
SECURITY ADDENDUM - ENTERPRISE

State of Maryland


ADDENDUM TO MASTER SERVICES AGREEMENT

This Security Addendum ("Addendum") is entered into as of [__/__/____] ("Effective Date") by and between:

CUSTOMER:
Name: [________________________________]
Address: [________________________________]
City, State, ZIP: [________________________________]
("Customer" or "Data Controller")

SERVICE PROVIDER:
Name: [________________________________]
Address: [________________________________]
City, State, ZIP: [________________________________]
("Provider" or "Data Processor")

This Addendum supplements and is incorporated into the Master Services Agreement dated [__/__/____] between Customer and Provider ("Master Agreement"). In the event of any conflict between this Addendum and the Master Agreement regarding data security matters, this Addendum shall control.


ARTICLE 1: DEFINITIONS

1.1 "Authorized Personnel" means Provider's employees, contractors, and agents who (a) have a legitimate business need to access Personal Information, (b) have completed required security training, and (c) are bound by confidentiality obligations at least as protective as those in this Addendum.

1.2 "Biometric Data" means data generated by automatic measurements of an individual's biological characteristics, including fingerprints, voiceprints, genetic markers, retinal or iris images, or other unique biological patterns used for authentication purposes, as defined in Md. Code Com. Law § 14-3501(b).

1.3 "Breach of the Security of a System" means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of Personal Information maintained by Provider, as defined in Md. Code Com. Law § 14-3504(a).

1.4 "Customer Data" means all data, information, and materials provided by or on behalf of Customer to Provider in connection with the services, including Personal Information.

1.5 "Data Protection Impact Assessment" means a documented assessment of data processing activities that present a heightened risk of harm to consumers, as required under the Maryland Online Data Privacy Act.

1.6 "Genetic Information" means data, regardless of format, that results from the analysis of a biological sample of an individual or from another source enabling equivalent information to be obtained, and concerns genetic material including DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms, and any information extrapolated, derived, or inferred therefrom.

1.7 "Health Information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, including mental health information.

1.8 "Maryland Attorney General" means the Office of the Attorney General of the State of Maryland, Consumer Protection Division.

1.9 "Personal Information" means, as defined in Md. Code Com. Law § 14-3501(e), an individual's first name or first initial and last name in combination with any one or more of the following unencrypted data elements:
- (a) Social Security number;
- (b) Individual Taxpayer Identification Number;
- (c) Passport number or other federal identification number;
- (d) Driver's license number or State identification card number;
- (e) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that permits access to an individual's financial account;
- (f) Health information;
- (g) Health insurance policy or certificate number, or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or employer;
- (h) Biometric data;
- (i) Genetic information (for breach notification purposes); or
- (j) A username or email address in combination with a password or security question and answer that permits access to an individual's email account.

1.10 "Processing" means any operation performed on Personal Information, including collection, storage, use, disclosure, transfer, modification, or destruction.

1.11 "Security Incident" means any actual or reasonably suspected unauthorized access to, acquisition of, disclosure of, or loss of Personal Information, or any security event that may compromise the confidentiality, integrity, or availability of Customer Data.

1.12 "Sensitive Personal Information" means Personal Information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed for identification purposes, Personal Information of children, or precise geolocation data.

1.13 "Subcontractor" means any third party engaged by Provider to Process Personal Information on Provider's behalf in connection with the services.


ARTICLE 2: INFORMATION SECURITY PROGRAM

2.1 Security Program Requirements. Provider shall implement and maintain a comprehensive written information security program ("Security Program") that includes administrative, technical, and physical safeguards appropriate to the nature of the Personal Information and the nature and size of Provider's business, as required by Md. Code Com. Law § 14-3503.

