
ENTERPRISE SECURITY ADDENDUM

LOUISIANA JURISDICTIONAL VERSION


DOCUMENT HEADER

SECURITY ADDENDUM (this "Addendum")

Effective Date: ______________________ ("Addendum Effective Date")

This Enterprise Security Addendum is entered into by and between:

SERVICE PROVIDER:
Name: ______________________________
Address: ______________________________
State of Organization: ______________________________
("Provider")

CUSTOMER:
Name: ______________________________
Address: ______________________________
State of Organization: ______________________________
("Customer")

This Addendum supplements and is incorporated into the Master Services Agreement dated ______________________ (the "Master Agreement") between Provider and Customer. In the event of any conflict between this Addendum and the Master Agreement regarding security matters, this Addendum shall control.

LOUISIANA CIVIL LAW NOTICE: Louisiana is a civil law jurisdiction. The parties acknowledge that Louisiana law, including the Louisiana Civil Code, shall govern the interpretation and enforcement of this Addendum.


ARTICLE 1: DEFINITIONS

1.1 "Authorized User" means any individual granted access to Customer Data by Customer or Provider pursuant to the Master Agreement.

1.2 "Confidential Information" means all non-public information disclosed by either party, including trade secrets protected under the Louisiana Trade Secrets Act (La. R.S. § 51:1431 et seq.).

1.3 "Customer Data" means all data, information, and materials provided by or on behalf of Customer to Provider in connection with the Services.

1.4 "Data Breach" or "Security Breach" means the compromise of security that results in unauthorized access to Personal Information, as defined under Louisiana law (La. R.S. § 51:3073).

1.5 "Personal Information" means an individual's first name or first initial and last name in combination with any one or more of the following: (a) Social Security number; (b) driver's license number or Louisiana state identification card number; (c) account number, credit or debit card number, in combination with any required security code, access code, or password; (d) passport number; (e) biometric data.

1.6 "Security Incident" means any actual or suspected unauthorized access, acquisition, use, disclosure, modification, or destruction of Customer Data or any security system.

1.7 "Security Program" means Provider's comprehensive information security program as described in this Addendum.

1.8 "Subcontractor" means any third party engaged by Provider to perform services involving access to Customer Data.


ARTICLE 2: SECURITY PROGRAM REQUIREMENTS

2.1 General Obligation. Provider shall implement and maintain a comprehensive written information security program ("Security Program") that includes administrative, technical, and physical safeguards appropriate to:
(a) The size, scope, and type of Provider's business;
(b) The amount of resources available to Provider;
(c) The type of Customer Data that Provider stores or processes; and
(d) The need for security and confidentiality of such Customer Data.

2.2 Security Program Objectives. The Security Program shall be designed to:
(a) Ensure the security and confidentiality of Customer Data;
(b) Protect against anticipated threats or hazards to the security or integrity of Customer Data;
(c) Protect against unauthorized access, use, acquisition, destruction, modification, or disclosure of Customer Data; and
(d) Ensure the proper disposal of Customer Data.

2.3 Designated Security Officer. Provider shall designate a qualified individual responsible for the development, implementation, and maintenance of the Security Program.

2.4 Risk Assessment. Provider shall conduct periodic risk assessments to identify internal and external risks to the security, confidentiality, and integrity of Customer Data and evaluate the effectiveness of current safeguards.


ARTICLE 3: ADMINISTRATIVE SAFEGUARDS

3.1 Security Policies. Provider shall maintain comprehensive written security policies and procedures, including:
(a) Acceptable use policies;
(b) Data classification and handling procedures;
(c) Access control policies;
(d) Incident response procedures;
(e) Business continuity and disaster recovery plans.

3.2 Employee Training. Provider shall:
(a) Provide security awareness training to all personnel with access to Customer Data upon hire and at least annually thereafter;
(b) Train personnel on recognizing and reporting Security Incidents;
(c) Maintain records of security training completion.

