries)
☐ Incident response plan
☐ Business continuity and disaster recovery plans
☐ Subprocessor due diligence documentation
☐ Evidence of insurance coverage
ARTICLE 14: REMEDIES FOR SECURITY FAILURES
14.1 Remediation Obligations. In the event of a Security Incident caused by Provider's failure to comply with this Addendum, Provider shall, at its sole expense:
(a) Conduct thorough forensic investigation to determine cause and scope;
(b) Implement immediate containment measures;
(c) Remediate vulnerabilities that contributed to the incident;
(d) Implement enhanced security measures to prevent recurrence;
(e) Provide the following to affected Data Subjects:
☐ Credit monitoring services for [____] months
☐ Identity theft protection services
☐ Identity restoration services
☐ Dedicated call center support
(f) Pay all costs of consumer notification, including:
☐ Preparation of notification materials
☐ Printing and mailing costs
☐ Substitute notice advertising costs (if applicable)
☐ Call center operations
(g) Pay regulatory notification costs;
(h) Reimburse Customer for reasonable legal fees incurred.
14.2 Indemnification. Provider shall indemnify, defend, and hold harmless Customer, its officers, directors, employees, agents, successors, and assigns from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and expert witness fees) arising out of or relating to:
(a) Any Security Breach or Security Incident caused by Provider's negligence, willful misconduct, or breach of this Addendum;
(b) Provider's failure to comply with Iowa Code Chapter 715C;
(c) Third-party claims arising from unauthorized access, use, or disclosure of Personal Information in Provider's possession or control;
(d) Regulatory investigations, enforcement actions, or penalties arising from Provider's Processing of Personal Information;
(e) Acts or omissions of Provider's Subprocessors with respect to Personal Information.
14.3 Indemnification Procedures.
(a) The indemnified Party shall provide prompt written notice of any claim;
(b) The indemnifying Party shall have the right to assume control of the defense;
(c) The indemnified Party shall cooperate in the defense at the indemnifying Party's expense;
(d) Neither Party shall settle any claim that would impose liability or obligations on the other Party without prior written consent.
14.4 Limitation on Liability Exclusions. Notwithstanding any limitation of liability in the Master Agreement:
(a) Provider's liability for Security Breaches caused by Provider's negligence or breach of this Addendum shall not be subject to any cap on liability;
(b) Provider's indemnification obligations under Section 14.2 shall not be subject to any cap on liability;
(c) Provider's liability for gross negligence or willful misconduct shall not be subject to any cap on liability.
14.5 Equitable Relief. Customer shall be entitled to seek injunctive or other equitable relief to prevent or remedy any actual or threatened breach of this Addendum, without the requirement of posting bond.
ARTICLE 15: GENERAL PROVISIONS
15.1 Order of Precedence. In the event of conflict between this Addendum and the Master Agreement, this Addendum shall control with respect to the Processing and protection of Personal Information.
15.2 Term. This Addendum shall remain in effect for the duration of the Master Agreement and for so long thereafter as Provider retains any Personal Information.
15.3 Amendments. This Addendum may be amended only by written instrument signed by both Parties. Provider shall notify Customer of changes in applicable law that may require amendment.
15.4 Severability. If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.
15.5 Waiver. No waiver of any provision shall be effective unless in writing and signed by the waiving Party. No failure or delay in exercising any right shall constitute a waiver.
15.6 Notices. All notices shall be in writing and delivered to the addresses set forth above, or to such other address as a Party may designate.
15.7 Governing Law. This Addendum shall be governed by the laws of the State of Iowa, without regard to conflict of laws principles.
15.8 Dispute Resolution. Any dispute arising under this Addendum shall be subject to the exclusive jurisdiction of the state and federal courts located in Polk County, Iowa.
15.9 Survival. The following provisions shall survive termination or expiration: Article 1 (Definitions), Article 9 (Iowa Breach Notification Requirements), Article 10 (Audit Rights) for the applicable retention period, Article 11 (Data Retention and Destruction), Article 14 (Remedies for Security Failures), and Article 15 (General Provisions).
15.10 Counterparts. This Addendum may be executed in counterparts, each deemed an original.
15.11 Entire Agreement. This Addendum, together with the Master Agreement and exhibits, constitutes the entire agreement regarding the subject matter hereof.
SIGNATURES
IN WITNESS WHEREOF, the Parties have executed this Enterprise Security Addendum as of the Effective Date.