2.2 Security Program Components. The Security Program shall include, at minimum:

☐ Designated security personnel responsible for program oversight
☐ Regular risk assessments identifying internal and external threats
☐ Written policies and procedures for safeguarding Personal Information
☐ Employee security awareness training program
☐ Incident response and breach notification procedures
☐ Business continuity and disaster recovery plans
☐ Vendor management and third-party risk assessment program
☐ Regular program review and updates (at least annually)

2.3 Security Program Documentation. Provider shall maintain written documentation of its Security Program, including:

☐ Information security policies and procedures
☐ Risk assessment reports and remediation plans
☐ Security training records
☐ Incident response plans and procedures
☐ Audit reports and compliance certifications
☐ Vendor security assessments

2.4 Security Standards Alignment. Provider's Security Program shall align with recognized industry standards, including:

☐ NIST Cybersecurity Framework
☐ ISO/IEC 27001:2022
☐ SOC 2 Type II
☐ CIS Controls
☐ Other: [________________________________]


ARTICLE 3: ADMINISTRATIVE SAFEGUARDS

3.1 Security Governance. Provider shall maintain:

☐ Executive-level oversight of information security
☐ Defined roles and responsibilities for security personnel
☐ Security policies approved by management
☐ Regular security program reviews by leadership
☐ Adequate budget allocation for security measures

3.2 Personnel Security. Provider shall implement:

☐ Background checks for personnel with access to Personal Information
☐ Security awareness training upon hire and annually thereafter
☐ Acknowledgment of security policies by all personnel
☐ Disciplinary procedures for policy violations
☐ Termination procedures including immediate access revocation
☐ Non-disclosure agreements for all Authorized Personnel

3.3 Risk Management. Provider shall:

☐ Conduct annual risk assessments of systems processing Personal Information
☐ Document identified risks and vulnerabilities
☐ Implement risk mitigation measures
☐ Monitor risk treatment effectiveness
☐ Report significant risks to Customer upon request

3.4 Policy Framework. Provider shall maintain written policies addressing:

☐ Acceptable use of information systems
☐ Access control and identity management
☐ Data classification and handling
☐ Incident response procedures
☐ Business continuity and disaster recovery
☐ Mobile device and remote work security
☐ Third-party and vendor management
☐ Change management procedures


ARTICLE 4: TECHNICAL SAFEGUARDS

4.1 Access Controls. Provider shall implement:

☐ Unique user identification for all system access
☐ Role-based access control (RBAC) limiting access to minimum necessary
☐ Multi-factor authentication (MFA) for remote access and privileged accounts
☐ Strong password requirements (minimum 12 characters; screening of new passwords against known-compromised password lists, consistent with NIST SP 800-63B, rather than reliance on composition rules alone)
☐ Automatic session timeout after [____] minutes of inactivity
☐ Account lockout after [____] failed authentication attempts
☐ Regular access reviews (at least quarterly)
☐ Immediate access revocation upon role change or termination

4.2 Encryption Requirements. Provider shall encrypt Personal Information as follows:

Data at Rest:
☐ AES-256 encryption or equivalent for stored Personal Information
☐ Full disk encryption on all devices storing Personal Information
☐ Database-level encryption for production systems
☐ Encryption key management procedures, with keys stored and access-controlled separately from the data they protect and rotated on a defined schedule

Data in Transit:
☐ TLS 1.2 or higher for all network transmissions
☐ Secure protocols (SFTP, HTTPS, SSH) for file transfers
☐ Certificate management procedures
☐ Prohibition of unencrypted transmission of Personal Information

4.3 Network Security. Provider shall implement:

☐ Firewalls and network segmentation
☐ Intrusion detection and prevention systems (IDS/IPS)
☐ Network access controls and monitoring
☐ Secure configuration baselines for network devices
☐ Regular vulnerability scanning (at least monthly)
☐ Annual penetration testing by qualified third party
☐ Web application firewalls for internet-facing applications

4.4 Endpoint Security. Provider shall implement:

☐ Anti-malware/anti-virus software with automatic updates
☐ Host-based intrusion detection
☐ Endpoint detection and response (EDR) capabilities
☐ Mobile device management (MDM) for devices accessing Personal Information
☐ Application allowlisting (application control) on critical systems
☐ Patch management with timely application of security updates