3.3 Policy Review. Provider shall review and update security policies at least annually or upon material changes to systems, threats, or regulatory requirements.


ARTICLE 4: TECHNICAL SAFEGUARDS

4.1 System Security. Provider shall implement and maintain:
(a) Firewalls and intrusion detection/prevention systems;
(b) Anti-malware software with current definitions;
(c) Security event logging and monitoring;
(d) Regular security patches and updates;
(e) Secure configuration baselines for all systems.

4.2 Application Security. Provider shall:
(a) Follow secure software development lifecycle (SDLC) practices;
(b) Conduct security testing prior to production deployment;
(c) Perform code reviews for security vulnerabilities;
(d) Maintain separation between development, testing, and production environments.


ARTICLE 5: PHYSICAL SAFEGUARDS

5.1 Facility Security. Provider shall maintain physical security controls including:
(a) Controlled access to facilities housing Customer Data;
(b) Visitor management and escort policies;
(c) Security surveillance systems;
(d) Environmental controls (fire suppression, climate control, water detection).

5.2 Media Handling. Provider shall implement secure handling, transport, and disposal procedures for all media containing Customer Data, including secure destruction or sanitization in accordance with NIST SP 800-88 guidelines.


ARTICLE 6: ACCESS CONTROLS

6.1 Access Management. Provider shall implement access controls that:
(a) Restrict access to Customer Data to Authorized Users on a need-to-know basis;
(b) Implement role-based access controls (RBAC);
(c) Require unique user identification for each individual;
(d) Implement automatic session timeout after periods of inactivity;
(e) Promptly revoke access upon termination or role change.

6.2 Authentication Requirements. Provider shall require:
(a) Multi-factor authentication (MFA) for all remote access and privileged accounts;
(b) Strong password policies (minimum 12 characters, complexity requirements);
(c) Account lockout after failed authentication attempts;
(d) Prohibition on sharing credentials.

6.3 Privileged Access. Provider shall implement enhanced controls for privileged accounts, including privileged access management (PAM), session recording, and regular access reviews.


ARTICLE 7: ENCRYPTION REQUIREMENTS

7.1 Encryption Standards. Provider shall encrypt Customer Data as follows:
(a) Data at Rest: AES-256 encryption or equivalent;
(b) Data in Transit: TLS 1.2 or higher for all network transmissions;
(c) Key Management: Secure key generation, storage, rotation, and destruction procedures.

7.2 Cryptographic Controls. Provider shall:
(a) Use industry-standard cryptographic algorithms;
(b) Protect encryption keys from unauthorized access;
(c) Rotate encryption keys at least annually or upon suspected compromise;
(d) Maintain documented key management procedures.


ARTICLE 8: NETWORK SECURITY

8.1 Network Architecture. Provider shall implement:
(a) Network segmentation to isolate Customer Data;
(b) Demilitarized zones (DMZ) for public-facing systems;
(c) Secure wireless network configurations;
(d) Network access control (NAC) mechanisms.

8.2 Network Monitoring. Provider shall:
(a) Monitor network traffic for anomalies and threats;
(b) Maintain centralized logging of network events;
(c) Implement alerting for suspicious activities;
(d) Retain network logs for a minimum of one (1) year.


ARTICLE 9: VULNERABILITY MANAGEMENT

9.1 Vulnerability Scanning. Provider shall:
(a) Conduct vulnerability scans at least quarterly and after significant changes;
(b) Prioritize remediation based on risk severity;
(c) Remediate critical vulnerabilities within thirty (30) days;
(d) Remediate high-severity vulnerabilities within sixty (60) days.

9.2 Penetration Testing. Provider shall:
(a) Conduct penetration testing at least annually by qualified third parties;
(b) Provide Customer with executive summary of results upon request;
(c) Remediate identified vulnerabilities in accordance with agreed timelines.


