SECURITY ADDENDUM (ENTERPRISE SAAS)
Michigan Jurisdictional Version
Addendum Reference No.: [________________________________]
Effective Date: [__/__/____]
RECITALS
This Security Addendum ("Addendum") is entered into as of the Effective Date set forth above by and between:
Provider:
Name: [________________________________]
Address: [________________________________]
State of Organization: [________________________________]
("Provider" or "Service Provider")
AND
Customer:
Name: [________________________________]
Address: [________________________________]
State of Organization: [________________________________]
("Customer" or "Client")
Each individually a "Party" and collectively the "Parties."
WHEREAS, the Parties have entered into a Master Services Agreement, SaaS Subscription Agreement, or similar agreement dated [__/__/____] (the "Master Agreement") pursuant to which Provider delivers certain software-as-a-service and related technology services to Customer;
WHEREAS, the performance of services under the Master Agreement requires Provider to access, process, store, or transmit data belonging to or entrusted to Customer, including data that may be subject to protection under Michigan law, specifically the Identity Theft Protection Act (MCL §§ 445.61 to 445.79d) and the Michigan Insurance Data Security Law (MCL §§ 500.550 to 500.565);
WHEREAS, Customer requires that Provider implement and maintain comprehensive information security controls to protect Customer Data from unauthorized access, use, disclosure, alteration, or destruction;
NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, the Parties agree as follows:
ARTICLE 1 — DEFINITIONS
1.1 The following terms shall have the meanings set forth below. Capitalized terms not defined herein have the meanings in the Master Agreement.
1.2 "Authorized Users" means individuals granted access to Provider Systems in accordance with this Addendum.
1.3 "Confidential Information" means all non-public information disclosed by one Party to the other, including trade secrets as defined under the Michigan Uniform Trade Secrets Act (MCL § 445.1902), meaning information, including a formula, pattern, compilation, program, device, method, technique, or process, that derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
1.4 "Customer Data" means all data provided by or on behalf of Customer, or collected, generated, or processed by Provider on Customer's behalf under the Master Agreement.
1.5 "Data Breach" means a security breach as defined under MCL § 445.63(b), meaning the unauthorized access and acquisition of data that compromises the security or confidentiality of Personal Information maintained by a person or agency as part of a database of personal information. For purposes of this Addendum, "Data Breach" also includes any Security Incident resulting in unauthorized access to, acquisition of, or exfiltration of Customer Data, whether or not such incident meets the statutory threshold.
1.6 "Data Processing" means any operation performed on Customer Data, whether by automated means or otherwise.
1.7 "DPA" means a Data Processing Agreement addressing specific processing obligations.
1.8 "Encryption Standard" means AES-256 at rest and TLS 1.2+ in transit, at minimum.
1.9 "High-Risk Data" means Customer Data that, if compromised, could cause significant harm, including Social Security numbers, driver's license numbers, state identification card numbers, financial account numbers, and authentication credentials.
1.10 "Information Security Program" means Provider's comprehensive written security program as described in Article 3.
1.11 "Malware" means malicious software including viruses, worms, trojans, ransomware, spyware, rootkits, and keyloggers.
1.12 "Personal Information" means, consistent with MCL § 445.63(a), the first name or first initial and last name of a resident of Michigan linked to one or more of the following data elements of that resident:
(a) Social Security number;
(b) Driver license number or state personal identification card number;
(c) Demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident's financial accounts.
Personal Information does not include information that is lawfully made available to the general public from federal, state, or local government records or information that has been encrypted.
1.13 "Provider Systems" means all IT infrastructure, platforms, applications, networks, servers, databases, and storage used to process Customer Data.
1.14 "Security Incident" means any event compromising or potentially compromising the confidentiality, integrity, or availability of Provider Systems or Customer Data.
1.15 "Subprocessor" means any third party engaged by Provider to process Customer Data.
1.16 "Vulnerability" means a weakness exploitable to compromise Customer Data.
ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE
2.1 Scope. This Addendum applies to all services involving Customer Data under the Master Agreement.
2.2 Order of Precedence. This Addendum prevails for information security, data protection, and breach notification matters.