CUSTOMER:
Signature: [________________________________]
Print Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
SERVICE PROVIDER:
Signature: [________________________________]
Print Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
EXHIBIT A: AUTHORIZED SUBPROCESSORS
The following Subprocessors are authorized to Process Personal Information as of the Effective Date:
| Subprocessor Name | Services Provided | Location(s) | Certifications |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
EXHIBIT B: SECURITY CONTROLS CHECKLIST
Provider certifies implementation of the following security controls:
B.1 Administrative Safeguards
| Control | Implemented | Last Review Date | Notes |
|---|---|---|---|
| Written Information Security Policy | ☐ Yes ☐ No | [__/__/____] | [________________________________] |
| Security Officer Designated | ☐ Yes ☐ No | [__/__/____] | [________________________________] |
| Risk Assessment Program | ☐ Yes ☐ No | [__/__/____] | [________________________________] |
| Security Awareness Training | ☐ Yes ☐ No | [__/__/____] | [________________________________] |
| Background Check Program | ☐ Yes ☐ No | [__/__/____] | [________________________________] |
| Incident Response Plan | ☐ Yes ☐ No | [__/__/____] | [________________________________] |
| Business Continuity Plan | ☐ Yes ☐ No | [__/__/____] | [________________________________] |
| Vendor Security Program | ☐ Yes ☐ No | [__/__/____] | [________________________________] |
| Change Management Process | ☐ Yes ☐ No | [__/__/____] | [________________________________] |
B.2 Technical Safeguards
| Control | Implemented | Standard/Version | Notes |
|---|---|---|---|
| Encryption at Rest (AES-256) | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Encryption in Transit (TLS 1.2+) | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Multi-Factor Authentication | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Firewall Protection | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Intrusion Detection/Prevention | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| SIEM/Centralized Logging | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Vulnerability Scanning | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Penetration Testing | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Anti-Malware Protection | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Data Loss Prevention (DLP) | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Endpoint Detection & Response | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Network Segmentation | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Database Activity Monitoring | ☐ Yes ☐ No | [________________________________] | [________________________________] |
| Secure Backup/Recovery | ☐ Yes ☐ No | [________________________________] | [________________________________] |
B.3 Physical Safeguards
| Control | Implemented | Description |
|---|---|---|
| Facility Access Controls | ☐ Yes ☐ No | [________________________________] |
| Video Surveillance | ☐ Yes ☐ No | [________________________________] |
| Visitor Management | ☐ Yes ☐ No | [________________________________] |
| Environmental Controls | ☐ Yes ☐ No | [________________________________] |
| Data Center Security | ☐ Yes ☐ No | [________________________________] |
| Secure Media Disposal | ☐ Yes ☐ No | [________________________________] |
B.4 Certifications
| Certification | Status | Expiration | Scope |
|---|---|---|---|
| SOC 2 Type II | ☐ Current ☐ In Progress ☐ N/A | [__/__/____] | [________________________________] |
| ISO 27001 | ☐ Current ☐ In Progress ☐ N/A | [__/__/____] | [________________________________] |
| ISO 27017 | ☐ Current ☐ In Progress ☐ N/A | [__/__/____] | [________________________________] |
| ISO 27018 | ☐ Current ☐ In Progress ☐ N/A | [__/__/____] | [________________________________] |
| PCI DSS | ☐ Current ☐ In Progress ☐ N/A | [__/__/____] | [________________________________] |
| HITRUST | ☐ Current ☐ In Progress ☐ N/A | [__/__/____] | [________________________________] |
| Other: [____] | ☐ Current ☐ In Progress ☐ N/A | [__/__/____] | [________________________________] |
EXHIBIT C: CUSTOMER SECURITY CONTACTS
Primary Security Contact
Name: [________________________________]
Title: [________________________________]
Email: [________________________________]
Phone: [________________________________]
Secondary Security Contact
Name: [________________________________]
Title: [________________________________]
Email: [________________________________]
Phone: [________________________________]
Legal/Privacy Contact
Name: [________________________________]
Title: [________________________________]
Email: [________________________________]
Phone: [________________________________]
EXHIBIT D: DATA PROCESSING SPECIFICATIONS
D.1 Description of Processing
Purpose of Processing: [________________________________]
[________________________________]
[________________________________]
D.2 Data Retention Schedule
| Data Category | Retention Period | Destruction Method |
|---|---|---|
| [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] |
D.3 Data Transfer Locations
☐ Data will be stored and processed only within the United States
☐ Data may be transferred to the following locations: [________________________________]
D.4 Special Processing Requirements
[________________________________]
[________________________________]
[________________________________]
End of Enterprise Security Addendum
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: February 2026