ENTERPRISE SECURITY ADDENDUM

State of Minnesota — Jurisdictional Version

Addendum Reference No.: [________________________________]

Effective Date: [__/__/____]

Master Agreement Reference: [________________________________]

Master Agreement Date: [__/__/____]


RECITALS

WHEREAS, [________________________________] ("Customer"), a [________________________________] organized under the laws of the State of [________________________________], with its principal place of business at [________________________________], and

WHEREAS, [________________________________] ("Provider"), a [________________________________] organized under the laws of the State of [________________________________], with its principal place of business at [________________________________], have entered into that certain Master Agreement referenced above (the "Master Agreement"); and

WHEREAS, the Master Agreement contemplates that Provider shall deliver certain enterprise software-as-a-service, cloud-hosted, or managed technology services (collectively, the "Services") to Customer that may involve the Processing of Customer Data, including Personal Information of Minnesota residents as defined under Minn. Stat. § 325E.61; and

WHEREAS, Customer requires Provider to implement and maintain a comprehensive information security program that meets or exceeds industry standards and complies with the data protection, breach notification, and consumer privacy requirements of Minnesota law, including Minn. Stat. § 325E.61 and the Minnesota Consumer Data Privacy Act (Minn. Stat. Ch. 325M); and

WHEREAS, the Parties desire to set forth the specific security obligations, controls, and procedures that Provider shall implement and maintain in connection with the Services;

NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:


ARTICLE 1 — DEFINITIONS

1.1 The following terms shall have the meanings set forth below when used in this Addendum. Capitalized terms not defined herein shall have the meanings ascribed to them in the Master Agreement.

1.2 "Access Credentials" means usernames, passwords, API keys, tokens, certificates, multi-factor authentication codes, biometric identifiers, and any other mechanism used to authenticate a user or system to Provider's infrastructure or the Services.

1.3 "Authorized Personnel" means employees, contractors, agents, or subprocessors of Provider who have undergone background screening and security training and have a demonstrated need to access Customer Data in the performance of the Services.

1.4 "Breach" or "Security Breach" means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of Personal Information maintained by the person or business, consistent with the definition of "breach of the security of the system" under Minn. Stat. § 325E.61, Subd. 1(c). Good faith acquisition of Personal Information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the Personal Information is not used or subject to further unauthorized disclosure.

1.5 "Business Continuity Plan" or "BCP" means Provider's documented plan for maintaining essential business functions during and after a disaster or disruption, including recovery procedures for the Services.

1.6 "Consumer Data" means personal data as defined under the Minnesota Consumer Data Privacy Act (Minn. Stat. Ch. 325M), which includes data that is linked or reasonably linkable to an identified or identifiable individual.

1.7 "Customer Data" means all data, information, records, documents, files, and materials provided by or on behalf of Customer, or collected, generated, or processed by Provider in connection with the Services, including Personal Information, Consumer Data, Confidential Information, and Trade Secrets.

1.8 "Data Processing" or "Processing" means any operation or set of operations performed on Customer Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

1.9 "Disaster Recovery Plan" or "DRP" means Provider's documented plan for the restoration of the Services, systems, and Customer Data following a disaster, outage, or material disruption.

1.10 "Encryption" means the process of converting data into a coded form using industry-standard cryptographic algorithms to prevent unauthorized access, rendering the data unreadable without the corresponding decryption key.

1.11 "Information Security Program" means Provider's comprehensive, written program of policies, procedures, standards, and technical, administrative, and physical safeguards designed to protect Customer Data, as more fully described in Article 3 of this Addendum.

1.12 "Key Personnel" means Provider's Chief Information Security Officer (CISO), Data Protection Officer (DPO), Security Operations Center (SOC) Manager, Incident Response Lead, and any other individuals designated by Provider as having primary responsibility for the security of Customer Data.

1.13 "NIST" means the National Institute of Standards and Technology, an agency of the United States Department of Commerce.

1.14 "Penetration Test" means a simulated cyberattack against Provider's systems, applications, and networks conducted by qualified third-party security professionals to evaluate the security posture and identify vulnerabilities.