2.3 Regulatory Compliance. Provider shall comply with applicable industry regulations (HIPAA, GLBA, PCI DSS, SOX, Michigan Insurance Data Security Law) as notified by Customer.
2.4 Michigan-Specific Context. Michigan imposes specific penalties for knowing failure to comply with breach notification requirements, including civil fines of up to $250 per failure with an aggregate cap of $750,000 per breach. MCL § 445.72(11). Michigan also has a specific Insurance Data Security Law (MCL §§ 500.550-565) imposing written information security program requirements on insurance licensees. The Parties shall ensure compliance with all applicable Michigan statutes.
2.5 Incorporation. This Addendum forms part of the Master Agreement.
ARTICLE 3 — INFORMATION SECURITY PROGRAM
3.1 Written Security Program. Provider shall maintain a comprehensive Information Security Program designed to protect the security, confidentiality, integrity, and availability of Customer Data.
3.2 Framework Alignment.
☐ ISO/IEC 27001:2022
☐ SOC 2 Type II
☐ NIST Cybersecurity Framework (CSF) 2.0
☐ NIST SP 800-53
☐ CIS Critical Security Controls (v8)
3.3 Risk Assessment. Annual comprehensive risk assessment with documented treatment plans.
3.4 Security Officer.
Name: [________________________________]
Title: [________________________________]
Contact: [________________________________]
3.5 Annual Review. Annual program review; material change summaries within thirty (30) days.
3.6 Policy Documentation. Written policies for access control, asset management, business continuity, cryptography, HR security, incident management, network security, operational security, physical security, supplier relationships, system development, and compliance.
ARTICLE 4 — ACCESS CONTROLS
4.1 Role-Based Access Control. Least-privilege RBAC.
4.2 Multi-Factor Authentication. Required for remote access, administrative access, management consoles, customer portals, and VPN.
4.3 Privileged Access Management. Unique identification, time-limited elevation, session logging, separation of duties, ninety (90) day credential rotation.
4.4 Access Reviews. Quarterly reviews.
4.5 Onboarding and Offboarding. Twenty-four (24) hour revocation; four (4) hours for involuntary terminations.
4.6 Password Policies. Fourteen (14) characters, complexity, twenty-four (24) history, five (5) attempt lockout, ninety (90) day expiration for non-MFA.
4.7 Session Management. Fifteen (15) minute inactivity timeout.
ARTICLE 5 — ENCRYPTION STANDARDS
5.1 Encryption in Transit. TLS 1.2+ with strong cipher suites.
5.2 Encryption at Rest. AES-256 for all Customer Data.
5.3 Key Management. HSM storage, separation, annual rotation, documented procedures.
5.4 Certificate Management. Inventory, monitoring, timely renewal.
5.5 Encryption of Backups. Equal to production standards.
5.6 Field-Level Encryption. For Social Security numbers, driver's license numbers, financial account numbers, and other High-Risk Data.
5.7 Encryption and Michigan Breach Notification. Under MCL § 445.63(a), encrypted data is excluded from the Personal Information definition. However, MCL § 445.72(1)(b) requires notification when encrypted Personal Information is accessed by a person with unauthorized access to the encryption key. Provider shall protect both encrypted data and encryption keys.