4.5 Logging and Monitoring. Provider shall:

☐ Log all access to systems containing Personal Information
☐ Log authentication events (successful and failed)
☐ Log administrative and privileged actions
☐ Maintain logs for minimum of [____] months (minimum 12 months required)
☐ Implement centralized log management (SIEM)
☐ Monitor logs for security events and anomalies
☐ Protect logs from unauthorized modification or deletion

4.6 Application Security. Provider shall:

☐ Follow secure software development lifecycle (SDLC) practices
☐ Conduct code reviews for security vulnerabilities
☐ Perform application security testing (SAST/DAST)
☐ Address OWASP Top 10 vulnerabilities
☐ Maintain separate development, testing, and production environments
☐ Prohibit use of production Personal Information in non-production environments


ARTICLE 5: PHYSICAL SAFEGUARDS

5.1 Facility Security. Provider shall implement:

☐ Physical access controls (key cards, biometrics, locks)
☐ Visitor management and escort procedures
☐ Video surveillance of entry points and sensitive areas
☐ Security personnel or monitoring services
☐ Environmental controls (fire suppression, climate control, water detection)
☐ Secure areas for systems processing Personal Information

5.2 Data Center Security. For facilities housing Customer Data, Provider shall maintain:

☐ 24/7 security monitoring and access control
☐ Multi-factor physical authentication for entry
☐ Mantrap or airlock entry systems
☐ Access logging and audit trails
☐ Redundant power and cooling systems
☐ Geographic separation for disaster recovery facilities

5.3 Media and Device Security. Provider shall:

☐ Maintain inventory of all media containing Personal Information
☐ Encrypt portable media and devices
☐ Secure storage of media when not in use
☐ Secure destruction of media per NIST SP 800-88 guidelines
☐ Track chain of custody for media transport
☐ Prohibit removal of Personal Information on unauthorized media

5.4 Workstation Security. Provider shall require:

☐ Clean desk policy for documents containing Personal Information
☐ Screen lock after brief periods of inactivity
☐ Physical security cables for portable devices
☐ Privacy screens for workstations in public areas
☐ Prohibition of unauthorized software installation


ARTICLE 6: INCIDENT RESPONSE AND BREACH NOTIFICATION

6.1 Incident Response Plan. Provider shall maintain a written incident response plan that includes:

☐ Incident classification and severity levels
☐ Roles and responsibilities of response team
☐ Detection and analysis procedures
☐ Containment, eradication, and recovery procedures
☐ Evidence preservation requirements
☐ Internal and external communication protocols
☐ Post-incident review and lessons learned

6.2 Incident Notification to Customer. Provider shall:

(a) Notify Customer of any Security Incident within twenty-four (24) hours of discovery;

(b) Provide Customer with the following information as it becomes available:
- Description of the incident and affected systems
- Types of Personal Information potentially compromised
- Number of individuals potentially affected
- Actions taken to contain and remediate the incident
- Point of contact for additional information

(c) Provide ongoing updates every twenty-four (24) hours until the incident is resolved.

6.3 Maryland Breach Notification Requirements. In the event of a Breach of the Security of a System involving Personal Information of Maryland residents, Provider shall comply with Md. Code Com. Law § 14-3504 as follows:

6.3.1 Investigation. Provider shall conduct a good faith, reasonable, and prompt investigation to determine the likelihood that Personal Information has been or will be misused as a result of the breach.

6.3.2 Attorney General Notification. Prior to notifying affected individuals, Provider shall (with Customer's coordination):

☐ Notify the Maryland Attorney General's Office at:
- Email: [________________________________]
- Mail: Office of the Attorney General, Attn: Security Breach Notification, 200 St. Paul Place, Baltimore, MD 21202
- Fax: (410) 576-6566

☐ Include in the AG notification:
- Number of affected Maryland residents
- Description of the breach (when and how it occurred)
- Steps taken or planned relating to the breach
- Form and sample of notice to be sent to affected individuals

6.3.3 Consumer Notification Timeline. Notification to affected Maryland residents shall be provided as soon as reasonably practicable, but not later than forty-five (45) days after discovery of the breach.