1.15 "Personal Information" means, consistent with the definition under Minn. Stat. § 325E.61, Subd. 1(e), an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not secured by encryption or another method of technology that renders the element unreadable or unusable:

(a) Social Security number;

(b) Driver's license number or Minnesota identification card number;

(c) Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;

(d) Any security code, access code, or password that would permit access to an individual's financial account.

The term does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

1.16 "Recovery Point Objective" or "RPO" means the maximum acceptable amount of data loss measured in time, establishing the point in time to which Customer Data must be recovered following a disruption.

1.17 "Recovery Time Objective" or "RTO" means the maximum acceptable duration of time within which the Services must be restored following a disruption.

1.18 "Security Incident" means any event that may compromise the confidentiality, integrity, or availability of Customer Data or Provider's systems, but that does not rise to the level of a confirmed Breach.

1.19 "Subprocessor" means any third party engaged by Provider that Processes Customer Data on behalf of Provider in connection with the Services.

1.20 "Trade Secret" means information as defined in the Minnesota Uniform Trade Secrets Act, Minn. Stat. § 325C.01, Subd. 5, including a formula, pattern, compilation, program, device, method, technique, or process that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

1.21 "Vulnerability" means a weakness in a system, application, network, or process that could be exploited by a threat actor to compromise the confidentiality, integrity, or availability of Customer Data or the Services.


ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE

2.1 Scope. This Addendum applies to all Services provided under the Master Agreement that involve the Processing, storage, transmission, or access to Customer Data, including Personal Information and Consumer Data of Minnesota residents. This Addendum establishes the minimum security obligations of Provider.

2.2 Order of Precedence. In the event of any conflict or inconsistency between this Addendum and the Master Agreement, this Addendum shall control with respect to information security, data protection, and breach notification matters. In the event of any conflict between this Addendum and applicable Minnesota law, the more protective provision shall apply.

2.3 Incorporation. This Addendum is incorporated into and forms an integral part of the Master Agreement. All terms and conditions of the Master Agreement that are not expressly modified by this Addendum shall remain in full force and effect.

2.4 Regulatory Floor. The security requirements set forth in this Addendum represent minimum standards. Provider shall comply with all applicable federal, state, and local laws, regulations, and industry standards that impose more stringent requirements.

2.5 Minnesota Consumer Data Privacy Act (MCDPA) Compliance. The Parties acknowledge that the Minnesota Consumer Data Privacy Act (Minn. Stat. Ch. 325M), effective July 31, 2025, establishes consumer rights including the right to access, correct, delete, and obtain a copy of personal data, and the right to opt out of processing for targeted advertising, sale of personal data, and profiling. The MCDPA also provides consumers the right to request a list of specific third parties to whom the controller has disclosed the consumer's personal data. Provider shall implement and maintain technical and organizational measures sufficient to enable Customer to comply with all obligations under the MCDPA. Violations are enforceable by the Minnesota Attorney General with fines of up to $7,500 per violation.


ARTICLE 3 — INFORMATION SECURITY PROGRAM

3.1 General Obligation. Provider shall establish, implement, maintain, and continuously improve a comprehensive, written Information Security Program designed to protect Customer Data against unauthorized access, acquisition, use, disclosure, modification, destruction, or other compromise.

3.2 Framework Alignment. Provider's Information Security Program shall be aligned with and shall materially conform to the following frameworks:

(a) ISO/IEC 27001:2022 — Information Security Management System (ISMS);

(b) SOC 2 Type II — Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy);

(c) NIST Cybersecurity Framework (CSF) 2.0 — Identify, Protect, Detect, Respond, Recover, and Govern functions.

3.3 Certifications. Provider shall maintain current:

(a) ISO/IEC 27001:2022 certification covering all systems and environments used to Process Customer Data;

(b) SOC 2 Type II report covering the most recent twelve (12) month period;

(c) Provider shall furnish copies of all certifications and reports to Customer within thirty (30) days of issuance and promptly upon request.

3.4 Security Policies. Provider shall maintain documented security policies addressing, at a minimum: acceptable use, access control, asset management, business continuity, change management, cryptography, data classification, human resources security, incident management, network security, operations security, physical security, supplier relationships, and system acquisition and development.