ARTICLE 6 — NETWORK SECURITY
6.1 Network Segmentation. Isolation of Customer Data environments.
6.2 Firewalls. Enterprise-grade with default-deny, quarterly reviews.
6.3 Intrusion Detection and Prevention. IDS/IPS with daily updates.
6.4 DDoS Mitigation. Traffic scrubbing, rate limiting, capacity planning.
6.5 VPN Requirements. Encrypted VPN; no split tunneling.
6.6 Wireless Security. WPA3 or WPA2-Enterprise minimum, segmented.
6.7 DMZ Architecture. Internet-facing systems separated; no Customer Data in DMZ.
ARTICLE 7 — APPLICATION SECURITY
7.1 Secure SDLC. Security throughout development.
7.2 OWASP Top 10. Testing against OWASP Top 10 and API Security Top 10.
7.3 Code Reviews. Mandatory peer reviews.
7.4 SAST/DAST. SAST before production; DAST quarterly.
7.5 Dependency Scanning. SBOM and automated scanning.
7.6 API Security. Authentication, authorization, rate limiting, validation, logging.
7.7 Input Validation. Server-side validation.
ARTICLE 8 — VULNERABILITY MANAGEMENT
8.1 Vulnerability Scanning. Weekly external; monthly internal.
8.2 Remediation SLAs.
| Severity Level | Description | Remediation Timeline |
|---|---|---|
| Critical (CVSS 9.0-10.0) | Active exploitation or imminent threat | 24 hours |
| High (CVSS 7.0-8.9) | Significant risk | 7 calendar days |
| Medium (CVSS 4.0-6.9) | Moderate risk | 30 calendar days |
| Low (CVSS 0.1-3.9) | Minimal risk | 90 calendar days |
8.3 Patch Management. Monitoring, testing, emergency procedures, documentation.
8.4 Zero-Day Response. Assessment, controls within four (4) hours, notification within twenty-four (24) hours, permanent fix upon availability.
ARTICLE 9 — LOGGING, MONITORING, AND AUDIT
9.1 Centralized Logging. SIEM or equivalent.
9.2 Logging Requirements. Authentication, authorization changes, data access, admin changes, security events, system events, file integrity alerts.
9.3 Log Retention. Twelve (12) months accessible; twelve (12) months archived. Thirty-six (36) months for incidents.
9.4 Log Integrity. Write-once or cryptographic hashing.
9.5 Real-Time Alerting. 24/7 security operations.
9.6 Audit Trail. Complete, immutable trail.
ARTICLE 10 — DATA SEGREGATION AND RESIDENCY
10.1 Logical Tenant Isolation. Segregation from other customer data.
10.2 Data Residency. United States unless otherwise agreed. Sixty (60) days' notice of changes.
10.3 Cross-Border Transfer Restrictions. No transfer outside US without consent.
10.4 Data Classification. Public, Internal, Confidential, Restricted levels.
ARTICLE 11 — PENETRATION TESTING
11.1 Annual Testing. Independent third-party testing.
11.2 Scope. All systems processing Customer Data.
11.3 Methodology. OWASP Testing Guide, PTES, or NIST SP 800-115.
11.4 Reporting. Under NDA within thirty (30) days.
11.5 Remediation Tracking. Per Article 8 SLAs; status within sixty (60) days.
11.6 Customer Testing. Permitted upon thirty (30) days' notice.
ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY
12.1 BC/DR Plans. Written, tested plans.
12.2 Recovery Objectives.
(a) RPO: [____] hours;
(b) RTO: [____] hours.
12.3 Geographic Redundancy. Minimum [____] miles separation.
12.4 Annual Testing. Results shared within thirty (30) days.
12.5 Failover Procedures. Automated where feasible.
12.6 Customer Notification. Within one (1) hour of unplanned DR invocation.
ARTICLE 13 — INCIDENT RESPONSE AND MICHIGAN-SPECIFIC BREACH NOTIFICATION
13.1 Incident Response Plan. Written plan tested annually.
13.2 Incident Classification.
| Priority | Description | Initial Response Time | Escalation Timeline |
|---|---|---|---|
| P1 — Critical | Confirmed Data Breach; active exfiltration; ransomware | 30 minutes | Immediate executive notification |
| P2 — High | Unauthorized access to Customer Data systems; exploited vulnerability | 2 hours | Within 4 hours to Customer |
| P3 — Medium | Attempted access; adjacent Malware; policy violation | 8 hours | Within 24 hours to Customer |
| P4 — Low | Reconnaissance; failed attacks; minor violations | 24 hours | Regular reporting |
13.3 Customer Notification of Security Incidents. P1/P2 per Section 13.2:
Primary Security Contact: [________________________________]
Phone: [________________________________]
Email: [________________________________]
Secondary Security Contact: [________________________________]
Phone: [________________________________]
Email: [________________________________]
13.4 Incident Notification Contents. Date/time, nature, data types, records/individuals, containment, impact assessment, incident lead contact.