6.3.4 Consumer Notice Content. Notice to affected individuals shall include:

☐ Description of the breach and types of information compromised
☐ Toll-free numbers and addresses for credit reporting agencies:
- Equifax: 1-800-685-1111
- Experian: 1-888-397-3742
- TransUnion: 1-800-916-8800
☐ Toll-free numbers, addresses, and website addresses for the Federal Trade Commission and the Maryland Attorney General, with a statement that individuals can obtain information from these sources about steps to avoid identity theft
☐ Contact information for Provider's point of contact
☐ Description of remediation services offered (if applicable)

6.3.5 Third-Party Data Maintainer Notification. If Provider maintains Personal Information on behalf of Customer, Provider shall notify Customer of the breach within ten (10) days of discovery, as required by Md. Code Com. Law § 14-3504. This statutory outer limit does not relax the twenty-four (24) hour notification obligation in Section 6.2(a), which continues to apply.

6.3.6 Credit Monitoring Services. If the breach involves Social Security numbers or financial account information, Provider shall offer affected individuals, at Provider's expense:

☐ Credit monitoring services for a minimum of [____] months (recommended: 24 months)
☐ Identity theft protection services
☐ Instructions for placing fraud alerts and security freezes

6.4 Law Enforcement Delay. Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation. Provider shall document any such request and resume notification promptly when permitted.

6.5 Record Retention for Non-Notification. If Provider determines notification is not required, Provider shall maintain records reflecting such determination for three (3) years after the determination.

6.6 Cooperation. Provider shall cooperate fully with Customer in:

☐ Investigating the breach
☐ Preparing required notifications
☐ Responding to regulatory inquiries
☐ Implementing remediation measures
☐ Litigation support if required


ARTICLE 7: AUDIT AND COMPLIANCE

7.1 Audit Rights. Customer shall have the right to:

(a) Conduct audits of Provider's Security Program [____] times per year upon [____] business days' written notice;

(b) Engage qualified third-party auditors to conduct security assessments;

(c) Review Provider's security policies, procedures, and documentation;

(d) Interview Provider personnel regarding security practices;

(e) Inspect facilities where Customer Data is processed or stored.

7.2 Audit Scope. Audits may include:

☐ Review of security policies and procedures
☐ Assessment of technical controls
☐ Review of access control records
☐ Evaluation of incident response capabilities
☐ Physical security inspection
☐ Personnel security verification
☐ Subcontractor management review

7.3 Third-Party Audit Reports. Provider shall provide Customer, upon request, with copies of:

☐ SOC 2 Type II reports (annual)
☐ ISO 27001 certification (if applicable)
☐ Penetration testing reports (redacted as necessary)
☐ Vulnerability assessment summaries
☐ Compliance audit reports

7.4 Remediation. Provider shall:

(a) Remediate critical findings within [____] days;
(b) Remediate high-risk findings within [____] days;
(c) Remediate medium-risk findings within [____] days;
(d) Provide Customer with remediation plans and status updates;
(e) Allow Customer to verify remediation completion.

7.5 Audit Costs. Audit costs shall be borne as follows:

☐ Customer bears costs for Customer-initiated audits
☐ Provider bears costs for audits required due to security incidents
☐ Provider bears costs for providing third-party audit reports
☐ Other: [________________________________]


ARTICLE 8: SUBCONTRACTOR REQUIREMENTS

8.1 Subcontractor Approval. Provider shall:

(a) Obtain Customer's prior written approval before engaging any Subcontractor to Process Personal Information;

(b) Provide Customer with the following information for each proposed Subcontractor:
- Name and location
- Services to be provided
- Types of Personal Information to be accessed
- Security certifications and compliance status

(c) Maintain a current list of approved Subcontractors and provide updates to Customer.