ARTICLE 10: INCIDENT RESPONSE PROCEDURES

10.1 Incident Response Plan. Provider shall maintain a documented incident response plan that includes:
(a) Incident detection and identification procedures;
(b) Incident classification and severity levels;
(c) Escalation procedures and contact information;
(d) Containment, eradication, and recovery procedures;
(e) Post-incident review and lessons learned.

10.2 Incident Notification to Customer. Provider shall notify Customer of any Security Incident involving Customer Data within forty-eight (48) hours of discovery, including:
(a) Description of the incident;
(b) Types of data potentially affected;
(c) Actions taken to contain and remediate;
(d) Recommended actions for Customer;
(e) Contact information for further inquiries.

10.3 Cooperation. Provider shall cooperate with Customer in investigating and responding to Security Incidents, including preserving evidence and providing reasonable assistance.


ARTICLE 11: DATA BREACH NOTIFICATION - LOUISIANA REQUIREMENTS

11.1 Louisiana Data Breach Law Compliance. Provider acknowledges that Customer may have notification obligations under the Louisiana Database Security Breach Notification Law (La. R.S. § 51:3074) and agrees to assist Customer in complying with such obligations.

11.2 Notification Timeline. In the event of a Data Breach involving Personal Information of Louisiana residents:
(a) Provider shall notify Customer within forty-eight (48) hours of discovery;
(b) Customer shall notify affected Louisiana residents within sixty (60) days of discovery of the breach as required by La. R.S. § 51:3074;
(c) Notification may be delayed at the request of law enforcement.

11.3 Attorney General Notification. If the breach affects more than 500 Louisiana residents, Customer must also notify the Louisiana Attorney General pursuant to La. R.S. § 51:3074(I).

11.4 Content of Notification. Breach notifications shall include:
(a) Description of the breach;
(b) Type of Personal Information compromised;
(c) Steps taken to address the breach;
(d) Contact information for inquiries;
(e) Advice on protective measures.

11.5 Provider Assistance. Provider shall provide reasonable assistance to Customer in fulfilling notification obligations, including providing necessary information for notifications at no additional cost to Customer.


ARTICLE 12: BUSINESS CONTINUITY AND DISASTER RECOVERY

12.1 Business Continuity Plan. Provider shall maintain a documented business continuity plan that:
(a) Identifies critical systems and processes;
(b) Defines recovery time objectives (RTO) and recovery point objectives (RPO);
(c) Establishes procedures for maintaining operations during disruptions.

12.2 Disaster Recovery. Provider shall:
(a) Maintain redundant systems and data backups;
(b) Store backups in geographically separate locations;
(c) Test backup restoration procedures at least annually;
(d) Encrypt all backup media.

12.3 Testing. Provider shall test business continuity and disaster recovery plans at least annually and provide Customer with test results upon request.


ARTICLE 13: PERSONNEL SECURITY

13.1 Background Checks. Provider shall conduct background checks on personnel with access to Customer Data, to the extent permitted by applicable law.

13.2 Confidentiality Agreements. All Provider personnel with access to Customer Data shall execute confidentiality agreements.

13.3 Termination Procedures. Provider shall implement procedures to promptly revoke access for terminated personnel and recover Provider-issued devices and credentials.


ARTICLE 14: THIRD-PARTY AND SUBCONTRACTOR SECURITY

14.1 Subcontractor Restrictions. Provider shall not engage Subcontractors to process Customer Data without Customer's prior written consent, except as identified in the Master Agreement.

14.2 Subcontractor Due Diligence. Provider shall:
(a) Conduct security assessments of Subcontractors prior to engagement;
(b) Require Subcontractors to maintain security controls substantially equivalent to this Addendum;
(c) Include appropriate security provisions in Subcontractor agreements;
(d) Monitor Subcontractor compliance with security requirements.

14.3 Provider Liability. Provider shall remain responsible and liable to Customer for the acts and omissions of its Subcontractors regarding Customer Data.


