
ENTERPRISE SECURITY ADDENDUM

Massachusetts Jurisdictional Version

Addendum Effective Date: [__/__/____]

Master Agreement Reference: [________________________________]

Master Agreement Date: [__/__/____]


RECITALS

WHEREAS, the entity identified as "Customer" ("[________________________________]," a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________]) and the entity identified as "Provider" ("[________________________________]," a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________]) have entered into the Master Agreement referenced above (the "Master Agreement");

WHEREAS, Provider will Process, store, transmit, or otherwise have access to Customer Data, including Personal Information as defined under Massachusetts law, in connection with the services described in the Master Agreement;

WHEREAS, Massachusetts has enacted 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth), one of the most prescriptive state-level cybersecurity regulations in the United States, imposing specific, mandatory technical and organizational requirements on any person that owns or licenses Personal Information about a Massachusetts resident;

WHEREAS, Massachusetts General Laws Chapter 93H imposes specific obligations regarding notification to the Attorney General, the Office of Consumer Affairs and Business Regulation, and affected residents following a breach of security;

WHEREAS, 201 CMR 17.00 requires that every person who owns or licenses Personal Information develop, implement, and maintain a Comprehensive Written Information Security Program ("WISP") containing administrative, technical, and physical safeguards;

WHEREAS, the Parties desire to establish security standards that satisfy 201 CMR 17.00 and all other applicable Massachusetts requirements;

NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein and in the Master Agreement, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:


ARTICLE 1 — DEFINITIONS

1.1 "Authorized User" means any individual who has been granted access to Customer Data by Customer or through Customer's authorization, including employees, contractors, and agents operating under appropriate access controls.

1.2 "Business Day" means any day other than a Saturday, Sunday, or day on which banks in the Commonwealth of Massachusetts are authorized or required to be closed.

1.3 "Confidential Information" means all non-public information disclosed by either Party to the other, including but not limited to Trade Secrets as defined under M.G.L. c. 93, § 42, Customer Data, business plans, technical specifications, and security configurations.

1.4 "Customer Data" means all data, records, files, information, and materials provided by or on behalf of Customer or collected or generated by Provider on behalf of Customer in the course of performing services under the Master Agreement.

1.5 "Encryption" means the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key, using methods consistent with current industry standards including AES-256 for data at rest and TLS 1.2 or higher for data in transit.

1.6 "Incident" means any event that results in, or has the reasonable potential to result in, unauthorized access to, disclosure of, or loss of Customer Data, including Security Breaches.

1.7 "Multi-Factor Authentication" or "MFA" means an authentication mechanism requiring at least two distinct factors from: (a) something the user knows; (b) something the user possesses; and (c) something the user is.

1.8 "OCABR" means the Massachusetts Office of Consumer Affairs and Business Regulation.

1.9 "Personal Information" means, as defined under M.G.L. c. 93H, § 1 and 201 CMR 17.02, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password, that would permit access to a resident's financial account; provided, however, that Personal Information shall not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.

1.10 "Process" or "Processing" means any operation or set of operations performed on Customer Data, whether or not by automated means, including collection, use, storage, disclosure, analysis, deletion, or modification.

1.11 "Security Breach" or "Breach of Security" means the unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key that is capable of compromising the security, confidentiality, or integrity of Personal Information, maintained by a person or agency, that creates a substantial risk of identity theft or fraud against a resident of the Commonwealth, as defined under M.G.L. c. 93H, § 1.

1.12 "Subprocessor" means any third party engaged by Provider to Process Customer Data on behalf of Customer.

1.13 "Trade Secret" means information as defined under M.G.L. c. 93, § 42, including a formula, pattern, compilation, program, device, method, technique, or process that derives independent economic value from not being generally known to, and not being readily ascertainable through proper means by, other persons who can obtain economic value from its disclosure or use, and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

1.14 "WISP" or "Written Information Security Program" means a comprehensive, written information security program as required by 201 CMR 17.03, applicable to records containing Personal Information, that is consistent with industry standards and contains administrative, technical, and physical safeguards.


ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE

2.1 Scope. This Addendum applies to all Customer Data that Provider Processes, accesses, stores, transmits, or otherwise handles in connection with the Master Agreement. This Addendum shall bind Provider and all Subprocessors.

2.2 Order of Precedence. In the event of a conflict between this Addendum and the Master Agreement, this Addendum shall control with respect to information security, data protection, and privacy matters. In the event of a conflict between this Addendum and applicable Massachusetts law, applicable law shall control.

2.3 201 CMR 17.00 Primacy. The Parties acknowledge that 201 CMR 17.00 imposes specific, mandatory requirements. Where this Addendum exceeds 201 CMR 17.00 requirements, the more stringent standard shall apply. Where 201 CMR 17.00 imposes a requirement not addressed in this Addendum, such requirement is incorporated by reference.

2.4 Regulatory Changes. Provider shall monitor changes to Massachusetts law, including amendments to 201 CMR 17.00, M.G.L. c. 93H, and related regulations, and shall notify Customer within thirty (30) days of any material change.


ARTICLE 3 — 201 CMR 17.00 COMPREHENSIVE WRITTEN INFORMATION SECURITY PROGRAM (WISP)

THIS ARTICLE IS THE CORE COMPLIANCE SECTION FOR MASSACHUSETTS LAW AND MUST BE STRICTLY OBSERVED.

3.1 WISP Requirement

Pursuant to 201 CMR 17.03, Provider shall develop, implement, maintain, and monitor a Comprehensive Written Information Security Program (WISP) applicable to any records containing Personal Information of Massachusetts residents. Provider's WISP shall be reasonably consistent with industry standards and shall contain administrative, technical, and physical safeguards that are appropriate to:

(a) The size, scope, and type of Provider's business;
(b) The amount of resources available to Provider;
(c) The amount of data stored by Provider;
(d) The need for security and confidentiality of both consumer and employee information.

3.2 WISP — Mandatory Administrative Safeguards (201 CMR 17.03(2))

Provider's WISP shall include, at minimum, the following administrative safeguards:

(a) Designated Security Coordinator. Designation of one or more employees to maintain the WISP (201 CMR 17.03(2)(a));

(b) Risk Identification. Identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing Personal Information, and evaluation and improvement of the effectiveness of current safeguards for limiting such risks (201 CMR 17.03(2)(b)), including but not limited to:
- Ongoing employee (including temporary and contract employee) training on security program procedures;
- Employee compliance with policies and procedures;
- Means for detecting and preventing security system failures;

(c) Employee Training. Development of security policies for employees relating to the storage, access, and transportation of records containing Personal Information outside of business premises (201 CMR 17.03(2)(c));

(d) Disciplinary Measures. Imposition of disciplinary measures for violations of the WISP rules (201 CMR 17.03(2)(d));

(e) Terminated Employee Procedures. Prevention of access to records containing Personal Information by terminated employees, including immediate termination of physical and electronic access, including deactivating passwords and user names (201 CMR 17.03(2)(e));

(f) Third-Party Service Providers. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect Personal Information consistent with 201 CMR 17.00 and any applicable federal regulations, and requiring such providers by contract to implement and maintain such appropriate security measures (201 CMR 17.03(2)(f));

(g) Physical Access Restrictions. Reasonable restrictions on physical access to records containing Personal Information and storage of such records in locked facilities, rooms, or containers (201 CMR 17.03(2)(g));

(h) WISP Review. Regular monitoring to ensure the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of Personal Information; and upgrading information safeguards as necessary to limit risks (201 CMR 17.03(2)(h));

(i) Annual Scope Review. Review of the scope of security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing Personal Information (201 CMR 17.03(2)(i));

(j) Incident Documentation. Documentation of responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of Personal Information (201 CMR 17.03(2)(j)).

3.3 WISP — Mandatory Technical Safeguards (201 CMR 17.04)

Provider's WISP shall include, at minimum, the following computer system security requirements, to the extent technically feasible:

(a) Secure User Authentication Protocols. Control of user IDs and other identifiers (201 CMR 17.04(1)(a)), including:
- A reasonably secure method of assigning and selecting passwords or use of unique identifier technologies (such as biometrics or tokens);
- Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
- Restricting access to active users and active user accounts only;
- Blocking access after multiple unsuccessful attempts to gain access;

(b) Secure Access Control Measures. Restricting access to records and files containing Personal Information to those who need such information to perform their job duties, and assigning unique identifications plus passwords which are not vendor-supplied default passwords to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls (201 CMR 17.04(2));

(c) Encryption of Transmitted Records. Encryption of all transmitted records and files containing Personal Information that will travel across public networks, and encryption of all data containing Personal Information to be transmitted wirelessly (201 CMR 17.04(3));

(d) Monitoring Systems. Reasonable monitoring of systems for unauthorized use of or access to Personal Information (201 CMR 17.04(4));

(e) Encryption of Personal Information on Portable Devices. Encryption of all Personal Information stored on laptops or other portable devices (201 CMR 17.04(5));

(f) Firewall Protection. Reasonably up-to-date firewall protection and operating system security patches on systems connected to the Internet that are designed to maintain the integrity of the Personal Information (201 CMR 17.04(6));

(g) Antivirus and Malware Protection. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis (201 CMR 17.04(7));

(h) Education and Training. Education and training of employees on the proper use of the computer security system and the importance of personal information security (201 CMR 17.04(8)).

3.4 Framework Alignment

In addition to 201 CMR 17.00 compliance, Provider's WISP shall align with one or more of the following recognized frameworks:

☐ ISO/IEC 27001:2022 — Information Security Management System
☐ SOC 2 Type II — Trust Services Criteria
☐ NIST Cybersecurity Framework (CSF) 2.0
☐ NIST SP 800-53 Rev. 5 — Security and Privacy Controls
☐ CIS Controls v8

3.5 Risk Assessment

Provider shall conduct a comprehensive risk assessment at least annually and whenever material changes occur, identifying threats, evaluating impact, and documenting risk treatment decisions.

3.6 Security Policies

Provider shall maintain documented security policies covering access control, encryption, incident response, vulnerability management, change management, acceptable use, data classification, and business continuity, and shall review each policy at least annually.


ARTICLE 4 — ACCESS CONTROLS

4.1 Role-Based Access Control. Provider shall implement RBAC ensuring access is limited to personnel whose job functions require it, consistent with 201 CMR 17.04(2).

4.2 Principle of Least Privilege. Need-to-know access. No standing administrative access where just-in-time access is feasible.

4.3 Multi-Factor Authentication. Provider shall require MFA for:

(a) All remote access to systems containing Customer Data;
(b) All administrative or privileged access to production environments;
(c) Access to security infrastructure including firewalls, SIEM, and identity management systems;
(d) Access to cloud management consoles and dashboards;
(e) VPN connections to Provider's network.

4.4 Authentication Standards (201 CMR 17.04(1)). Provider shall enforce:

(a) Minimum password length of fourteen (14) characters with complexity requirements;
(b) Account lockout after no more than five (5) consecutive failed authentication attempts, consistent with 201 CMR 17.04(1)(a);
(c) Assignment of unique identifications and passwords to each person with computer access, which are NOT vendor-supplied default passwords, per 201 CMR 17.04(2);
(d) Automatic session timeout after fifteen (15) minutes of inactivity for privileged sessions and thirty (30) minutes for standard sessions;
(e) Restriction of access to active users and active user accounts only, per 201 CMR 17.04(1)(a);
(f) Prohibition of shared or generic accounts for access to Customer Data.
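The standards in Section 4.4 are the kind of control an auditor checks by replaying authentication records against the stated thresholds. The following is an added illustration, not part of the Addendum or of any Provider's systems: it enforces the fourteen-character minimum, lockout after five consecutive failures, the 15/30-minute inactivity timeouts, the active-accounts-only rule, and rejection of vendor-supplied default passwords over a constructed sample log. The event format, the account names, the list of default passwords, and the complexity rule (one lowercase, one uppercase, one digit, one symbol, which the Addendum leaves unspecified) are all assumptions made for the example.

```python
"""Replay authentication events against Section 4.4-style standards.

Added example: thresholds follow the Addendum text; the log format,
account names, and the vendor-default password list are constructed
for illustration and are not from any real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MIN_PASSWORD_LENGTH = 14                          # 4.4(a)
MAX_FAILED_ATTEMPTS = 5                           # 4.4(b): lock at the 5th failure
PRIVILEGED_IDLE_TIMEOUT = timedelta(minutes=15)   # 4.4(d)
STANDARD_IDLE_TIMEOUT = timedelta(minutes=30)     # 4.4(d)

# Constructed sample of vendor-supplied defaults (4.4(c)); a real deployment
# would populate this from its asset inventory and vendor documentation.
VENDOR_DEFAULT_PASSWORDS = frozenset({"admin", "password", "changeme", "Passw0rd!"})


def password_meets_policy(password: str) -> bool:
    """4.4(a)/(c): length >= 14, four character classes (assumed rule),
    and not a known vendor default."""
    if password in VENDOR_DEFAULT_PASSWORDS or len(password) < MIN_PASSWORD_LENGTH:
        return False
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


@dataclass
class AccountState:
    active: bool = True            # 4.4(e): inactive accounts never authenticate
    privileged: bool = False       # selects the 15-minute timeout in 4.4(d)
    failed_attempts: int = 0
    locked_at: Optional[datetime] = None
    last_activity: Optional[datetime] = None


@dataclass
class AuthPolicy:
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def record_attempt(self, ts: datetime, user: str, success: bool) -> str:
        """Apply one authentication attempt and return the policy outcome."""
        acct = self.accounts.setdefault(user, AccountState())
        if not acct.active:
            return "denied: inactive account"
        if acct.locked_at is not None:
            return "denied: locked"
        if success:
            acct.failed_attempts = 0       # a success resets the consecutive counter
            acct.last_activity = ts
            return "allowed"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_at = ts            # 4.4(b): lock on the fifth consecutive failure
            return "locked"
        return "denied"

    def session_expired(self, user: str, now: datetime) -> bool:
        """4.4(d): idle longer than the role's timeout means the session is dead."""
        acct = self.accounts[user]
        if acct.last_activity is None:
            return True
        limit = PRIVILEGED_IDLE_TIMEOUT if acct.privileged else STANDARD_IDLE_TIMEOUT
        return now - acct.last_activity > limit


# Constructed sample log: "<ISO timestamp> <user> <success|failure>" per line.
SAMPLE_LOG = """\
2024-03-04T09:00:00 alice success
2024-03-04T09:00:30 root_ops success
2024-03-04T09:01:00 bob failure
2024-03-04T09:01:20 bob failure
2024-03-04T09:01:40 bob failure
2024-03-04T09:02:00 bob failure
2024-03-04T09:02:20 bob failure
2024-03-04T09:03:00 bob success
2024-03-04T09:04:00 svc_old success
"""


def replay(log_text: str, policy: AuthPolicy) -> List[Tuple[str, str]]:
    """Parse the log and feed each event through the policy in order."""
    outcomes = []
    for line in log_text.splitlines():
        ts_text, user, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        outcomes.append((user, policy.record_attempt(ts, user, result == "success")))
    return outcomes


def replay_sample() -> Tuple[AuthPolicy, List[Tuple[str, str]]]:
    """Set up the constructed accounts and replay SAMPLE_LOG against them."""
    policy = AuthPolicy()
    policy.accounts["root_ops"] = AccountState(privileged=True)
    policy.accounts["svc_old"] = AccountState(active=False)   # deprovisioned account
    return policy, replay(SAMPLE_LOG, policy)


if __name__ == "__main__":
    policy, outcomes = replay_sample()
    for user, outcome in outcomes:
        print(f"{user:10s} {outcome}")
    check_time = datetime(2024, 3, 4, 9, 20)
    for user in ("alice", "root_ops"):
        print(f"{user:10s} session expired at 09:20? {policy.session_expired(user, check_time)}")
```

Running the block shows bob locked on the fifth failure and then refused even with a correct password, the deprovisioned `svc_old` refused outright, and at 09:20 the privileged `root_ops` session already expired while `alice`'s standard session is still within its 30-minute window.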

4.5 Access Reviews. Provider shall conduct access reviews on the following schedule:

(a) Quarterly — Review of all user access rights to systems containing Customer Data;
(b) Monthly — Review of privileged and administrative access;
(c) Immediately upon termination — Revocation of all physical and electronic access, including deactivation of passwords and user names, per 201 CMR 17.03(2)(e);
(d) Within five (5) Business Days — Adjustment of access for personnel who change roles.

4.6 Access Logging. All access to Customer Data shall be logged with twelve (12) month minimum retention.


ARTICLE 5 — ENCRYPTION STANDARDS

5.1 MANDATORY — Encryption of Transmitted Records (201 CMR 17.04(3)). Provider MUST encrypt ALL transmitted records and files containing Personal Information that will travel across public networks, and encrypt ALL data containing Personal Information that is transmitted wirelessly. This is a mandatory requirement under Massachusetts law.

5.2 MANDATORY — Encryption on Portable Devices (201 CMR 17.04(5)). Provider MUST encrypt ALL Personal Information stored on laptops or other portable devices. This is a mandatory requirement under Massachusetts law.

5.3 Data in Transit. All Customer Data transmitted over any network shall be encrypted using TLS 1.2 or higher with cipher suites supporting forward secrecy. TLS 1.0 and 1.1 are prohibited.

5.4 Data at Rest. All Customer Data stored in any medium shall be encrypted using AES-256 or equivalent, including production databases, backup media, file systems, object storage, removable media, and workstations.

5.5 Massachusetts Encryption Safe Harbor. Under M.G.L. c. 93H, encrypted data is excluded from breach notification requirements unless the encryption key is also compromised. Provider shall maintain encryption at all times.

5.6 Key Management. Provider shall implement a key management program with cryptographically secure generation, separation of duties, HSM storage, annual rotation, and secure destruction.

5.7 Prohibition. No unencrypted transmission of Customer Data without written authorization.


ARTICLE 6 — NETWORK SECURITY

6.1 Network Architecture. Segmented network architecture for Customer Data environments.

6.2 Firewall Protection (201 CMR 17.04(6)). Provider MUST maintain reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of Personal Information, on all systems connected to the Internet. This is a mandatory requirement under Massachusetts law.

6.3 Firewall and Perimeter Controls. In addition to 201 CMR 17.04(6), Provider shall deploy:

(a) Default-deny ingress and egress rules;
(b) Documented rule sets reviewed at least quarterly;
(c) Intrusion detection and prevention systems ("IDS/IPS");
(d) Web application firewalls ("WAFs").

6.4 Network Monitoring. Continuous monitoring with real-time traffic analysis, NetFlow logging, DNS monitoring, and automated alerting.

6.5 Wireless Security. WPA3-Enterprise or equivalent. All Personal Information transmitted wirelessly MUST be encrypted per 201 CMR 17.04(3).

6.6 Remote Access. VPN with MFA, logged and monitored.


ARTICLE 7 — APPLICATION SECURITY

7.1 Secure Development Lifecycle. Documented SSDLC incorporating security at every phase.

7.2 OWASP Compliance. OWASP Top Ten addressed in all applications Processing Customer Data.

7.3 Code Review and Testing. Peer review, SAST in CI/CD, quarterly DAST, IAST where feasible, SCA for dependencies.

7.4 Change Management. Documented requests, risk assessment, non-production testing, segregation of duties, rollback procedures.

7.5 API Security. Authentication, authorization, rate limiting, input validation, and logging.


ARTICLE 8 — VULNERABILITY MANAGEMENT

8.1 Vulnerability Scanning. Weekly automated scans and upon significant changes.

8.2 Remediation Timelines.

Severity Level            Remediation Timeline        Interim Mitigation
------------------------  --------------------------  --------------------------------
Critical (CVSS 9.0–10.0)  Twenty-four (24) hours      Immediate compensating controls
High (CVSS 7.0–8.9)       Seven (7) calendar days     Within forty-eight (48) hours
Medium (CVSS 4.0–6.9)     Thirty (30) calendar days   Risk acceptance documented
Low (CVSS 0.1–3.9)        Ninety (90) calendar days   Next scheduled maintenance

8.3 Antivirus and Malware Protection (201 CMR 17.04(7)). Provider MUST maintain reasonably up-to-date versions of system security agent software including malware protection and reasonably up-to-date patches and virus definitions, set to receive the most current security updates on a regular basis.

8.4 Operating System Security Patches (201 CMR 17.04(6)). Provider MUST maintain reasonably up-to-date operating system security patches on all systems connected to the Internet.

8.5 Patch Management. Provider shall maintain a documented patch management program with advisory monitoring, pre-deployment testing, emergency procedures, and documentation.

8.6 Exception Management. Documented exceptions with Customer notification for Critical/High within five (5) Business Days.


ARTICLE 9 — LOGGING, MONITORING, AND AUDIT

9.1 SIEM. Centralized SIEM system for security event aggregation and correlation.

9.2 Monitoring Requirement (201 CMR 17.04(4)). Provider MUST implement reasonable monitoring of systems for unauthorized use of or access to Personal Information. This is a mandatory requirement under Massachusetts law.

9.3 Log Collection. Authentication, privileged activities, system events, network traffic, data access, security alerts, and cloud API events.

9.4 Log Retention. Twelve (12) months active, twelve (12) months archival, twenty-four (24) months total.

9.5 Log Integrity. Write-once storage, restricted access, NTP synchronization, tamper alerting.

9.6 Monitoring and Alerting. 24/7/365 monitoring. Critical alerts investigated within fifteen (15) minutes.


ARTICLE 10 — DATA SEGREGATION AND RESIDENCY

10.1 Logical Segregation. Customer Data segregated from other customers' data.

10.2 Environment Segregation. No Customer Data in non-production without anonymization and Customer approval.

10.3 Data Residency. Continental United States unless otherwise agreed. Sixty (60) days' notice of location changes.

10.4 Cross-Border Transfers. Prior consent and appropriate safeguards required.


ARTICLE 11 — PENETRATION TESTING

11.1 Annual independent third-party testing of external, internal, web application, and API components.

11.2 PTES, OWASP Testing Guide, or NIST SP 800-115 methodologies.

11.3 Report to Customer within thirty (30) days.

11.4 Remediation per Article 8 timelines.

11.5 Customer testing upon sixty (60) days' notice at Customer's expense.


ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY

12.1 Business Continuity Plan. Documented BCP.

12.2 Disaster Recovery Plan. DRP with RPO of [____] hours and RTO of [____] hours.

12.3 Testing. Annual tabletop exercises, biennial functional tests.

12.4 Backups. Encrypted, geographically separate backups.

12.5 Redundancy. Redundant infrastructure to eliminate single points of failure.


ARTICLE 13 — INCIDENT RESPONSE AND MASSACHUSETTS BREACH NOTIFICATION

13.1 Incident Response Plan. Documented IRP with classification, escalation, containment, eradication, recovery, evidence preservation, and post-incident review. Consistent with 201 CMR 17.03(2)(j), Provider shall document responsive actions taken in connection with any incident and conduct mandatory post-incident review.

13.2 Notification to Customer.

(a) Confirmed Security Breach: Within twenty-four (24) hours of confirmation;
(b) Suspected Security Breach: Within forty-eight (48) hours of detection;
(c) Other Security Incidents: Within seventy-two (72) hours of detection.

13.3 Massachusetts Breach Notification Requirements (M.G.L. c. 93H, § 3).

(a) Trigger. Notification is required when a person who owns or licenses data including Personal Information about a Massachusetts resident knows or has reason to know of a breach of security, or when Personal Information was acquired or used by an unauthorized person or used for an unauthorized purpose.

(b) Timeline. Notice must be provided AS SOON AS PRACTICABLE AND WITHOUT UNREASONABLE DELAY. Massachusetts does not impose a specific day count but requires immediacy. Provider acknowledges this standard and shall implement expedited notification processes.

(c) Attorney General Notification. Provider shall notify the Massachusetts Attorney General as soon as practicable and without unreasonable delay. The AG notice must include:
- The nature of the breach of security or unauthorized acquisition or use;
- The number of Massachusetts residents affected;
- The steps Provider has taken or plans to take relating to the incident;
- Whether Provider maintains a WISP at the time of the breach (required under 201 CMR 17.00).

(d) Office of Consumer Affairs and Business Regulation (OCABR) Notification. Provider shall simultaneously notify the Massachusetts OCABR with the same information required for the AG notice.

(e) Content of Notice to Individuals. Notice to affected Massachusetts residents shall include:
- The resident's right to obtain a police report;
- How the resident may request a security freeze and that there is no charge for the freeze;
- The name and address of the entity providing the notice;
- The type of Personal Information compromised.

NOTE: Under Massachusetts law, the notice to individuals shall NOT include the nature of the breach or the number of residents affected. This differs from most state notification laws.

(f) Credit Monitoring Services (M.G.L. c. 93H, § 3; M.G.L. c. 93I). If Social Security numbers are compromised, Provider MUST offer affected Massachusetts residents free credit monitoring services for a minimum of eighteen (18) months through a third-party vendor. If Provider is a consumer reporting agency, the period extends to forty-two (42) months.

(g) Methods of Notice. Written notice, electronic notice (consistent with E-SIGN Act), or substitute notice if cost exceeds $250,000, more than 500,000 residents affected, or insufficient contact information.

(h) 93A Enforcement. Violations of M.G.L. c. 93H may be actionable under the Massachusetts Consumer Protection Act, M.G.L. c. 93A, which provides for private rights of action, treble damages, and attorneys' fees. Provider acknowledges this heightened exposure.

13.4 201 CMR 17.00 Incident Documentation (201 CMR 17.03(2)(j)). Provider shall document responsive actions taken in connection with any incident involving a breach of security and conduct mandatory post-incident review to determine whether changes in business practices are needed.

13.5 Cooperation. Provider shall fully cooperate with Customer, the Massachusetts Attorney General, and the OCABR. Evidence preserved for a minimum of three (3) years.

13.6 Responsibility. Provider shall bear all costs from Security Breaches caused by non-compliance, including eighteen (18) month credit monitoring services.


ARTICLE 14 — SUBPROCESSOR MANAGEMENT

14.1 Prior Approval. No Subprocessor engagement without Customer's prior written approval.

14.2 201 CMR 17.00 Third-Party Requirements (201 CMR 17.03(2)(f)). Provider MUST take reasonable steps to select and retain Subprocessors that are capable of maintaining appropriate security measures to protect Personal Information consistent with 201 CMR 17.00 and any applicable federal regulations, AND Provider MUST require such Subprocessors BY CONTRACT to implement and maintain such appropriate security measures. This is a mandatory Massachusetts requirement.

14.3 Due Diligence. Verification of security capability and 201 CMR 17.00 compliance before engagement.

14.4 Contractual Requirements. Written agreements requiring compliance with 201 CMR 17.00, M.G.L. c. 93H, and all obligations no less stringent than this Addendum.

14.5 Ongoing Monitoring. Annual compliance monitoring with prompt deficiency notification.

14.6 Liability. Provider fully liable for Subprocessor acts and omissions.

14.7 Objection Right. Fifteen (15) Business Day objection period.


ARTICLE 15 — PERSONNEL SECURITY

15.1 Background Checks. Pre-access background checks to the extent permitted by Massachusetts law, including M.G.L. c. 151B and applicable CORI regulations.

15.2 Security Training (201 CMR 17.03(2)(b); 201 CMR 17.04(8)). Provider MUST provide education and training of employees on:

(a) The proper use of the computer security system;
(b) The importance of Personal Information security;
(c) Information security policies and procedures;
(d) Identification and reporting of security incidents;
(e) Phishing and social engineering awareness;
(f) Data handling, storage, access, and transportation requirements;
(g) 201 CMR 17.00 and M.G.L. c. 93H compliance obligations.

Training shall be provided at onboarding and at least annually thereafter. This is a mandatory Massachusetts requirement.

15.3 Confidentiality Agreements. Required before access to Customer Data.

15.4 Disciplinary Measures (201 CMR 17.03(2)(d)). Provider MUST impose disciplinary measures for violations of the WISP. This is a mandatory Massachusetts requirement.

15.5 Terminated Employee Access (201 CMR 17.03(2)(e)). Provider MUST prevent terminated employees from accessing records containing Personal Information, including IMMEDIATE termination of physical and electronic access, including deactivating their passwords and user names. This is a mandatory Massachusetts requirement with an immediacy standard.


ARTICLE 16 — PHYSICAL SECURITY

16.1 Physical Access Restrictions (201 CMR 17.03(2)(g)). Provider MUST implement reasonable restrictions on physical access to records containing Personal Information and store such records and data in locked facilities, rooms, or containers. This is a mandatory Massachusetts requirement.

16.2 Data Center Security. In addition to 201 CMR 17.03(2)(g), all facilities shall implement:

(a) 24/7 on-site security personnel or equivalent monitoring;
(b) Access control systems requiring badge, biometric, or multi-factor authentication;
(c) Visitor management and escort procedures;
(d) Video surveillance with ninety (90) day retention;
(e) Intrusion detection and alarm systems;
(f) Environmental controls (fire suppression, HVAC, water detection);
(g) Redundant power with UPS and generator backup.

16.3 Transportation of Records (201 CMR 17.03(2)(c)). Provider shall implement policies for the storage, access, and transportation of records containing Personal Information outside of business premises.

16.4 Media Handling. Encrypted, tracked, tamper-evident transport, proper destruction.

16.5 Clean Desk Policy. Enforced in all areas with Customer Data access.


ARTICLE 17 — INSURANCE

17.1 Required Coverage.

(a) Cyber Liability / Technology E&O Insurance: Minimum $5,000,000;
(b) Professional Liability / E&O Insurance: Minimum $2,000,000;
(c) Commercial General Liability Insurance: Minimum $1,000,000 per occurrence / $2,000,000 aggregate;
(d) Workers' Compensation Insurance: As required by Massachusetts law (M.G.L. c. 152).

17.2 Policy Requirements. AM Best A- VII or better, additional insured, thirty (30) days' cancellation notice, waiver of subrogation.

17.3 Certificates. Upon execution and annually.


ARTICLE 18 — AUDIT RIGHTS

18.1 Audit Right. Customer may audit Provider annually upon thirty (30) days' notice, and additionally following any Incident.

18.2 201 CMR 17.00 Audit Scope. Audits may specifically evaluate Provider's compliance with 201 CMR 17.00, including review of the WISP, administrative safeguards, technical safeguards, training records, terminated employee procedures, and third-party service provider contracts.

18.3 General Scope. Audits may cover access control records, vulnerability scans, penetration tests, incident records, Subprocessor agreements, training records, and BCP/DRP documentation.

18.4 Third-Party Reports. Provider shall make available SOC 2 Type II reports, ISO 27001 certifications, and penetration test summaries.

18.5 Remediation. Provider shall remediate audit findings within thirty (30) days, or within fifteen (15) days for findings rated critical.


ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING

19.1 Designated Security Coordinator (201 CMR 17.03(2)(a)). Provider MUST designate one or more employees to maintain the WISP. Provider shall provide Customer with the name and contact information of the designated employee(s).

19.2 WISP Review (201 CMR 17.03(2)(h)(i)). Provider shall regularly monitor the WISP to ensure it operates to prevent unauthorized access and shall review the scope of security measures at least annually or whenever there is a material change in business practices.

19.3 Reporting. Provider shall deliver quarterly security reports, annual security assessments (including WISP compliance status), incident reports, and ad hoc reports upon request.

19.4 Security Meetings. The Parties shall hold semi-annual security review meetings.


ARTICLE 20 — DATA RETURN AND DESTRUCTION

20.1 Data Return. Provider shall return Customer Data in an industry-standard format within thirty (30) days.

20.2 Data Destruction. Provider shall destroy all copies of Customer Data within sixty (60) days in accordance with NIST SP 800-88 Rev. 1.

20.3 Destruction Methods. Cryptographic erasure, degaussing, physical destruction, cross-cut shredding (DIN 66399 Level P-4), or cryptographic key destruction.

20.4 Certification. Provider shall deliver written certification of destruction within ten (10) Business Days.

20.5 Retention Exception. Provider may retain Customer Data only as required by law, and any retained data remains subject to the ongoing obligations of this Addendum.


ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES

21.1 Provider Indemnification. Provider shall indemnify, defend, and hold harmless Customer from all claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees and treble damages under M.G.L. c. 93A) arising from:

(a) Any Security Breach caused by Provider's failure to comply with this Addendum;
(b) Any violation of M.G.L. c. 93H attributable to Provider;
(c) Any failure to comply with 201 CMR 17.00 attributable to Provider;
(d) Any M.G.L. c. 93A claims arising from breach notification failures;
(e) Costs of eighteen (18) month credit monitoring services;
(f) Any regulatory fines, penalties, or enforcement actions.

21.2 Customer Indemnification. Customer shall indemnify Provider from claims arising from Customer's violations, provided Provider has complied with this Addendum.

21.3 Indemnification Procedures. Indemnification is subject to prompt notice of the claim, sole control of the defense, and reasonable cooperation.


ARTICLE 22 — MASSACHUSETTS-SPECIFIC LEGAL PROVISIONS

22.1 201 CMR 17.00 Compliance Certification

(a) WISP Representation. Provider represents and warrants that it maintains a Comprehensive Written Information Security Program (WISP) that complies with 201 CMR 17.00 in all material respects.

(b) Ongoing Compliance. Provider shall continuously maintain 201 CMR 17.00 compliance throughout the term of this Addendum and shall promptly notify Customer of any material deficiency in its WISP.

(c) WISP Availability. Provider shall make its WISP available to Customer for review upon reasonable request, subject to reasonable redaction of information unrelated to Customer Data. Provider shall provide a summary of WISP compliance annually.

(d) Annual WISP Review. Per 201 CMR 17.03(2)(i), Provider shall review the scope of security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing Personal Information.

(e) Third-Party Compliance Chain. Per 201 CMR 17.03(2)(f), Provider shall ensure that all Subprocessors are contractually required to implement and maintain appropriate security measures consistent with 201 CMR 17.00.

22.2 201 CMR 17.00 Technical Safeguards Summary

For clarity, Provider represents and warrants compliance with all of the following mandatory technical requirements under 201 CMR 17.04:

☐ Secure user authentication protocols with unique IDs and passwords (not vendor defaults)
☐ Control of data security passwords in secure locations/formats
☐ Restriction of access to active users and active accounts only
☐ Blocking access after multiple unsuccessful attempts
☐ Unique identifications and passwords assigned to each person with access
☐ Encryption of all Personal Information transmitted across public networks
☐ Encryption of all Personal Information transmitted wirelessly
☐ Encryption of all Personal Information stored on laptops and portable devices
☐ Reasonable monitoring for unauthorized use or access
☐ Reasonably up-to-date firewall protection on Internet-connected systems
☐ Reasonably up-to-date operating system security patches
☐ Reasonably up-to-date malware protection with current patches and virus definitions
☐ Employee education and training on computer security and Personal Information protection

22.3 Massachusetts 93A Exposure

The Parties acknowledge that violations of M.G.L. c. 93H may constitute unfair or deceptive acts under M.G.L. c. 93A, which provides:

(a) Private rights of action for consumers and businesses;
(b) Treble damages for willful or knowing violations;
(c) Reasonable attorneys' fees and costs;
(d) Injunctive relief.

Provider acknowledges this heightened exposure and shall maintain rigorous compliance to minimize 93A liability.

22.4 Massachusetts Trade Secret Protections

Provider acknowledges that Customer Data may contain Trade Secrets as defined by the Massachusetts Uniform Trade Secrets Act (M.G.L. c. 93, §§ 42 through 42G). Provider shall:

(a) Implement reasonable measures to maintain secrecy;
(b) Limit access to personnel with a need to know;
(c) Not use Trade Secrets beyond performing services;
(d) Cooperate with Customer in seeking injunctive relief under M.G.L. c. 93, § 42C;
(e) Acknowledge that MUTSA permits up to double damages for willful and malicious misappropriation under M.G.L. c. 93, § 42B.

22.5 Governing Law and Forum

(a) This Addendum shall be governed by the laws of the Commonwealth of Massachusetts, without regard to conflict-of-law principles.

(b) Exclusive jurisdiction in the state and federal courts located in the Commonwealth of Massachusetts.

(c) JURY WAIVER. EACH PARTY HEREBY WAIVES ANY RIGHT TO TRIAL BY JURY IN ANY ACTION ARISING OUT OF THIS ADDENDUM.

22.6 Late Payment

Late payments shall bear interest at six percent (6%) per annum for non-business debt, or eighteen percent (18%) per annum for business transactions, consistent with M.G.L. c. 231, § 6C, or the maximum rate permitted by law, whichever is less.


ARTICLE 23 — ELECTRONIC SIGNATURES

23.1 This Addendum may be executed electronically per the Massachusetts Uniform Electronic Transactions Act (M.G.L. c. 110G) and the federal E-SIGN Act (15 U.S.C. § 7001 et seq.).

23.2 Electronic signatures shall have the same legal effect as handwritten signatures.

23.3 Each Party consents to electronic execution.

23.4 Each Party shall retain an electronic copy.


ARTICLE 24 — GENERAL PROVISIONS

24.1 Entire Agreement. This Addendum, together with the Master Agreement, constitutes the entire agreement for security and data protection.

24.2 Amendments. Written amendments only.

24.3 Severability.

24.4 Waiver. Written waiver required.

24.5 Notices. Written notices per Master Agreement.

24.6 Term. Coextensive with the Master Agreement, surviving for any remaining data.

24.7 Counterparts. Counterparts permitted.


EXECUTION

IN WITNESS WHEREOF, the Parties have caused this Enterprise Security Addendum to be executed by their duly authorized representatives as of the Addendum Effective Date.

CUSTOMER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

PROVIDER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]


SCHEDULE A — SECURITY CONTACTS

Role                                               | Customer                           | Provider
Primary Security Contact                           | [________________________________] | [________________________________]
Secondary Security Contact                         | [________________________________] | [________________________________]
Incident Response Lead                             | [________________________________] | [________________________________]
Designated WISP Coordinator (201 CMR 17.03(2)(a))  | [________________________________] | [________________________________]
Executive Escalation                               | [________________________________] | [________________________________]

SCHEDULE B — APPROVED SUBPROCESSORS

Subprocessor Name                  | Services Provided                  | Data Processed                     | Location                           | 201 CMR 17.00 Compliant | Approval Date
[________________________________] | [________________________________] | [________________________________] | [________________________________] | ☐ Yes ☐ No              | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | ☐ Yes ☐ No              | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | ☐ Yes ☐ No              | [__/__/____]

SCHEDULE C — 201 CMR 17.00 COMPLIANCE ATTESTATION

Provider hereby attests that the following mandatory 201 CMR 17.00 requirements are satisfied:

Administrative Safeguards (201 CMR 17.03(2)):
☐ Designated WISP coordinator(s) appointed
☐ Risk identification and assessment completed
☐ Employee security training program in place
☐ Disciplinary measures established for WISP violations
☐ Terminated employee access procedures implemented
☐ Third-party service providers contractually required to maintain security
☐ Physical access restrictions in place
☐ Regular WISP monitoring established
☐ Annual security measure review conducted
☐ Incident documentation and post-incident review procedures in place

Technical Safeguards (201 CMR 17.04):
☐ Secure user authentication protocols implemented
☐ Secure access control measures with unique IDs/passwords (no vendor defaults)
☐ Encryption of all Personal Information transmitted across public networks
☐ Encryption of all Personal Information transmitted wirelessly
☐ Reasonable monitoring for unauthorized access implemented
☐ Encryption on all laptops and portable devices
☐ Reasonably up-to-date firewall protection on Internet-connected systems
☐ Reasonably up-to-date malware protection with current definitions
☐ Employee education and training on security

Last WISP Review Date: [__/__/____]

WISP Coordinator Signature: [________________________________]

Date: [__/__/____]


PRE-EXECUTION CHECKLIST

☐ Master Agreement fully executed and referenced above
☐ All blanks and variable fields completed
☐ RPO and RTO values agreed upon and inserted in Article 12
☐ Approved Subprocessor list completed in Schedule B
☐ Security contact information completed in Schedule A
☐ 201 CMR 17.00 Compliance Attestation completed in Schedule C
☐ Provider's WISP reviewed and verified
☐ Insurance certificates obtained and reviewed
☐ Provider's SOC 2 Type II or ISO 27001 certification reviewed
☐ 201 CMR 17.00 third-party service provider contract requirements met
☐ Terminated employee procedures verified for immediacy
☐ Encryption verified for all transmissions, wireless, and portable devices
☐ Credit monitoring service provider identified (for breach response)
☐ Massachusetts-licensed counsel review completed
☐ Both Parties' authorized signatories confirmed


SOURCES AND REFERENCES

  1. 201 CMR 17.00 — Standards for the Protection of Personal Information of Residents of the Commonwealth
    https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-residents-of-the-commonwealth
  2. 201 CMR 17.00 — Full Regulation Text
    https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the-commonwealth/download
  3. M.G.L. c. 93H — Security Breaches
    https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93h
  4. M.G.L. c. 93H, § 3 — Notice Requirements
    https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section3
  5. Massachusetts Requirements for Data Breach Notifications
    https://www.mass.gov/info-details/requirements-for-data-breach-notifications
  6. M.G.L. c. 93, §§ 42–42G — Massachusetts Uniform Trade Secrets Act (MUTSA)
    https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93/Section42
  7. M.G.L. c. 110G — Uniform Electronic Transactions Act
    https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter110G
  8. M.G.L. c. 93A — Consumer Protection Act
    https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93A
  9. NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization
    https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
  10. NIST Cybersecurity Framework 2.0
    https://www.nist.gov/cyberframework
  11. ISO/IEC 27001:2022
    https://www.iso.org/standard/27001
  12. OWASP Top Ten
    https://owasp.org/www-project-top-ten/