8.2 Subcontractor Agreements. Provider shall ensure all Subcontractors are bound by written agreements that:

☐ Impose data protection obligations at least as protective as this Addendum
☐ Require implementation of reasonable security procedures per Md. Code Com. Law § 14-3503
☐ Grant Customer audit rights over Subcontractor
☐ Require prompt notification of Security Incidents
☐ Require compliance with applicable Maryland data protection laws
☐ Permit termination for material security breaches

8.3 Subcontractor Oversight. Provider shall:

☐ Conduct initial security assessments of all Subcontractors
☐ Perform annual security reviews of Subcontractors
☐ Monitor Subcontractor compliance with security requirements
☐ Promptly notify Customer of any Subcontractor security issues

8.4 Liability. Provider shall remain fully liable for the acts and omissions of its Subcontractors regarding Personal Information.

8.5 Current Approved Subcontractors. The following Subcontractors are approved as of the Effective Date:

Subcontractor 1
- Name: [________________________________]
- Services: [________________________________]
- Location: [________________________________]
- Security Certification: [________________________________]

Subcontractor 2
- Name: [________________________________]
- Services: [________________________________]
- Location: [________________________________]
- Security Certification: [________________________________]

Subcontractor 3
- Name: [________________________________]
- Services: [________________________________]
- Location: [________________________________]
- Security Certification: [________________________________]

ARTICLE 9: DATA HANDLING AND RESTRICTIONS

9.1 Permitted Use. Provider shall Process Personal Information only:

☐ As necessary to perform the services under the Master Agreement
☐ In accordance with Customer's documented instructions
☐ As required by applicable law (with advance notice to Customer where permitted)

9.2 Prohibited Activities. Provider shall NOT:

☐ Sell Personal Information
☐ Share Personal Information for targeted advertising purposes
☐ Use Personal Information for purposes unrelated to the contracted services
☐ Process Sensitive Personal Information except as strictly necessary
☐ Transfer Personal Information to unauthorized third parties
☐ Combine Personal Information with data from other sources without consent

9.3 Data Minimization. Provider shall:

☐ Collect only Personal Information necessary for the specified purpose
☐ Retain Personal Information only for the duration required
☐ Limit access to Personal Information on a need-to-know basis
☐ Anonymize or pseudonymize Personal Information where feasible

9.4 Data Location. Personal Information shall be processed and stored only in the following locations:

☐ United States
☐ Specific states: [________________________________]
☐ Specific facilities: [________________________________]
☐ Other approved locations: [________________________________]

9.5 Cross-Border Transfers. Provider shall not transfer Personal Information outside the approved locations without Customer's prior written consent and appropriate safeguards.

9.6 MODPA Compliance. Provider acknowledges that the Maryland Online Data Privacy Act imposes additional requirements effective October 1, 2025, including:

☐ Data protection impact assessments for high-risk processing
☐ Prohibition on selling sensitive personal information
☐ Consumer rights to access, correct, delete, and port personal data
☐ Opt-out rights for targeted advertising
☐ Enhanced protections for children's data


ARTICLE 10: DATA RETURN AND DESTRUCTION

10.1 Return of Data. Upon termination or expiration of the Master Agreement, or upon Customer's request, Provider shall:

(a) Return all Customer Data in a format reasonably requested by Customer within [____] business days;

(b) Provide Customer with documentation confirming the data returned;

(c) Cooperate with Customer in transitioning data to a successor provider.

10.2 Destruction Requirements. Following return of data (or upon Customer's instruction), Provider shall:

(a) Securely destroy all remaining copies of Customer Data within [____] business days;

(b) Use sanitization methods compliant with NIST SP 800-88 Guidelines for Media Sanitization, selected according to whether the media will leave Provider's control:
☐ Clear (logical overwrite; only for media that remains within Provider's control and is reused internally)
☐ Purge (including cryptographic erase with verified key destruction; for media that will leave Provider's control or be reused in a less trusted environment; note that overwriting alone is unreliable on flash and SSD media)
☐ Destroy (physical destruction; for media not to be reused or where Purge cannot be verified)

(c) Require Subcontractors to destroy Customer Data in their possession;

(d) Provide Customer with a written certificate of destruction that includes:
☐ Description of data destroyed
☐ Destruction method used
☐ Date of destruction
☐ Name and signature of responsible personnel

10.3 Exceptions. Provider may retain Customer Data only:

☐ As required by applicable law or regulation
☐ In encrypted backup archives for disaster recovery purposes (subject to continued protection)
☐ As necessary to resolve pending disputes

10.4 Ongoing Obligations. Provider's obligations under this Addendum shall survive with respect to any retained Customer Data until such data is destroyed.