13.5 Michigan Statutory Breach Notification Requirements. In the event of a Data Breach involving Personal Information of Michigan residents, the following requirements apply under the Michigan Identity Theft Protection Act (MCL §§ 445.61 to 445.79d):
(a) Investigation and Harm Assessment. Upon discovering a security breach, a person or agency must determine whether the breach has or is likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents. MCL § 445.72(1). If the person or agency determines that the breach has not and is not likely to cause substantial loss or injury or identity theft, no individual notification is required. This harm assessment is a critical initial step under Michigan law.
(b) Notification Timeline. Provider shall assist Customer in providing notification to affected individuals without unreasonable delay. A person or agency may delay providing notice to take measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database. MCL § 445.72(4). Michigan law does not prescribe a fixed number of days for general notification, but delay must not be unreasonable.
(c) Notification Triggers. Notification is required when:
- A resident's unencrypted and unredacted Personal Information was accessed and acquired by an unauthorized person; OR
- A resident's Personal Information was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key. MCL § 445.72(1).
This dual trigger means encryption alone is not a complete safe harbor if the encryption key is also compromised.
(d) Written Notice Content. Under MCL § 445.72(5), the written notice to affected individuals must include, at minimum:
- (i) A description of the security breach in general terms;
- (ii) A description of the type of Personal Information that is the subject of the unauthorized access or use;
- (iii) A general description of the actions taken to protect the Personal Information from further security breach;
- (iv) A telephone number where the individual can obtain assistance or additional information;
- (v) Reminder to remain vigilant by reviewing account statements and monitoring credit reports.
(e) Notification Recipients.
- Affected Individuals: Written notice to each Michigan resident whose Personal Information was subject to the breach.
- Consumer Reporting Agencies: After providing notice to individuals, the person or agency must also notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis (as defined in 15 U.S.C. § 1681a(p)) without unreasonable delay. MCL § 445.72(6). Note: Michigan requires CRA notification for all breaches requiring individual notice, not just those exceeding a threshold number.
(f) Third-Party Data Holder Notification. If Provider maintains a database that includes Personal Information on behalf of Customer, and Provider discovers a security breach or receives notice of a breach, Provider must notify Customer immediately after the discovery or receipt of notification of the security breach. MCL § 445.72(2). Provider shall cooperate with Customer and Customer has the right to take independent action to provide notice.
(g) Form of Notification. Notice may be provided by:
- Written notice sent to the affected individual at the individual's last known mailing address;
- Written notice sent electronically if the individual has expressly consented to receive electronic notice;
- Substitute Notice — if the person or agency demonstrates that the cost of notice will exceed $250,000, the affected class exceeds 500,000 individuals, or the person does not have sufficient contact information. Substitute notice consists of: (i) email notice if available; (ii) conspicuous posting on the person's website; and (iii) notification to major statewide media. MCL § 445.72(5)(d).
(h) Law Enforcement Delay. Notification may be delayed if a law enforcement agency determines that notice may impede a criminal investigation or homeland security investigation and provides a written request for a delay. MCL § 445.72(4).
(i) Enforcement and Penalties. Under MCL § 445.72(11):
- A person that knowingly fails to provide any notice required under MCL § 445.72 may be ordered to pay a civil fine of not more than $250 for each failure to provide notice;
- The aggregate liability for civil fines arising from the same security breach shall not exceed $750,000;
- The Michigan Attorney General or a prosecuting attorney may bring an action to recover civil fines;
- The statute does not explicitly create a private right of action for breach notification violations, though affected individuals may pursue claims under other theories including common law negligence.
(j) Residual Liability. A person or agency that provides notice and acts in good faith compliance with MCL § 445.72 is not liable in a civil action for a security breach. MCL § 445.72(10). This good-faith compliance safe harbor is a significant Michigan-specific provision.
13.6 Michigan Insurance Data Security Law. If Customer is a licensee subject to the Michigan Insurance Data Security Law (MCL §§ 500.550 to 500.565), Provider shall cooperate with Customer in:
(a) Maintaining a written information security program as required by MCL § 500.555 (required for licensees with 25 or more employees);
(b) Conducting risk assessments as required by the Act;
(c) Notifying the Michigan Director of the Department of Insurance and Financial Services (DIFS) within ten (10) days after determining that a cybersecurity event has occurred. MCL § 500.561;
(d) Complying with third-party service provider due diligence and oversight requirements;
(e) Providing annual compliance certifications where applicable.