3.5 Risk Assessments. Provider shall conduct comprehensive risk assessments at least annually, and additionally upon any material change to the Services, infrastructure, or threat landscape. Risk assessments shall follow NIST SP 800-30 or ISO 27005 methodology and shall be documented and made available to Customer upon request.

3.6 Data Protection Assessments. To the extent required by the MCDPA, Provider shall assist Customer in conducting data protection assessments for processing activities that present a heightened risk of harm to consumers, including processing for targeted advertising, profiling, sale of personal data, or processing of sensitive data.


ARTICLE 4 — ACCESS CONTROLS

4.1 Role-Based Access Control (RBAC). Provider shall implement and enforce role-based access controls ensuring that Authorized Personnel are granted access to Customer Data solely on a need-to-know, least-privilege basis commensurate with their job responsibilities.

4.2 Multi-Factor Authentication (MFA). Provider shall require multi-factor authentication for:

(a) All remote access to systems containing Customer Data;

(b) All administrative and privileged access to production environments;

(c) All access to Provider's management console or control plane;

(d) All VPN and remote desktop connections;

(e) All access to code repositories containing application code for the Services.

4.3 Access Reviews. Provider shall conduct formal access reviews on a quarterly basis to verify that:

(a) Access rights remain appropriate and are consistent with the principle of least privilege;

(b) Terminated or transferred personnel have had access promptly revoked;

(c) Dormant accounts (inactive for more than thirty (30) days) are disabled;

(d) Privileged accounts are inventoried and justified.

4.4 Password and Credential Management. Provider shall enforce password policies requiring:

(a) Minimum length of fourteen (14) characters;

(b) Complexity requirements including uppercase, lowercase, numeric, and special characters;

(c) Password expiration no less frequently than every ninety (90) days for non-MFA accounts;

(d) Account lockout after no more than five (5) consecutive failed authentication attempts;

(e) Prohibition on the reuse of the last twelve (12) passwords.

4.5 Privileged Access Management. Provider shall implement a privileged access management (PAM) solution with session recording, just-in-time access provisioning, and automatic credential rotation for all administrative and service accounts.


ARTICLE 5 — ENCRYPTION STANDARDS

5.1 Data in Transit. All Customer Data transmitted over any network shall be encrypted using:

(a) TLS 1.2 or higher for all web-based and API communications;

(b) IPsec or WireGuard VPN for site-to-site and remote connections;

(c) SFTP or SCP for file transfers (FTP is prohibited);

(d) Provider shall disable support for SSL, TLS 1.0, and TLS 1.1.

5.2 Data at Rest. All Customer Data stored in any medium shall be encrypted using:

(a) AES-256 (or equivalent) for databases, file systems, storage volumes, and backups;

(b) Full-disk encryption on all endpoints, workstations, and portable media;

(c) Envelope encryption with hardware security modules (HSMs) for key wrapping.

5.3 Key Management. Provider shall implement a key management program that includes:

(a) Generation of cryptographic keys using FIPS 140-2 Level 3 (or higher) validated modules;

(b) Separation of key management duties with dual control and split knowledge;

(c) Automated key rotation at least annually, and upon compromise or suspected compromise;

(d) Secure key storage in dedicated HSMs or equivalent FIPS-validated devices;

(e) Key revocation and destruction procedures in accordance with NIST SP 800-57.

5.4 Minnesota Encryption Safe Harbor. The Parties acknowledge that under Minn. Stat. § 325E.61, Subd. 1(e), the definition of Personal Information does not include data that is secured by encryption or another method of technology that renders the element unreadable or unusable, so long as the encryption key has not also been acquired. Encryption of Personal Information in accordance with this Article provides a safe harbor from breach notification requirements under Minnesota law.


ARTICLE 6 — NETWORK SECURITY

6.1 Network Segmentation. Provider shall implement network segmentation to isolate Customer Data environments from corporate networks, development environments, and other customer environments. Segmentation shall be enforced through firewalls, VLANs, or software-defined networking controls.