ARTICLE 11: INSURANCE

11.1 Required Coverage. Provider shall maintain the following insurance coverage:

Cyber Liability / Technology Errors & Omissions Insurance:
☐ Minimum coverage: $[________________________________] per occurrence
☐ Minimum aggregate: $[________________________________]
☐ Coverage for: data breaches, network security failures, privacy violations, regulatory defense costs, notification costs, credit monitoring costs

Professional Liability Insurance:
☐ Minimum coverage: $[________________________________] per occurrence

General Commercial Liability Insurance:
☐ Minimum coverage: $[________________________________] per occurrence

11.2 Insurance Requirements. All policies shall:

☐ Be issued by insurers with A.M. Best rating of A- VII or better
☐ Name Customer as additional insured (where applicable)
☐ Include waiver of subrogation in favor of Customer
☐ Provide thirty (30) days' notice of cancellation or material change
☐ Be primary and non-contributory

11.3 Evidence of Coverage. Provider shall provide Customer with:

☐ Certificates of insurance upon execution of this Addendum
☐ Updated certificates upon policy renewal
☐ Copies of policies upon Customer's request


ARTICLE 12: COMPLIANCE CERTIFICATIONS

12.1 Certifications. Provider represents and certifies that it:

☐ Maintains a Security Program compliant with Md. Code Com. Law § 14-3503
☐ Has not experienced a material security breach in the past [____] months
☐ Is not aware of any pending regulatory actions related to data security
☐ Has the technical capability to fulfill its obligations under this Addendum
☐ Will promptly notify Customer of any material changes to its Security Program

12.2 Compliance Frameworks. Provider maintains compliance with the following (check all that apply):

☐ SOC 2 Type II
☐ ISO/IEC 27001:2022
☐ HIPAA (if applicable)
☐ PCI DSS (if applicable)
☐ NIST Cybersecurity Framework
☐ FedRAMP (if applicable)
☐ Other: [________________________________]

12.3 Gramm-Leach-Bliley Act Compliance. If Provider is subject to GLBA, Provider certifies compliance with GLBA security requirements, which satisfies the requirements of Md. Code Com. Law § 14-3503(c).

12.4 Annual Certification. Provider shall provide Customer with an annual written certification confirming continued compliance with this Addendum.


ARTICLE 13: INDEMNIFICATION

13.1 Provider Indemnification. Provider shall indemnify, defend, and hold harmless Customer and its officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from:

(a) Provider's breach of this Addendum;

(b) Provider's failure to comply with applicable Maryland data protection laws;

(c) Any Security Incident caused by Provider's negligence or willful misconduct;

(d) Any regulatory fines or penalties assessed against Customer due to Provider's acts or omissions;

(e) Third-party claims arising from Provider's Processing of Personal Information.

13.2 Indemnification Procedures. Customer shall:

(a) Promptly notify Provider of any claim;
(b) Allow Provider to control the defense (subject to Customer's approval of settlements affecting Customer);
(c) Cooperate with Provider in the defense;
(d) Not make admissions without Provider's consent.


ARTICLE 14: LIMITATION OF LIABILITY

14.1 Exclusions from Limitation. The limitations of liability in the Master Agreement shall NOT apply to:

(a) Provider's indemnification obligations under Article 13;

(b) Damages arising from Provider's gross negligence or willful misconduct;

(c) Damages arising from Provider's breach of confidentiality obligations;

(d) Costs of breach notification, credit monitoring, and remediation required under Maryland law;

(e) Regulatory fines and penalties.