13.7 Cooperation with Customer's Incident Response. Full cooperation including access to logs, personnel availability, evidence preservation, and communications support.
13.8 Forensic Investigation. Independent forensic firm for P1 incidents; cost borne by Provider if caused by non-compliance.
13.9 Root Cause Analysis. For P1/P2 incidents: analysis within thirty (30) days, corrective actions, written report, post-incident review.
ARTICLE 14 — SUBPROCESSOR MANAGEMENT
14.1 Approval Process. Prior written consent; thirty (30) days' advance notice.
14.2 Current Subprocessor List. Exhibit A or: [________________________________].
14.3 Flow-Down Requirements. Obligations no less protective than this Addendum, including the immediate notification obligation under MCL § 445.72(2) for third-party data holders and compliance with the Michigan Insurance Data Security Law's third-party service provider requirements if applicable.
14.4 Right to Object. Fifteen (15) day objection; thirty (30) day resolution; termination right.
14.5 Subprocessor Audit Rights. Annual audit exercise.
14.6 Provider Responsibility. Full responsibility for Subprocessor acts and omissions.
ARTICLE 15 — PERSONNEL SECURITY
15.1 Background Checks. Conducted to the extent permitted by Michigan and federal law.
15.2 Security Training. Annual training covering Michigan-specific requirements, including the harm assessment requirement, immediate third-party notification, CRA notification for all breaches, and the $750,000 aggregate penalty cap for knowing non-compliance.
15.3 Acceptable Use Policies. Written and enforced.
15.4 Non-Disclosure Agreements. All personnel bound by NDAs consistent with the Michigan Uniform Trade Secrets Act (MCL §§ 445.1901 to 445.1910).
15.5 Termination Procedures. Prompt revocation, device return, data handling.
ARTICLE 16 — PHYSICAL SECURITY
16.1 Data Center Requirements. 24/7 security, multi-factor physical access, video surveillance (ninety (90) day retention), mantrap entry, perimeter security.
16.2 SOC 2 Type II Certification. Required for all facilities.
16.3 Visitor Management. ID verification, logging, escort, badges.
16.4 Environmental Controls. Redundant HVAC, fire detection/suppression, water detection, UPS/generators, redundant network.
16.5 Media Destruction. Per NIST SP 800-88 Rev. 1 with certificates.
ARTICLE 17 — INSURANCE REQUIREMENTS
17.1 Cyber Liability Insurance. Five Million Dollars ($5,000,000) minimum, covering breach response, regulatory proceedings, cyber extortion, business interruption, and third-party claims.
17.2 Errors and Omissions Insurance. Two Million Dollars ($2,000,000) minimum.
17.3 General Commercial Liability. One Million Dollars ($1,000,000) per occurrence; Two Million Dollars ($2,000,000) aggregate.
17.4 Evidence of Coverage. Certificates within ten (10) business days and annually.
17.5 Notice of Cancellation. Thirty (30) days' prior written notice.
17.6 No Limitation of Liability. Insurance does not limit Provider's liability.
ARTICLE 18 — AUDIT RIGHTS
18.1 Customer Audit Rights. Annual upon thirty (30) days' notice; additional for incidents or deficiencies.
18.2 Audit Scope. Policies, facilities, personnel, logs, testing, compliance.
18.3 Third-Party Audit Acceptance.
☐ SOC 2 Type II Report
☐ ISO/IEC 27001 Certification
☐ SOC 1 Type II Report
☐ PCI DSS Report on Compliance
☐ HITRUST CSF Certification
18.4 Regulatory Audit Cooperation. Full cooperation with the Michigan Attorney General, Michigan Department of Insurance and Financial Services (DIFS), and applicable federal regulators.
18.5 Audit Cost Allocation. Customer bears costs unless material failure found.
18.6 Remediation. Written plan within fifteen (15) business days.
ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING
19.1 Quarterly Security Reviews. Joint meetings.
19.2 Annual Security Assessment. Program effectiveness, risk assessments, testing results, incidents, framework compliance, policy changes, roadmap.