ARTICLE 15: AUDIT RIGHTS

15.1 Right to Audit. Customer shall have the right, upon thirty (30) days' prior written notice, to:
(a) Audit Provider's security controls and compliance with this Addendum;
(b) Review security policies, procedures, and documentation;
(c) Conduct on-site inspections of facilities housing Customer Data.

15.2 Frequency. Customer may conduct audits no more than once per calendar year, unless a Security Incident or material breach of this Addendum has occurred.

15.3 Third-Party Audits. In lieu of Customer audits, Provider may provide:
(a) SOC 2 Type II reports;
(b) ISO 27001 certification and most recent audit results;
(c) Other third-party security assessments acceptable to Customer.

15.4 Cooperation. Provider shall cooperate with Customer audits and provide reasonable access to personnel, facilities, and documentation. Customer audits shall be conducted during normal business hours and shall not unreasonably interfere with Provider's operations.


ARTICLE 16: SECURITY CERTIFICATIONS

16.1 Current Certifications. Provider represents that it currently maintains the following security certifications:
[ ] SOC 2 Type II
[ ] ISO 27001
[ ] ISO 27017 (Cloud Security)
[ ] ISO 27018 (Cloud Privacy)
[ ] PCI DSS (if applicable)
[ ] FedRAMP (if applicable)
[ ] Other: ______________________________

16.2 Certification Maintenance. Provider shall:
(a) Maintain the certifications identified above throughout the term of the Master Agreement;
(b) Notify Customer within thirty (30) days of any certification suspension, revocation, or material change;
(c) Provide copies of certification reports and audit summaries upon Customer request.

16.3 Certification Reports. Provider shall provide Customer with copies of SOC 2 Type II reports and ISO 27001 certification documentation annually or upon request.


ARTICLE 17: COMPLIANCE WITH LAWS

17.1 General Compliance. Provider shall comply with all applicable federal, state, and local laws, regulations, and industry standards relating to data security and privacy.

17.2 Louisiana-Specific Compliance. Provider specifically acknowledges and shall comply with:
(a) Louisiana Database Security Breach Notification Law (La. R.S. § 51:3074);
(b) Louisiana Trade Secrets Act (La. R.S. § 51:1431 et seq.);
(c) Louisiana Uniform Electronic Transactions Act (La. R.S. § 9:2601 et seq.);
(d) Other applicable Louisiana statutes and regulations.

17.3 Changes in Law. Provider shall promptly notify Customer of any changes in law that materially affect Provider's obligations under this Addendum and shall implement necessary changes to maintain compliance.


ARTICLE 18: INSURANCE REQUIREMENTS

18.1 Insurance Coverage. Provider shall maintain, at its own expense, the following insurance coverage:
(a) Cyber Liability Insurance: Minimum $5,000,000 per occurrence;
(b) Technology Errors and Omissions: Minimum $2,000,000 per occurrence;
(c) Commercial General Liability: Minimum $1,000,000 per occurrence;
(d) Workers' Compensation: As required by Louisiana law.

18.2 Policy Requirements. All insurance policies shall:
(a) Be issued by insurers with an A.M. Best rating of A- or better;
(b) Name Customer as an additional insured where applicable;
(c) Provide thirty (30) days' notice of cancellation or material change.

18.3 Evidence of Insurance. Provider shall provide certificates of insurance upon request.


ARTICLE 19: REPRESENTATIONS AND WARRANTIES

19.1 Provider Representations. Provider represents and warrants that:
(a) It has implemented and maintains a Security Program in accordance with this Addendum;
(b) It has the authority to enter into this Addendum and perform its obligations;
(c) Its personnel are qualified and trained to handle Customer Data securely;
(d) It will promptly notify Customer of any material changes to its Security Program;
(e) All certifications and attestations provided to Customer are accurate and current.