14.2 Liability Cap for Security Matters. Notwithstanding any limitation in the Master Agreement, Provider's total liability for claims arising under this Addendum shall not exceed the greater of:

☐ $[________________________________]; or
☐ [____] times the fees paid or payable under the Master Agreement in the [____] months preceding the claim; or
☐ The limits of Provider's applicable insurance coverage.


ARTICLE 15: TERM AND TERMINATION

15.1 Term. This Addendum shall remain in effect for the duration of the Master Agreement and any period during which Provider retains Customer Data.

15.2 Termination for Breach. Customer may terminate this Addendum and the Master Agreement immediately upon written notice if:

(a) Provider experiences a material Security Incident affecting Customer Data;

(b) Provider materially breaches this Addendum and fails to cure within [____] days of notice;

(c) Provider fails to maintain required certifications or insurance.

15.3 Effect of Termination. Upon termination:

(a) Provider shall comply with the data return and destruction requirements of Article 10;

(b) Provisions of this Addendum that by their nature should survive shall survive termination;

(c) Customer's audit rights shall continue for [____] years following termination.


ARTICLE 16: GENERAL PROVISIONS

16.1 Governing Law. This Addendum shall be governed by the laws of the State of Maryland without regard to conflict of laws principles.

16.2 Dispute Resolution. Any dispute arising under this Addendum shall be resolved in accordance with the dispute resolution provisions of the Master Agreement, provided that any dispute shall be subject to the exclusive jurisdiction of the state and federal courts located in Maryland.

16.3 Entire Agreement. This Addendum, together with the Master Agreement, constitutes the entire agreement between the parties regarding data security and supersedes all prior agreements on this subject.

16.4 Amendments. This Addendum may be amended only by written agreement signed by authorized representatives of both parties.

16.5 Severability. If any provision of this Addendum is found invalid or unenforceable, the remaining provisions shall continue in full force and effect.

16.6 Waiver. No waiver of any provision shall be effective unless in writing and signed by the waiving party.

16.7 Notices. All notices under this Addendum shall be in writing and delivered to the addresses set forth above or as otherwise designated in writing.

16.8 Assignment. Provider shall not assign this Addendum without Customer's prior written consent.

16.9 Counterparts. This Addendum may be executed in counterparts, each of which shall be deemed an original.


ARTICLE 17: EXHIBITS AND ATTACHMENTS

The following exhibits are incorporated into this Addendum:

☐ Exhibit A: Detailed Security Requirements
☐ Exhibit B: Approved Subcontractor List
☐ Exhibit C: Data Processing Details
☐ Exhibit D: Incident Response Contacts
☐ Exhibit E: [________________________________]


EXECUTION

The parties have executed this Security Addendum as of the Effective Date.

CUSTOMER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

SERVICE PROVIDER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]


COMPLIANCE CHECKLIST

Prior to execution, verify completion of the following:

☐ Master Agreement executed and in effect
☐ Provider security documentation reviewed
☐ SOC 2 or equivalent audit report obtained
☐ Insurance certificates verified
☐ Subcontractor list reviewed and approved
☐ Data processing locations confirmed
☐ Breach notification procedures documented
☐ Contact information for incident response exchanged
☐ Maryland-licensed counsel review completed


KEY MARYLAND STATUTORY REQUIREMENTS SUMMARY

- Reasonable Security Practices (Md. Code Com. Law § 14-3503): ☐ Verified
- Breach Notification to affected individuals within 45 days (Md. Code Com. Law § 14-3504(b)): ☐ Verified
- Attorney General Notification before consumer notice (Md. Code Com. Law § 14-3504(e)): ☐ Verified
- Third-Party Maintainer Notice to data owner within 10 days (Md. Code Com. Law § 14-3504(g)): ☐ Verified
- Record Retention of non-notification determination for 3 years (Md. Code Com. Law § 14-3504(c)): ☐ Verified
- MODPA Requirements (Maryland Online Data Privacy Act): ☐ Verified