19.3 Security Metrics and KPIs. Quarterly: MTTD, MTTR, vulnerability remediation, patch compliance, training, incidents, uptime.
19.4 Executive Security Briefings. CISO available upon request.
ARTICLE 20 — DATA RETURN AND DESTRUCTION
20.1 Data Return. Industry-standard format within thirty (30) days.
20.2 Data Destruction. All copies within sixty (60) days.
20.3 Destruction Standards. NIST SP 800-88 Rev. 1.
20.4 Certification. Written within ten (10) business days.
20.5 Retention Exceptions. Only as required by law.
ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES
21.1 Provider Indemnification. Claims arising from non-compliance, Data Breaches from negligence or misconduct, failure to comply with MCL §§ 445.61-445.79d or MCL §§ 500.550-565, and regulatory actions.
21.2 Notification and Remediation Costs. Includes:
(a) Notification to affected individuals per MCL § 445.72;
(b) Consumer reporting agency notification per MCL § 445.72(6);
(c) Credit monitoring and identity theft protection for twenty-four (24) months minimum;
(d) Forensic investigation;
(e) Public relations and crisis communications;
(f) Civil fines of up to $250 per failure / $750,000 aggregate under MCL § 445.72(11);
(g) Michigan DIFS penalties if applicable under the Insurance Data Security Law;
(h) Other regulatory fines to the extent insurable.
21.3 Carve-Out from Liability Cap. Indemnification, confidentiality breaches, willful misconduct, gross negligence, and Article 13 obligations exempt from caps.
21.4 Customer Indemnification. Customer indemnifies Provider from Customer's non-compliance.
ARTICLE 22 — MICHIGAN-SPECIFIC LEGAL PROVISIONS
22.1 Governing Law. Michigan law, without conflict of laws principles.
22.2 Venue and Jurisdiction. Exclusive jurisdiction in Michigan state or federal courts in:
County: [________________________________]
22.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY IRREVOCABLY WAIVES ANY RIGHT TO JURY TRIAL IN ANY PROCEEDING ARISING FROM THIS ADDENDUM.
22.4 Injunctive Relief. Either Party may seek injunctive relief without proving actual damages or posting bond, to the extent permitted by Michigan law.
22.5 Alternative Dispute Resolution. Binding arbitration under AAA Commercial Rules in [________________________________], Michigan, at either Party's election.
22.6 Michigan Identity Theft Protection Act. The Parties acknowledge that the Michigan Attorney General and prosecuting attorneys enforce MCL § 445.72, with civil fines of up to $250 per failure and $750,000 aggregate per breach. A person acting in good faith compliance with MCL § 445.72 is not liable in a civil action for the security breach. MCL § 445.72(10). Provider shall cooperate with Customer in any enforcement action or investigation.
22.7 Michigan Uniform Trade Secrets Act. Confidential Information may constitute trade secrets under MCL §§ 445.1901 to 445.1910. Remedies include injunctive relief (MCL § 445.1903), compensatory damages (MCL § 445.1904), and in cases of willful and malicious misappropriation, exemplary damages not exceeding twice the compensatory damages. The statute of limitations is three (3) years after the misappropriation is discovered or should have been discovered. MCL § 445.1906.
22.8 Michigan Insurance Data Security Law. If Customer is subject to the Michigan Insurance Data Security Law (MCL §§ 500.550-565), Provider shall comply with all applicable third-party service provider requirements, including maintaining appropriate security measures and cooperating with Customer's oversight obligations. Insurance licensees with 25 or more employees must maintain a written information security program (WISP). Cybersecurity events must be reported to DIFS within ten (10) days.
22.9 Statutory Interest Rate. Unpaid amounts shall bear interest at five percent (5%) per annum, or such rate not exceeding seven percent (7%) per annum as may be agreed in writing, or at the maximum rate permitted by Michigan law, whichever is less.