19.2 Customer Representations. Customer represents and warrants that:
(a) It has the authority to enter into this Addendum;
(b) Customer Data provided to Provider is collected and shared in compliance with applicable law.

19.3 Disclaimer. EXCEPT AS EXPRESSLY SET FORTH IN THIS ADDENDUM AND THE MASTER AGREEMENT, NEITHER PARTY MAKES ANY WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


ARTICLE 20: LIMITATION OF LIABILITY AND INDEMNIFICATION

20.1 Liability Cap. Except for breaches of confidentiality obligations, Data Breaches caused by gross negligence or willful misconduct, and indemnification obligations, liability under this Addendum shall be subject to the limitations set forth in the Master Agreement.

20.2 Indemnification. Provider shall indemnify, defend, and hold harmless Customer from and against all claims, damages, losses, and expenses (including reasonable attorney's fees) arising from Provider's breach of this Addendum or any Data Breach caused by Provider's failure to maintain the Security Program.

20.3 Late Payment. Any amounts owed under this Addendum not paid when due shall bear interest at the Louisiana legal rate as set forth in La. R.S. § 13:4202.


ARTICLE 21: TERM AND TERMINATION

21.1 Term. This Addendum shall be effective as of the Addendum Effective Date and shall continue in effect for the duration of the Master Agreement.

21.2 Survival. The obligations set forth in Articles 11 (Data Breach Notification), 15 (Audit Rights), 19 (Representations and Warranties), and 20 (Limitation of Liability and Indemnification) shall survive termination of this Addendum.

21.3 Data Return/Destruction. Upon termination, Provider shall, at Customer's election, return or securely destroy all Customer Data in accordance with the Master Agreement and this Addendum.


ARTICLE 22: MISCELLANEOUS

22.1 Governing Law. This Addendum shall be governed by and construed in accordance with the laws of the State of Louisiana, without regard to conflict of laws principles. The parties acknowledge that Louisiana is a civil law jurisdiction and that Louisiana Civil Code provisions shall apply to interpretation of this Addendum.

22.2 Exclusive Jurisdiction. Any disputes arising under this Addendum shall be subject to the exclusive jurisdiction of the state and federal courts located in Louisiana.

22.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY LOUISIANA LAW, EACH PARTY HEREBY WAIVES ITS RIGHT TO A JURY TRIAL IN ANY ACTION ARISING OUT OF OR RELATING TO THIS ADDENDUM.

22.4 Electronic Signatures. The parties agree that this Addendum may be executed by electronic signature in accordance with the Louisiana Uniform Electronic Transactions Act (La. R.S. § 9:2601 et seq.), and such electronic signatures shall have the same legal effect as original signatures.

22.5 Entire Agreement. This Addendum, together with the Master Agreement, constitutes the entire agreement between the parties regarding the subject matter hereof and supersedes all prior agreements and understandings.

22.6 Amendments. This Addendum may only be amended by a written instrument signed by both parties.

22.7 Severability. If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.


SIGNATURES

IN WITNESS WHEREOF, the parties have executed this Enterprise Security Addendum as of the Addendum Effective Date.

PROVIDER:

Signature: ______________________________

Printed Name: ______________________________

Title: ______________________________

Date: ______________________________

CUSTOMER:

Signature: ______________________________

Printed Name: ______________________________

Title: ______________________________

Date: ______________________________


EXECUTION CHECKLIST

  • [ ] Master Agreement referenced and attached
  • [ ] Addendum Effective Date inserted
  • [ ] Party information completed
  • [ ] Security certifications identified in Article 16
  • [ ] Insurance requirements verified
  • [ ] Louisiana-licensed counsel review completed
  • [ ] Both parties executed

This template is provided for informational purposes only and does not constitute legal advice. Louisiana is a civil law jurisdiction with unique legal traditions distinct from common law states. You must have this template reviewed and customized by a qualified attorney licensed in Louisiana before use.
