
ENTERPRISE SECURITY ADDENDUM

Commonwealth of Kentucky — Jurisdictional Version

Addendum Reference No.: [________________________________]

Effective Date: [__/__/____]

Master Agreement Reference: [________________________________]

Master Agreement Date: [__/__/____]


RECITALS

WHEREAS, [________________________________] ("Customer"), a [________________________________] organized under the laws of the [________________________________], with its principal place of business at [________________________________], and

WHEREAS, [________________________________] ("Provider"), a [________________________________] organized under the laws of the [________________________________], with its principal place of business at [________________________________], have entered into that certain Master Agreement referenced above (the "Master Agreement"); and

WHEREAS, the Master Agreement contemplates that Provider shall deliver certain enterprise software-as-a-service, cloud-hosted, or managed technology services (collectively, the "Services") to Customer that may involve the Processing of Customer Data, including Personally Identifiable Information of Kentucky residents as defined under KRS § 365.732; and

WHEREAS, Customer requires Provider to implement and maintain a comprehensive information security program that meets or exceeds industry standards and complies with the data protection and breach notification requirements of Kentucky law, including KRS § 365.732 and the Kentucky Consumer Data Protection Act (KRS § 367.700 et seq.); and

WHEREAS, the Parties desire to set forth the specific security obligations, controls, and procedures that Provider shall implement and maintain in connection with the Services;

NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:


ARTICLE 1 — DEFINITIONS

1.1 The following terms shall have the meanings set forth below when used in this Addendum. Capitalized terms not defined herein shall have the meanings ascribed to them in the Master Agreement.

1.2 "Access Credentials" means usernames, passwords, API keys, tokens, certificates, multi-factor authentication codes, biometric identifiers, and any other mechanism used to authenticate a user or system to Provider's infrastructure or the Services.

1.3 "Authorized Personnel" means employees, contractors, agents, or Subprocessors of Provider who have undergone background screening and security training and have a demonstrated need to access Customer Data in the performance of the Services.

1.4 "Breach" or "Security Breach" means the unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of Personally Identifiable Information maintained by the information holder as part of a database regarding multiple individuals, and that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of the Commonwealth of Kentucky, consistent with the definition under KRS § 365.732.

1.5 "Business Continuity Plan" or "BCP" means Provider's documented plan for maintaining essential business functions during and after a disaster or disruption, including recovery procedures for the Services.

1.6 "Consumer Data" means personal data as defined under the Kentucky Consumer Data Protection Act (KRS § 367.700 et seq.), which includes data that is linked or reasonably linkable to an identified or identifiable individual, but excludes de-identified data or publicly available information.

1.7 "Customer Data" means all data, information, records, documents, files, and materials provided by or on behalf of Customer, or collected, generated, or processed by Provider in connection with the Services, including Personally Identifiable Information, Consumer Data, Confidential Information, and Trade Secrets.

1.8 "Data Processing" or "Processing" means any operation or set of operations performed on Customer Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

1.9 "Disaster Recovery Plan" or "DRP" means Provider's documented plan for the restoration of the Services, systems, and Customer Data following a disaster, outage, or material disruption.

1.10 "Encryption" means the process of converting data into a coded form using industry-standard cryptographic algorithms to prevent unauthorized access, rendering the data unreadable without the corresponding decryption key.

1.11 "Information Holder" means any person or business entity that conducts business in Kentucky and owns or licenses computerized data that includes Personally Identifiable Information, consistent with KRS § 365.732.

1.12 "Information Security Program" means Provider's comprehensive, written program of policies, procedures, standards, and technical, administrative, and physical safeguards designed to protect Customer Data, as more fully described in Article 3 of this Addendum.

1.13 "Key Personnel" means Provider's Chief Information Security Officer (CISO), Data Protection Officer (DPO), Security Operations Center (SOC) Manager, Incident Response Lead, and any other individuals designated by Provider as having primary responsibility for the security of Customer Data.

1.14 "NIST" means the National Institute of Standards and Technology, an agency of the United States Department of Commerce.

1.15 "Penetration Test" means a simulated cyberattack against Provider's systems, applications, and networks conducted by qualified third-party security professionals to evaluate the security posture and identify vulnerabilities.

1.16 "Personally Identifiable Information" means, consistent with the definition under KRS § 365.732(1)(c), an individual's first name or first initial and last name in combination with any one (1) or more of the following data elements, when the name or the data elements are not encrypted or redacted:

(a) Social Security number;

(b) Driver's license number;

(c) Account number, or credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

The term does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

1.17 "Recovery Point Objective" or "RPO" means the maximum acceptable amount of data loss measured in time, establishing the point in time to which Customer Data must be recovered following a disruption.

1.18 "Recovery Time Objective" or "RTO" means the maximum acceptable duration of time within which the Services must be restored following a disruption.

1.19 "Security Incident" means any event that may compromise the confidentiality, integrity, or availability of Customer Data or Provider's systems, but that does not rise to the level of a confirmed Breach.

1.20 "Subprocessor" means any third party engaged by Provider that Processes Customer Data on behalf of Provider in connection with the Services.

1.21 "Trade Secret" means information as defined in the Kentucky Uniform Trade Secrets Act, KRS § 365.880(4), including a formula, pattern, compilation, program, device, method, technique, or process that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

1.22 "Vulnerability" means a weakness in a system, application, network, or process that could be exploited by a threat actor to compromise the confidentiality, integrity, or availability of Customer Data or the Services.


ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE

2.1 Scope. This Addendum applies to all Services provided under the Master Agreement that involve the Processing, storage, transmission, or access to Customer Data, including Personally Identifiable Information and Consumer Data of Kentucky residents. This Addendum establishes the minimum security obligations of Provider.

2.2 Order of Precedence. In the event of any conflict or inconsistency between this Addendum and the Master Agreement, this Addendum shall control with respect to information security, data protection, and breach notification matters. In the event of any conflict between this Addendum and applicable Kentucky law, the more protective provision shall apply.

2.3 Incorporation. This Addendum is incorporated into and forms an integral part of the Master Agreement. All terms and conditions of the Master Agreement that are not expressly modified by this Addendum shall remain in full force and effect.

2.4 Regulatory Floor. The security requirements set forth in this Addendum represent minimum standards. Provider shall comply with all applicable federal, state, and local laws, regulations, and industry standards that impose more stringent requirements.

2.5 Kentucky Consumer Data Protection Act Compliance. The Parties acknowledge that the Kentucky Consumer Data Protection Act (KRS § 367.700 et seq.), effective January 1, 2026, establishes consumer rights including the right to access, correct, delete, and obtain a copy of personal data, and the right to opt out of processing for targeted advertising, sale of personal data, and profiling. Provider shall implement and maintain technical and organizational measures sufficient to enable Customer to comply with all obligations under the Kentucky Consumer Data Protection Act.


ARTICLE 3 — INFORMATION SECURITY PROGRAM

3.1 General Obligation. Provider shall establish, implement, maintain, and continuously improve a comprehensive, written Information Security Program designed to protect Customer Data against unauthorized access, acquisition, use, disclosure, modification, destruction, or other compromise.

3.2 Framework Alignment. Provider's Information Security Program shall be aligned with and shall materially conform to the following frameworks:

(a) ISO/IEC 27001:2022 — Information Security Management System (ISMS);

(b) SOC 2 Type II — Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy);

(c) NIST Cybersecurity Framework (CSF) 2.0 — Identify, Protect, Detect, Respond, Recover, and Govern functions.

3.3 Certifications. Provider shall maintain current:

(a) ISO/IEC 27001:2022 certification covering all systems and environments used to Process Customer Data;

(b) SOC 2 Type II report covering the most recent twelve (12) month period.

Provider shall furnish copies of all certifications and reports to Customer within thirty (30) days of issuance and promptly upon request.

3.4 Security Policies. Provider shall maintain documented security policies addressing, at a minimum: acceptable use, access control, asset management, business continuity, change management, cryptography, data classification, human resources security, incident management, network security, operations security, physical security, supplier relationships, and system acquisition and development.

3.5 Risk Assessments. Provider shall conduct comprehensive risk assessments at least annually, and additionally upon any material change to the Services, infrastructure, or threat landscape. Risk assessments shall follow the NIST SP 800-30 or ISO/IEC 27005 methodology and shall be documented and made available to Customer upon request.

3.6 Insurance Data Security Alignment. To the extent Customer is a licensee subject to the Kentucky Insurance Data Security Act (KRS § 304.3-750 et seq.), Provider shall implement and maintain security controls that comply with the requirements of said Act, including maintaining an information security program and conducting risk assessments as required thereunder.


ARTICLE 4 — ACCESS CONTROLS

4.1 Role-Based Access Control (RBAC). Provider shall implement and enforce role-based access controls ensuring that Authorized Personnel are granted access to Customer Data solely on a need-to-know, least-privilege basis commensurate with their job responsibilities.

4.2 Multi-Factor Authentication (MFA). Provider shall require multi-factor authentication for:

(a) All remote access to systems containing Customer Data;

(b) All administrative and privileged access to production environments;

(c) All access to Provider's management console or control plane;

(d) All VPN and remote desktop connections;

(e) All access to code repositories containing application code for the Services.

4.3 Access Reviews. Provider shall conduct formal access reviews on a quarterly basis to verify that:

(a) Access rights remain appropriate and are consistent with the principle of least privilege;

(b) Terminated or transferred personnel have had access promptly revoked;

(c) Dormant accounts (inactive for more than thirty (30) days) are disabled;

(d) Privileged accounts are inventoried and justified.

4.4 Password and Credential Management. Provider shall enforce password policies requiring:

(a) Minimum length of fourteen (14) characters;

(b) Complexity requirements including uppercase, lowercase, numeric, and special characters;

(c) Password expiration no less frequently than every ninety (90) days for non-MFA accounts;

(d) Account lockout after no more than five (5) consecutive failed authentication attempts;

(e) Prohibition on the reuse of the last twelve (12) passwords.

4.5 Privileged Access Management. Provider shall implement a privileged access management (PAM) solution with session recording, just-in-time access provisioning, and automatic credential rotation for all administrative and service accounts.


ARTICLE 5 — ENCRYPTION STANDARDS

5.1 Data in Transit. All Customer Data transmitted over any network shall be encrypted using:

(a) TLS 1.2 or higher for all web-based and API communications;

(b) IPsec or WireGuard VPN for site-to-site and remote connections;

(c) SFTP or SCP for file transfers (FTP is prohibited);

(d) Provider shall disable support for SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 on every endpoint that transmits or receives Customer Data.

5.2 Data at Rest. All Customer Data stored in any medium shall be encrypted using:

(a) AES-256 (or equivalent) for databases, file systems, storage volumes, and backups;

(b) Full-disk encryption on all endpoints, workstations, and portable media;

(c) Envelope encryption with hardware security modules (HSMs) for key wrapping.

5.3 Key Management. Provider shall implement a key management program that includes:

(a) Generation of cryptographic keys using FIPS 140-2 or FIPS 140-3 Level 3 (or higher) validated modules;

(b) Separation of key management duties with dual control and split knowledge;

(c) Automated key rotation at least annually, and upon compromise or suspected compromise;

(d) Secure key storage in dedicated HSMs or equivalent FIPS-validated devices;

(e) Key revocation and destruction procedures in accordance with NIST SP 800-57.

5.4 Kentucky Encryption Safe Harbor. The Parties acknowledge that under KRS § 365.732, the breach notification obligation applies to unencrypted and unredacted Personally Identifiable Information. Encryption of Personally Identifiable Information in accordance with this Article provides a safe harbor from breach notification requirements under Kentucky law, provided the encryption keys have not been compromised.


ARTICLE 6 — NETWORK SECURITY

6.1 Network Segmentation. Provider shall implement network segmentation to isolate Customer Data environments from corporate networks, development environments, and other customer environments. Segmentation shall be enforced through firewalls, VLANs, or software-defined networking controls.

6.2 Firewalls and Access Control Lists. Provider shall deploy and maintain enterprise-grade firewalls with:

(a) Default-deny inbound and outbound rules;

(b) Stateful packet inspection;

(c) Application-layer filtering;

(d) Rule reviews at least quarterly with documentation of business justification for each rule;

(e) Geo-blocking of traffic from jurisdictions not required for the Services.

6.3 Intrusion Detection and Prevention. Provider shall deploy and maintain network-based and host-based intrusion detection and prevention systems (IDS/IPS) that:

(a) Monitor all network traffic to and from Customer Data environments;

(b) Are updated with current threat signatures and behavioral analytics;

(c) Generate alerts that are monitored by Provider's Security Operations Center (SOC) on a 24/7/365 basis;

(d) Integrate with Provider's SIEM platform for correlation and analysis.

6.4 DDoS Mitigation. Provider shall implement distributed denial-of-service (DDoS) mitigation measures including volumetric, protocol, and application-layer protections through dedicated DDoS mitigation services or content delivery networks (CDNs).

6.5 Wireless Security. Provider shall secure all wireless networks using WPA3 Enterprise or equivalent, with separate SSIDs for corporate and guest networks, and no wireless access to Customer Data environments.

6.6 DNS Security. Provider shall implement DNSSEC, DNS filtering, and monitoring of DNS queries for indicators of compromise.


ARTICLE 7 — APPLICATION SECURITY

7.1 Secure Development Lifecycle (SDLC). Provider shall maintain a secure software development lifecycle that incorporates security at every phase:

(a) Requirements — Security and privacy requirements defined and documented;

(b) Design — Threat modeling conducted for all new features and material changes;

(c) Development — Secure coding standards (OWASP, CERT) enforced via automated tooling;

(d) Testing — Security testing integrated into CI/CD pipeline;

(e) Deployment — Hardened configurations, least-privilege service accounts;

(f) Maintenance — Patch management and ongoing vulnerability monitoring.

7.2 OWASP Compliance. Provider shall test for and remediate all vulnerabilities identified in the current OWASP Top 10 and OWASP API Security Top 10 prior to production deployment.

7.3 Static Application Security Testing (SAST). Provider shall perform automated SAST on all application code at each build, with blocking rules for critical and high-severity findings.

7.4 Dynamic Application Security Testing (DAST). Provider shall perform DAST scans against staging and production environments at least monthly, with remediation in accordance with the timelines set forth in Article 8.

7.5 Software Composition Analysis (SCA). Provider shall maintain an inventory of all third-party and open-source components, monitor for known vulnerabilities (CVEs), and remediate or replace vulnerable components in accordance with Article 8.

7.6 Code Reviews. All code changes to production systems shall undergo peer review by at least one developer other than the author, with documented approval prior to merge.


ARTICLE 8 — VULNERABILITY MANAGEMENT

8.1 Scanning. Provider shall conduct authenticated vulnerability scans of all systems, networks, and applications in the Customer Data environment at least weekly, using industry-recognized scanning tools.

8.2 Remediation Timelines. Provider shall remediate identified vulnerabilities within the following timelines measured from the date of discovery or notification:

(a) Critical Severity (CVSS 9.0–10.0): Twenty-four (24) hours;

(b) High Severity (CVSS 7.0–8.9): Seven (7) calendar days;

(c) Medium Severity (CVSS 4.0–6.9): Thirty (30) calendar days;

(d) Low Severity (CVSS 0.1–3.9): Ninety (90) calendar days.

8.3 Zero-Day Vulnerabilities. Upon identification of a zero-day vulnerability affecting systems Processing Customer Data, Provider shall implement compensating controls (e.g., WAF rules, network isolation, access restrictions) within four (4) hours of identification, and shall complete permanent remediation within forty-eight (48) hours after a patch or vendor-supplied fix becomes available. Compensating controls shall remain in place until permanent remediation is verified.

8.4 Patch Management. Provider shall maintain a formal patch management program with:

(a) Automated patch deployment where feasible;

(b) Testing of patches in a staging environment prior to production deployment;

(c) Emergency patching procedures for critical vulnerabilities;

(d) Documentation of patching decisions, including risk acceptance for deferred patches.

8.5 Vulnerability Reporting. Provider shall furnish Customer with monthly vulnerability summary reports, including metrics on scan coverage, identified vulnerabilities, remediation rates, and open items.


ARTICLE 9 — LOGGING, MONITORING, AND AUDIT

9.1 Logging Requirements. Provider shall generate and maintain comprehensive audit logs for all systems Processing Customer Data, including:

(a) Authentication events (successful and failed);

(b) Authorization changes and privilege escalations;

(c) Data access, creation, modification, and deletion events;

(d) Administrative and configuration changes;

(e) Network traffic logs (flow and connection logs);

(f) Application-level events and errors;

(g) Security events (firewall, IDS/IPS, anti-malware).

9.2 Log Integrity. Provider shall ensure the integrity of audit logs through:

(a) Write-once or append-only storage mechanisms;

(b) Cryptographic hash verification;

(c) Centralized log aggregation to prevent local tampering;

(d) Separation of duties between log administrators and system administrators.

9.3 SIEM Platform. Provider shall operate a Security Information and Event Management (SIEM) platform that:

(a) Aggregates and correlates logs from all systems in real-time;

(b) Applies behavioral analytics and threat intelligence feeds;

(c) Generates automated alerts for anomalous or suspicious activity;

(d) Is monitored by qualified security analysts on a 24/7/365 basis.

9.4 Retention. Provider shall retain all security-relevant logs for a minimum of twelve (12) months in immediately accessible online storage, and for an additional twelve (12) months in secure archival storage, for a total retention period of twenty-four (24) months.

9.5 Log Access. Customer shall have the right to request and receive relevant log data pertaining to Customer Data and Customer's use of the Services within five (5) business days of such request.


ARTICLE 10 — DATA SEGREGATION AND RESIDENCY

10.1 Logical Segregation. Provider shall maintain logical segregation of Customer Data from the data of other customers and Provider's own corporate data at all layers of the architecture (application, database, storage, network, and backup).

10.2 Tenant Isolation. Where multi-tenant architecture is employed, Provider shall implement tenant isolation controls that prevent any cross-tenant data access, including through application logic, database schemas or separate databases, encryption with customer-specific keys, and network-level isolation.
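An added example of the "application logic" layer of the isolation described in 10.2 (this is illustrative code, not part of the Addendum or any Provider's product): a lookup keyed only by the record identifier supplied in a request serves any tenant's row to any caller, while a repository that binds the caller's tenant into every query returns nothing for rows it does not own and refuses cross-tenant updates. The table, tenant names, and rows are constructed sample data; the database is an in-memory SQLite instance chosen so the example runs offline.

```python
"""Cross-tenant read: id-only lookup (vulnerable) vs. tenant-scoped repository (hardened).

Added example illustrating Article 10.2; not part of the Addendum. Schema and
rows below are constructed sample data.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory database holding records for two constructed tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, payload TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", [
        (1, "tenant-a", "A's invoice"),
        (2, "tenant-b", "B's invoice"),
        (3, "tenant-a", "A's contract"),
    ])
    # Index led by tenant_id so the scoping predicate is cheap and never "optimised away"
    conn.execute("CREATE INDEX idx_records_tenant ON records (tenant_id, id)")
    conn.commit()
    return conn


def get_record_vulnerable(conn: sqlite3.Connection, record_id: int):
    """Trusts the id from the request and never consults the caller's tenant.

    Any authenticated user of tenant A who guesses id=2 reads tenant B's row.
    """
    row = conn.execute("SELECT payload FROM records WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None


def get_record(conn: sqlite3.Connection, caller_tenant: str, record_id: int):
    """Tenant scoping enforced in the query: the row must belong to the caller's tenant."""
    row = conn.execute(
        "SELECT payload FROM records WHERE tenant_id = ? AND id = ?",
        (caller_tenant, record_id),
    ).fetchone()
    return row[0] if row else None


class TenantScopedRepo:
    """Binds a connection to one tenant so call sites cannot omit the predicate."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self._conn = conn
        self._tenant = tenant_id

    def get(self, record_id: int):
        return get_record(self._conn, self._tenant, record_id)

    def list_ids(self) -> list:
        rows = self._conn.execute(
            "SELECT id FROM records WHERE tenant_id = ? ORDER BY id", (self._tenant,)
        )
        return [r[0] for r in rows]

    def update_payload(self, record_id: int, payload: str) -> bool:
        # Same tenant predicate on writes; rowcount tells us whether anything matched
        cur = self._conn.execute(
            "UPDATE records SET payload = ? WHERE tenant_id = ? AND id = ?",
            (payload, self._tenant, record_id),
        )
        self._conn.commit()
        return cur.rowcount == 1


def demo() -> dict:
    """Tenant A tries to read and modify tenant B's record 2 through both paths."""
    conn = setup_db()
    tenant_a = TenantScopedRepo(conn, "tenant-a")
    return {
        "vulnerable_cross_tenant": get_record_vulnerable(conn, 2),  # "B's invoice" leaks
        "scoped_cross_tenant": tenant_a.get(2),                      # None
        "scoped_own": tenant_a.get(1),                               # "A's invoice"
        "a_ids": tenant_a.list_ids(),                                # [1, 3]
        "cross_tenant_update": tenant_a.update_payload(2, "tampered"),  # False
        "b_still_intact": get_record(conn, "tenant-b", 2),           # "B's invoice"
    }


if __name__ == "__main__":
    print(demo())
```

The query-layer predicate is only one of the four controls 10.2 lists; database-side row-level policies, per-tenant encryption keys, and network isolation are independent layers, and a Customer reviewing a Provider's design should expect all of them rather than accept the application check alone.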

10.3 Data Residency. Provider shall store and process Customer Data solely within the continental United States unless Customer provides prior written consent to a specific alternative location. Provider shall promptly notify Customer of any proposed change to data storage or processing locations.

10.4 Data Classification. Provider shall apply Customer's data classification scheme (or a comparable scheme agreed upon by the Parties) to Customer Data and implement security controls proportionate to the classification level.


ARTICLE 11 — PENETRATION TESTING

11.1 Annual Testing. Provider shall engage an independent, qualified third-party security firm to conduct comprehensive penetration testing at least annually. Testing shall include:

(a) External network penetration testing;

(b) Internal network penetration testing;

(c) Web application penetration testing (all customer-facing applications);

(d) API security testing;

(e) Social engineering and phishing assessments;

(f) Wireless network penetration testing.

11.2 Scope. Penetration testing shall cover all systems, applications, networks, and infrastructure used to Process, store, or transmit Customer Data.

11.3 Methodology. Penetration testing shall follow industry-recognized methodologies (e.g., PTES, OWASP Testing Guide, NIST SP 800-115) and shall simulate realistic threat scenarios.

11.4 Reporting. Provider shall furnish Customer with complete, unredacted penetration test reports within thirty (30) days of test completion, subject to Provider's execution of a mutual non-disclosure agreement with the testing firm where required.

11.5 Remediation. Provider shall remediate all findings in accordance with the timelines set forth in Article 8 (Vulnerability Management), measured from the date of the final penetration test report.

11.6 Customer Testing. Customer shall have the right to conduct or commission its own penetration testing of Provider's environments used for the Services, upon thirty (30) days' written notice and subject to reasonable scheduling coordination, at Customer's expense.


ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY

12.1 Business Continuity Plan. Provider shall maintain a documented Business Continuity Plan covering all aspects of the Services, including:

(a) Business impact analysis (BIA) identifying critical functions and dependencies;

(b) Succession planning for Key Personnel;

(c) Communication plans for Customer and other stakeholders;

(d) Alternative processing capabilities and facilities;

(e) Supply chain continuity measures.

12.2 Disaster Recovery Plan. Provider shall maintain a documented Disaster Recovery Plan providing for the recovery of the Services, systems, and Customer Data following a disaster or material disruption.

12.3 Recovery Objectives. Provider shall achieve the following recovery objectives:

(a) Recovery Point Objective (RPO): [____] hours — the maximum data loss measured in time;

(b) Recovery Time Objective (RTO): [____] hours — the maximum downtime for the Services.

12.4 Backup and Restoration. Provider shall:

(a) Perform automated backups of all Customer Data at least daily;

(b) Store backups in a geographically separate facility at least [____] miles from the primary data center;

(c) Encrypt all backups using AES-256 or equivalent;

(d) Test backup restoration at least quarterly and document results;

(e) Retain backups for a minimum of thirty (30) days.

12.5 Annual Testing. Provider shall test the BCP and DRP at least annually through tabletop exercises, functional tests, or full-scale simulations, and shall furnish Customer with a written summary of test results, findings, and corrective actions within thirty (30) days of each test.

12.6 Notification. Provider shall notify Customer within one (1) hour of declaring a disaster or invoking the DRP, and shall provide ongoing status updates at least every four (4) hours until full restoration.


ARTICLE 13 — INCIDENT RESPONSE AND BREACH NOTIFICATION

13.1 Incident Response Plan

Provider shall maintain a documented Incident Response Plan that includes:

(a) Defined incident classification and severity levels;

(b) Roles and responsibilities of the incident response team;

(c) Escalation procedures and communication protocols;

(d) Containment, eradication, and recovery procedures;

(e) Evidence preservation and chain of custody procedures;

(f) Post-incident review and lessons-learned processes;

(g) Integration with Kentucky-specific breach notification requirements under KRS § 365.732.

13.2 Incident Notification to Customer

Provider shall notify Customer of any Security Incident or Breach as follows:

(a) Initial Notification: Within twenty-four (24) hours of Provider's confirmation of a Security Incident that may involve Customer Data;

(b) Detailed Notification: Within seventy-two (72) hours, including a description of the incident, the categories and approximate number of affected records, the likely consequences, and the measures taken or proposed to address the incident;

(c) Ongoing Updates: At least daily until the incident is resolved.

13.3 Kentucky Breach Notification — KRS § 365.732

This section establishes obligations specific to compliance with Kentucky's security breach notification statute.

13.3.1 Notification Trigger. Under KRS § 365.732, any person or business entity that conducts business in Kentucky and owns or licenses computerized data that includes unencrypted and unredacted Personally Identifiable Information shall, following discovery or notification of a breach of the security of the system, notify any affected resident of the Commonwealth of Kentucky whose unencrypted Personally Identifiable Information was or is reasonably believed to have been accessed and acquired by an unauthorized person, where the unauthorized acquisition actually causes, or the information holder reasonably believes has caused or will cause, identity theft or fraud.

13.3.2 Notification Timeline. Notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system. Provider shall use commercially reasonable efforts to issue notifications within forty-five (45) days of discovery.

13.3.3 Consumer Reporting Agencies. Under KRS § 365.732(3), if notification is required to more than one thousand (1,000) persons at one time, the information holder shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notice to the affected individuals.

13.3.4 Kentucky Attorney General. Provider shall cooperate with Customer in notifying the Kentucky Attorney General of any breach affecting Kentucky residents if such notification is required or advisable.

13.3.5 Notice Content. The breach notification shall include, at a minimum:

(a) A description of the categories of Personally Identifiable Information that were the subject of the breach;

(b) The date or estimated date range of the breach;

(c) A description of the actions taken to investigate and remediate the breach;

(d) Contact information for the notifying entity, including toll-free telephone number, mailing address, and email address;

(e) The toll-free telephone numbers, addresses, and websites for the three major credit reporting agencies;

(f) Advice that the individual is entitled to obtain a free credit report and should remain vigilant by reviewing account statements and monitoring credit reports;

(g) Contact information for the Kentucky Attorney General's Office of Consumer Protection.

13.3.6 Methods of Notice. Notice may be provided by:

(a) Written notice sent to the most recent address the information holder has on file for the affected individual;

(b) Electronic notice, if the information holder's primary method of communication with the affected individual is by electronic means, consistent with 15 U.S.C. § 7001 (E-SIGN Act);

(c) Substitute notice, if the information holder demonstrates that the cost of providing notice would exceed Two Hundred Fifty Thousand Dollars ($250,000) or the affected class exceeds five hundred thousand (500,000) persons, or the information holder does not have sufficient contact information, consisting of: (i) email notice when available, (ii) conspicuous posting of the notice on the information holder's website, and (iii) notice to major statewide media.

13.3.7 Enforcement and Remedies. KRS § 365.732 does not establish new penalties or create a new cause of action specific to the statute. However, under KRS § 446.070, a person injured by the violation of any Kentucky statute may recover damages sustained by reason of the violation. Additionally, the Kentucky Attorney General may enforce the statute under the Kentucky Consumer Protection Act (KRS § 367.110 et seq.).

13.3.8 Third-Party Data Maintainers. Under KRS § 365.732(2), any person or business entity that maintains computerized data that includes Personally Identifiable Information but does not own or license such data shall notify the owner or licensee of the data following discovery or notification of a breach of the security of the system.

13.4 Provider Obligations During a Breach

Provider shall:

(a) Immediately contain and investigate the Breach;

(b) Preserve all evidence and maintain chain of custody documentation;

(c) Engage qualified forensic investigators at Provider's expense;

(d) Provide Customer with complete forensic reports within thirty (30) days of incident closure;

(e) Implement corrective measures to prevent recurrence;

(f) Fund credit monitoring and identity theft protection services for affected individuals for a period of at least twenty-four (24) months;

(g) Coordinate with law enforcement as appropriate;

(h) Not issue any public statement or notification regarding the Breach without Customer's prior written approval unless legally compelled.


ARTICLE 14 — SUBPROCESSOR MANAGEMENT

14.1 Prior Approval. Provider shall not engage any Subprocessor to Process Customer Data without Customer's prior written approval. Provider shall maintain a current list of all approved Subprocessors, including their identity, location, and scope of processing.

14.2 Due Diligence. Before engaging any Subprocessor, Provider shall conduct a thorough security assessment of the Subprocessor's security practices, policies, and technical controls to ensure they meet or exceed the requirements of this Addendum.

14.3 Contractual Flow-Down. Provider shall impose on each Subprocessor, by written contract, data protection and security obligations no less protective than those imposed on Provider under this Addendum, including compliance with KRS § 365.732(2) third-party notification requirements.

14.4 Oversight and Audit. Provider shall monitor and audit each Subprocessor's compliance with security requirements at least annually and shall promptly address any deficiencies.

14.5 Liability. Provider shall remain fully liable for the acts and omissions of its Subprocessors in relation to Customer Data, as if such acts or omissions were Provider's own.

14.6 Notification of Changes. Provider shall notify Customer at least thirty (30) days in advance of any proposed addition or replacement of a Subprocessor. Customer shall have the right to object to any proposed Subprocessor and, if the objection cannot be resolved, to terminate the affected Services without penalty.


ARTICLE 15 — PERSONNEL SECURITY

15.1 Background Checks. Provider shall conduct comprehensive background checks on all Authorized Personnel prior to granting access to Customer Data, including criminal history, employment verification, and education verification, to the extent permitted by Kentucky law.

15.2 Security Training. Provider shall require all Authorized Personnel to complete:

(a) Security awareness training upon hiring and at least annually thereafter;

(b) Role-specific security training for personnel with elevated access privileges;

(c) Phishing simulation exercises at least quarterly;

(d) Training on Kentucky-specific data protection requirements, including KRS § 365.732 and KRS § 367.700 et seq. (Kentucky Consumer Data Protection Act).

15.3 Confidentiality Agreements. All Authorized Personnel shall execute written confidentiality and non-disclosure agreements prior to accessing Customer Data.

15.4 Termination Procedures. Upon termination or transfer of any Authorized Personnel, Provider shall:

(a) Revoke all access to Customer Data and related systems within four (4) hours of termination;

(b) Collect and secure all company-issued devices, badges, and credentials;

(c) Conduct an exit interview addressing confidentiality obligations.


ARTICLE 16 — PHYSICAL SECURITY

16.1 Data Center Requirements. Provider shall ensure that all data centers and facilities housing Customer Data maintain the following physical security controls:

(a) 24/7/365 on-site security personnel or remote monitoring;

(b) Multi-layered perimeter security with barriers, fencing, and controlled entry points;

(c) Biometric and multi-factor authentication for facility access;

(d) Mantrap or airlock entry systems for sensitive areas;

(e) Closed-circuit television (CCTV) surveillance with recording and at least ninety (90) days retention;

(f) Environmental controls including fire suppression, climate control, water detection, and redundant power;

(g) Visitor management with photo identification, escort requirements, and access logs;

(h) SOC 2 Type II or ISO 27001 certification for all data center facilities.

16.2 Media Handling. Provider shall implement secure media handling procedures including:

(a) Encryption of all portable media containing Customer Data;

(b) Tracking and inventory of all media;

(c) Secure disposal of media using NIST SP 800-88 methods (Clear, Purge, or Destroy as appropriate);

(d) Certificates of destruction furnished to Customer upon request.


ARTICLE 17 — INSURANCE

17.1 Required Coverage. Provider shall obtain and maintain throughout the term of the Master Agreement and this Addendum, at its own expense, the following insurance coverage:

(a) Cyber Liability / Technology Errors and Omissions Insurance: No less than Five Million Dollars ($5,000,000) per occurrence and in the aggregate, covering:
- Data breach response costs, including notification, credit monitoring, and forensic investigation;
- Network security liability;
- Privacy liability;
- Media liability;
- Regulatory defense and penalties;
- PCI-DSS fines and assessments;
- Cyber extortion and ransomware;

(b) Professional Liability / Errors and Omissions Insurance: No less than Two Million Dollars ($2,000,000) per occurrence and in the aggregate;

(c) Commercial General Liability Insurance: No less than One Million Dollars ($1,000,000) per occurrence and Two Million Dollars ($2,000,000) in the aggregate;

(d) Workers' Compensation Insurance: As required by Kentucky law (KRS Ch. 342).

17.2 Policy Requirements. All insurance policies shall:

(a) Be issued by insurers with an A.M. Best rating of A- VII or better;

(b) Name Customer as an additional insured on the CGL policy;

(c) Provide a waiver of subrogation in favor of Customer;

(d) Require the insurer to provide Customer with thirty (30) days' prior written notice of cancellation or material modification;

(e) Be primary and non-contributory with respect to any insurance maintained by Customer.

17.3 Evidence of Insurance. Provider shall furnish certificates of insurance to Customer upon execution of this Addendum and annually thereafter, and promptly upon request.


ARTICLE 18 — AUDIT RIGHTS

18.1 Customer Audit Rights. Customer shall have the right, at its own expense and upon thirty (30) days' prior written notice, to audit Provider's compliance with this Addendum. Such audit may include:

(a) On-site inspection of facilities, systems, and records;

(b) Review of policies, procedures, and security documentation;

(c) Interviews with Key Personnel and Authorized Personnel;

(d) Review of penetration test reports, vulnerability scan results, and incident response records;

(e) Testing of technical controls.

18.2 Frequency. Customer may conduct audits up to once per year under normal circumstances, and at any time following a Security Incident, Breach, or material change in Provider's security posture.

18.3 Third-Party Auditors. Customer may engage qualified third-party auditors to conduct audits on its behalf, subject to such auditors executing a non-disclosure agreement acceptable to Provider.

18.4 Cooperation. Provider shall cooperate fully with all audits, provide timely access to facilities, systems, records, and personnel, and respond to audit findings with a remediation plan within fifteen (15) business days.

18.5 Regulatory Audits. Provider shall cooperate with audits or examinations by any regulatory authority with jurisdiction over Customer, including the Kentucky Attorney General's Office of Consumer Protection and the Kentucky Department of Financial Institutions.


ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING

19.1 Security Governance Committee. The Parties shall establish a joint Security Governance Committee consisting of designated representatives from each Party, which shall meet at least quarterly to:

(a) Review Provider's security posture and compliance with this Addendum;

(b) Discuss emerging threats, vulnerabilities, and security trends;

(c) Review incident reports and security metrics;

(d) Address any security concerns raised by either Party;

(e) Review and approve changes to security policies and procedures.

19.2 Security Reporting. Provider shall furnish Customer with the following reports:

(a) Monthly: Vulnerability scan summaries, patch compliance metrics, and security incident summaries;

(b) Quarterly: Access review results, security awareness training completion rates, and KPI dashboards;

(c) Annually: Penetration test reports, risk assessment results, BCP/DRP test results, SOC 2 Type II reports, and ISO 27001 certification status;

(d) Ad Hoc: Any material change in security posture, key personnel, or Subprocessor arrangements.

19.3 Key Performance Indicators. Provider shall track and report on the following security KPIs:

(a) Mean time to detect (MTTD) security incidents;

(b) Mean time to respond (MTTR) to security incidents;

(c) Vulnerability remediation rates by severity;

(d) Patch compliance percentage;

(e) Security training completion rates;

(f) Uptime and availability of the Services.


ARTICLE 20 — DATA RETURN AND DESTRUCTION

20.1 Data Return. Upon expiration or termination of the Master Agreement, or upon Customer's written request at any time, Provider shall:

(a) Return all Customer Data to Customer in a mutually agreed-upon, industry-standard, machine-readable format within thirty (30) calendar days;

(b) Provide reasonable assistance to Customer in migrating Customer Data, at Provider's standard professional services rates (unless termination is due to Provider's breach, in which case at no charge).

20.2 Data Destruction. Following confirmation of successful data return, or upon Customer's written instruction, Provider shall:

(a) Securely destroy all copies of Customer Data in Provider's possession or control, including copies in backup systems, disaster recovery environments, and archival storage;

(b) Destruction shall be performed in accordance with NIST SP 800-88 Rev. 1 guidelines (Clear, Purge, or Destroy as appropriate to the media type);

(c) Provider shall furnish Customer with a written certificate of destruction, signed by an authorized officer of Provider, within fifteen (15) calendar days of destruction;

(d) The certificate shall specify the data destroyed, the method of destruction, the date of destruction, and the identity of the person who performed the destruction.

20.3 Retention Exception. Provider may retain Customer Data only to the extent required by applicable law, regulation, or court order, provided that Provider: (a) notifies Customer of such retention requirement, (b) limits retention to the minimum data and duration required, and (c) continues to protect such retained data in accordance with this Addendum.

20.4 Subprocessor Data. Provider shall ensure that all Subprocessors return or destroy Customer Data in accordance with the same standards set forth in this Article.


ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES

21.1 Provider Indemnification. Provider shall defend, indemnify, and hold harmless Customer, its officers, directors, employees, agents, and affiliates from and against all claims, demands, actions, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees and court costs) arising from or related to:

(a) Any Breach of Customer Data caused by Provider's negligence, willful misconduct, or failure to comply with this Addendum;

(b) Provider's failure to comply with KRS § 365.732 or the Kentucky Consumer Data Protection Act (KRS § 367.700 et seq.), or any other applicable data protection law;

(c) Any unauthorized access to, acquisition of, or disclosure of Customer Data resulting from Provider's failure to implement or maintain the security controls required by this Addendum;

(d) Any regulatory investigation, enforcement action, fine, or penalty arising from Provider's acts or omissions with respect to Customer Data;

(e) Any third-party claims arising from a Breach, including claims under KRS § 446.070, class action lawsuits, individual claims, and regulatory proceedings.

21.2 Costs and Expenses. Provider's indemnification obligations shall include, without limitation:

(a) Costs of breach notification to affected individuals and consumer reporting agencies;

(b) Credit monitoring and identity theft protection services;

(c) Forensic investigation costs;

(d) Public relations and crisis management costs;

(e) Call center costs for affected individuals;

(f) Regulatory fines and penalties;

(g) Costs of litigation defense and settlement.

21.3 Limitation. The indemnification obligations under this Article shall not be subject to any limitation of liability caps set forth in the Master Agreement, unless expressly stated otherwise in a separate written amendment executed by both Parties.


ARTICLE 22 — STATE-SPECIFIC LEGAL PROVISIONS — KENTUCKY

22.1 Governing Law. This Addendum shall be governed by and construed in accordance with the laws of the Commonwealth of Kentucky, without regard to its conflict of laws principles.

22.2 Venue and Jurisdiction. Any dispute, claim, or controversy arising out of or relating to this Addendum shall be brought exclusively in the state or federal courts located in Franklin County, Kentucky, or such other county as may be agreed by the Parties. Each Party irrevocably consents to the exclusive jurisdiction and venue of such courts.

22.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY KENTUCKY LAW, EACH PARTY HEREBY KNOWINGLY, VOLUNTARILY, AND IRREVOCABLY WAIVES ALL RIGHT TO A TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS ADDENDUM OR THE TRANSACTIONS CONTEMPLATED HEREBY.

22.4 Trade Secret Protection. Provider acknowledges that Customer Data may contain Trade Secrets as defined in the Kentucky Uniform Trade Secrets Act (KRS § 365.880 et seq.). Provider shall maintain all such Trade Secrets in strict confidence and shall implement protections consistent with KRS § 365.880(4), including reasonable measures to maintain secrecy. In the event of misappropriation, Customer shall be entitled to all remedies available under the Act, including injunctive relief (KRS § 365.882), damages (KRS § 365.884), and attorneys' fees (KRS § 365.886).

22.5 Computer Crimes. Provider acknowledges that unauthorized access to or modification of Customer Data may constitute unlawful access to a computer (KRS § 434.845) or other computer-related offenses under Kentucky law, which may give rise to both criminal penalties and civil liability.

22.6 Kentucky Consumer Data Protection Act. Provider shall cooperate with Customer in complying with the Kentucky Consumer Data Protection Act (KRS § 367.700 et seq., effective January 1, 2026), including but not limited to:

(a) Honoring consumer rights to access, correct, delete, and obtain a portable copy of personal data;

(b) Implementing mechanisms to facilitate consumer opt-out requests for targeted advertising, sale of personal data, and profiling;

(c) Conducting data protection assessments as required;

(d) Maintaining appropriate technical and organizational safeguards for consumer data;

(e) Complying with data minimization and purpose limitation requirements;

(f) Providing transparency through privacy notices regarding data collection and processing practices.

22.7 Insurance Data Security. To the extent applicable, Provider shall comply with the Kentucky Insurance Data Security Act (KRS § 304.3-750 et seq.), including requirements for information security programs, risk assessments, and notification to the Commissioner of Insurance of cybersecurity events.

22.8 Late Payment Interest. Any amounts due under this Addendum that are not paid when due shall bear interest at the rate of eight percent (8%) per annum, in accordance with KRS § 360.010 (Kentucky statutory default interest rate).

22.9 Consumer Protection. This Addendum shall be interpreted consistently with the Kentucky Consumer Protection Act (KRS § 367.110 et seq.), and Provider shall not engage in any unfair, false, misleading, or deceptive acts or practices in connection with its handling of Customer Data.


ARTICLE 23 — ELECTRONIC SIGNATURES

23.1 Validity. This Addendum may be executed by electronic signature in accordance with the Kentucky Uniform Electronic Transactions Act, KRS § 369.101 et seq. The Parties agree that electronic signatures shall have the same legal effect, validity, and enforceability as manual ink signatures.

23.2 Legal Recognition. Pursuant to the Kentucky UETA, a record or signature may not be denied legal effect or enforceability solely because it is in electronic form. A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation.

23.3 Consent to Electronic Records. Each Party consents to the use of electronic records and electronic signatures in connection with this Addendum and all related communications and documents, in accordance with Kentucky UETA.

23.4 Retention of Electronic Records. Electronic records of this Addendum shall be retained in accordance with the Kentucky UETA and shall be accessible and capable of being accurately reproduced for later reference.

23.5 Counterparts. This Addendum may be executed in one or more counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument. Delivery of an executed counterpart by electronic transmission (including PDF, DocuSign, or other secure electronic signature platform) shall be effective as delivery of a manually executed counterpart.


ARTICLE 24 — GENERAL PROVISIONS

24.1 Entire Agreement. This Addendum, together with the Master Agreement and all exhibits, schedules, and attachments hereto, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, negotiations, and discussions, whether oral or written, relating to the security of Customer Data.

24.2 Amendment. This Addendum may not be amended, modified, or supplemented except by a written instrument executed by authorized representatives of both Parties.

24.3 Waiver. No waiver of any provision of this Addendum shall be effective unless in writing and signed by the Party against whom the waiver is sought to be enforced. No failure or delay by either Party in exercising any right or remedy shall operate as a waiver thereof.

24.4 Severability. If any provision of this Addendum is held to be invalid, illegal, or unenforceable under Kentucky law, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, and the remaining provisions shall continue in full force and effect.

24.5 Assignment. Neither Party may assign this Addendum or any of its rights or obligations hereunder without the prior written consent of the other Party, which consent shall not be unreasonably withheld; provided, however, that either Party may assign this Addendum to an affiliate or in connection with a merger, acquisition, or sale of all or substantially all of its assets.

24.6 Notices. All notices required or permitted under this Addendum shall be in writing and shall be delivered by hand, certified mail (return receipt requested), or recognized overnight courier service to the addresses set forth below, or to such other address as a Party may designate by written notice.

24.7 Survival. The provisions of this Addendum that by their nature should survive expiration or termination of the Master Agreement shall so survive, including without limitation the obligations related to data return/destruction, indemnification, confidentiality, breach notification, and audit rights.


ARTICLE 25 — EXECUTION

Compliance Checklist (Pre-Execution):

☐ Master Agreement fully executed and referenced herein

☐ Provider's Information Security Program documentation reviewed by Customer

☐ Provider's most recent SOC 2 Type II report reviewed by Customer

☐ Provider's ISO 27001 certification verified

☐ Provider's most recent penetration test report reviewed by Customer

☐ Subprocessor list reviewed and approved by Customer

☐ Insurance certificates reviewed and verified by Customer

☐ RPO and RTO values agreed upon and documented in Section 12.3

☐ Data residency requirements confirmed

☐ Kentucky Consumer Data Protection Act compliance measures reviewed

☐ Kentucky-licensed legal counsel has reviewed this Addendum for both Parties

☐ Key Personnel and escalation contacts identified

☐ Security Governance Committee members designated


SIGNATURE BLOCKS

IN WITNESS WHEREOF, the Parties have caused this Enterprise Security Addendum to be executed by their duly authorized representatives as of the Effective Date.

CUSTOMER

| Field | Details |
|---|---|
| Legal Entity Name | [________________________________] |
| Authorized Signatory Name | [________________________________] |
| Title | [________________________________] |
| Signature | [________________________________] |
| Date | [__/__/____] |
| Email | [________________________________] |
| Phone | [________________________________] |

PROVIDER

| Field | Details |
|---|---|
| Legal Entity Name | [________________________________] |
| Authorized Signatory Name | [________________________________] |
| Title | [________________________________] |
| Signature | [________________________________] |
| Date | [__/__/____] |
| Email | [________________________________] |
| Phone | [________________________________] |

EXHIBIT A — SECURITY CONTACT INFORMATION

| Role | Name | Email | Phone | Escalation Order |
|---|---|---|---|---|
| Customer Security Lead | [________________________________] | [________________________________] | [________________________________] | 1 |
| Customer Legal Counsel | [________________________________] | [________________________________] | [________________________________] | 2 |
| Customer Executive Sponsor | [________________________________] | [________________________________] | [________________________________] | 3 |
| Provider CISO | [________________________________] | [________________________________] | [________________________________] | 1 |
| Provider Incident Response Lead | [________________________________] | [________________________________] | [________________________________] | 2 |
| Provider Account Executive | [________________________________] | [________________________________] | [________________________________] | 3 |

EXHIBIT B — APPROVED SUBPROCESSOR LIST

| Subprocessor Name | Service Provided | Data Processed | Location | Approval Date |
|---|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |

SOURCES AND REFERENCES

  1. Kentucky Security Breach Notification — KRS § 365.732: https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=43326
  2. Kentucky Uniform Trade Secrets Act — KRS § 365.880 et seq.: https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=34868
  3. Kentucky Consumer Data Protection Act — KRS § 367.700 et seq.: https://apps.legislature.ky.gov/law/statutes/chapter.aspx?id=39074
  4. Kentucky Uniform Electronic Transactions Act — KRS § 369.101 et seq.: https://apps.legislature.ky.gov/law/statutes/chapter.aspx?id=39080
  5. Kentucky Insurance Data Security Act — KRS § 304.3-750 et seq.: https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=53296
  6. Kentucky Private Right of Action — KRS § 446.070: https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=46070
  7. NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
  8. NIST SP 800-88 Rev. 1 — Media Sanitization: https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
  9. ISO/IEC 27001:2022: https://www.iso.org/standard/27001
  10. SOC 2 Trust Services Criteria: https://www.aicpa.org/soc2

This Enterprise Security Addendum is intended for use on the ezel.ai platform and must be reviewed by Kentucky-licensed legal counsel before execution. Last updated: 2026-02-21.