ARTICLE 23 — ELECTRONIC SIGNATURES
23.1 UETA Compliance. This Addendum may be executed by electronic signature in accordance with the Michigan Uniform Electronic Transactions Act (MCL §§ 450.831 to 450.849). Electronic signatures shall have the same legal effect as manual signatures pursuant to MCL § 450.837.
23.2 Federal E-SIGN Act. Also subject to 15 U.S.C. § 7001 et seq.
23.3 Electronic Records. Electronic records satisfy writing requirements per MCL § 450.837.
23.4 Consent to Electronic Delivery. Each Party consents to electronic delivery except where physical delivery is required.
ARTICLE 24 — GENERAL PROVISIONS
24.1 Entire Agreement. This Addendum and the Master Agreement constitute the complete agreement.
24.2 Amendments. Written agreement signed by both Parties.
24.3 Severability. Invalid provisions modified; remaining provisions continue.
24.4 Assignment. No assignment without consent, except for merger or acquisition.
24.5 Notices. Written by personal delivery, certified mail, or overnight courier.
24.6 Survival. Articles 1, 13, 14.6, 15.4, 20, 21, 22, 23, and 24 survive termination.
24.7 Counterparts. Execution in counterparts permitted.
24.8 Force Majeure. No liability for causes beyond reasonable control, excluding payment and breach notification obligations.
ARTICLE 25 — SIGNATURE BLOCKS
IN WITNESS WHEREOF, the Parties have executed this Security Addendum as of the Effective Date.
PROVIDER
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
Email: [________________________________]
Representation of Authority: The undersigned represents and warrants full legal authority to bind Provider.
CUSTOMER
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
Email: [________________________________]
Representation of Authority: The undersigned represents and warrants full legal authority to bind Customer.
EXHIBIT A — SUBPROCESSOR LIST
| Subprocessor Name | Processing Activity | Data Location | Security Certifications |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
EXHIBIT B — SECURITY CONTACT INFORMATION
Provider Security Contacts:
| Role | Name | Phone | Email |
|---|---|---|---|
| CISO / Security Officer | [________________________________] | [________________________________] | [________________________________] |
| Incident Response Lead | [________________________________] | [________________________________] | [________________________________] |
| Privacy Officer | [________________________________] | [________________________________] | [________________________________] |
| Security Operations (24/7) | [________________________________] | [________________________________] | [________________________________] |
Customer Security Contacts:
| Role | Name | Phone | Email |
|---|---|---|---|
| Primary Security Contact | [________________________________] | [________________________________] | [________________________________] |
| Secondary Security Contact | [________________________________] | [________________________________] | [________________________________] |
| Legal / Privacy Contact | [________________________________] | [________________________________] | [________________________________] |
| Executive Sponsor | [________________________________] | [________________________________] | [________________________________] |
SOURCES AND REFERENCES
- Michigan Identity Theft Protection Act — MCL §§ 445.61 to 445.79d
https://www.legislature.mi.gov/Laws/MCL?objectName=MCL-ACT-452-OF-2004
- Michigan Breach Notification — MCL § 445.72
https://www.legislature.mi.gov/Laws/MCL?objectName=MCL-445-72
- Michigan Personal Information Definition — MCL § 445.63
https://www.legislature.mi.gov/Laws/MCL?objectName=MCL-445-63
- Michigan Insurance Data Security Law — MCL §§ 500.550 to 500.565
https://www.michigan.gov/difs/industry/licensing-ins/data-security/main-page
- Michigan Uniform Trade Secrets Act — MCL §§ 445.1901 to 445.1910
https://www.legislature.mi.gov/Laws/MCL?objectName=mcl-Act-448-of-1998
- Michigan Uniform Electronic Transactions Act — MCL §§ 450.831 to 450.849
- Michigan DIFS — Cybersecurity Event Reporting
https://www.michigan.gov/difs/industry/industry-news/cybersecurity-event-and-attestation-update-notification
- NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization
https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
- OWASP Top 10
https://owasp.org/www-project-top-ten/
This template is provided for informational purposes only and does not constitute legal advice. An attorney licensed in Michigan must review and customize this document before execution. Legal requirements may change over time; verify all statutory citations before use.
Prepared for use on the ezel.ai platform.