6.2 Firewalls and Access Control Lists. Provider shall deploy and maintain enterprise-grade firewalls with:

(a) Default-deny inbound and outbound rules;

(b) Stateful packet inspection;

(c) Application-layer filtering;

(d) Rule reviews at least quarterly with documentation of business justification for each rule;

(e) Geo-blocking of traffic from jurisdictions not required for the Services.

6.3 Intrusion Detection and Prevention. Provider shall deploy and maintain network-based and host-based intrusion detection and prevention systems (IDS/IPS) that:

(a) Monitor all network traffic to and from Customer Data environments;

(b) Are updated with current threat signatures and behavioral analytics;

(c) Generate alerts that are monitored by Provider's Security Operations Center (SOC) on a 24/7/365 basis;

(d) Integrate with Provider's SIEM platform for correlation and analysis.

6.4 DDoS Mitigation. Provider shall implement distributed denial-of-service (DDoS) mitigation measures including volumetric, protocol, and application-layer protections through dedicated DDoS mitigation services or content delivery networks (CDNs).

6.5 Wireless Security. Provider shall secure all wireless networks using WPA3 Enterprise or equivalent, with separate SSIDs for corporate and guest networks, and no wireless access to Customer Data environments.

6.6 DNS Security. Provider shall implement DNSSEC, DNS filtering, and monitoring of DNS queries for indicators of compromise.


ARTICLE 7 — APPLICATION SECURITY

7.1 Secure Development Lifecycle (SDLC). Provider shall maintain a secure software development lifecycle that incorporates security at every phase:

(a) Requirements — Security and privacy requirements defined and documented;

(b) Design — Threat modeling conducted for all new features and material changes;

(c) Development — Secure coding standards (OWASP, CERT) enforced via automated tooling;

(d) Testing — Security testing integrated into CI/CD pipeline;

(e) Deployment — Hardened configurations, least-privilege service accounts;

(f) Maintenance — Patch management and ongoing vulnerability monitoring.

7.2 OWASP Compliance. Provider shall test for and remediate all vulnerabilities identified in the current OWASP Top 10 and OWASP API Security Top 10 prior to production deployment.

7.3 Static Application Security Testing (SAST). Provider shall perform automated SAST on all application code at each build, with blocking rules for critical and high-severity findings.

7.4 Dynamic Application Security Testing (DAST). Provider shall perform DAST scans against staging and production environments at least monthly, with remediation in accordance with the timelines set forth in Article 8.

7.5 Software Composition Analysis (SCA). Provider shall maintain an inventory of all third-party and open-source components, monitor for known vulnerabilities (CVEs), and remediate or replace vulnerable components in accordance with Article 8.

7.6 Code Reviews. All code changes to production systems shall undergo peer review by at least one developer other than the author, with documented approval prior to merge.


ARTICLE 8 — VULNERABILITY MANAGEMENT

8.1 Scanning. Provider shall conduct authenticated vulnerability scans of all systems, networks, and applications in the Customer Data environment at least weekly, using industry-recognized scanning tools.

8.2 Remediation Timelines. Provider shall remediate identified vulnerabilities within the following timelines measured from the date of discovery or notification:

(a) Critical Severity (CVSS 9.0–10.0): Twenty-four (24) hours;

(b) High Severity (CVSS 7.0–8.9): Seven (7) calendar days;

(c) Medium Severity (CVSS 4.0–6.9): Thirty (30) calendar days;

(d) Low Severity (CVSS 0.1–3.9): Ninety (90) calendar days.

8.3 Zero-Day Vulnerabilities. Upon identification of a zero-day vulnerability affecting systems Processing Customer Data, Provider shall implement compensating controls (e.g., WAF rules, network isolation, access restrictions) within four (4) hours and permanent remediation within forty-eight (48) hours, or as soon as a patch becomes available.

8.4 Patch Management. Provider shall maintain a formal patch management program with:

(a) Automated patch deployment where feasible;

(b) Testing of patches in a staging environment prior to production deployment;

(c) Emergency patching procedures for critical vulnerabilities;

(d) Documentation of patching decisions, including risk acceptance for deferred patches.

8.5 Vulnerability Reporting. Provider shall furnish Customer with monthly vulnerability summary reports, including metrics on scan coverage, identified vulnerabilities, remediation rates, and open items.


ARTICLE 9 — LOGGING, MONITORING, AND AUDIT

9.1 Logging Requirements. Provider shall generate and maintain comprehensive audit logs for all systems Processing Customer Data, including:

(a) Authentication events (successful and failed);

(b) Authorization changes and privilege escalations;

(c) Data access, creation, modification, and deletion events;

(d) Administrative and configuration changes;

(e) Network traffic logs (flow and connection logs);

(f) Application-level events and errors;

(g) Security events (firewall, IDS/IPS, anti-malware).

9.2 Log Integrity. Provider shall ensure the integrity of audit logs through:

(a) Write-once or append-only storage mechanisms;

(b) Cryptographic hash verification;

(c) Centralized log aggregation to prevent local tampering;

(d) Separation of duties between log administrators and system administrators.

9.3 SIEM Platform. Provider shall operate a Security Information and Event Management (SIEM) platform that:

(a) Aggregates and correlates logs from all systems in real-time;

(b) Applies behavioral analytics and threat intelligence feeds;

(c) Generates automated alerts for anomalous or suspicious activity;

(d) Is monitored by qualified security analysts on a 24/7/365 basis.

9.4 Retention. Provider shall retain all security-relevant logs for a minimum of twelve (12) months in immediately accessible online storage, and for an additional twelve (12) months in secure archival storage, for a total retention period of twenty-four (24) months.

9.5 Log Access. Customer shall have the right to request and receive relevant log data pertaining to Customer Data and Customer's use of the Services within five (5) business days of such request.


ARTICLE 10 — DATA SEGREGATION AND RESIDENCY

10.1 Logical Segregation. Provider shall maintain logical segregation of Customer Data from the data of other customers and Provider's own corporate data at all layers of the architecture (application, database, storage, network, and backup).

10.2 Tenant Isolation. Where multi-tenant architecture is employed, Provider shall implement tenant isolation controls that prevent any cross-tenant data access, including through application logic, database schemas or separate databases, encryption with customer-specific keys, and network-level isolation.

10.3 Data Residency. Provider shall store and process Customer Data solely within the continental United States unless Customer provides prior written consent to a specific alternative location. Provider shall promptly notify Customer of any proposed change to data storage or processing locations.

10.4 Data Classification. Provider shall apply Customer's data classification scheme (or a comparable scheme agreed upon by the Parties) to Customer Data and implement security controls proportionate to the classification level.


ARTICLE 11 — PENETRATION TESTING

11.1 Annual Testing. Provider shall engage an independent, qualified third-party security firm to conduct comprehensive penetration testing at least annually. Testing shall include:

(a) External network penetration testing;

(b) Internal network penetration testing;

(c) Web application penetration testing (all customer-facing applications);

(d) API security testing;

(e) Social engineering and phishing assessments;

(f) Wireless network penetration testing.

11.2 Scope. Penetration testing shall cover all systems, applications, networks, and infrastructure used to Process, store, or transmit Customer Data.

11.3 Methodology. Penetration testing shall follow industry-recognized methodologies (e.g., PTES, OWASP Testing Guide, NIST SP 800-115) and shall simulate realistic threat scenarios.

11.4 Reporting. Provider shall furnish Customer with complete, unredacted penetration test reports within thirty (30) days of test completion, subject to Provider's execution of a mutual non-disclosure agreement with the testing firm where required.

11.5 Remediation. Provider shall remediate all findings in accordance with the timelines set forth in Article 8 (Vulnerability Management), measured from the date of the final penetration test report.

11.6 Customer Testing. Customer shall have the right to conduct or commission its own penetration testing of Provider's environments used for the Services, upon thirty (30) days' written notice and subject to reasonable scheduling coordination, at Customer's expense.


ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY

12.1 Business Continuity Plan. Provider shall maintain a documented Business Continuity Plan covering all aspects of the Services, including:

(a) Business impact analysis (BIA) identifying critical functions and dependencies;

(b) Succession planning for Key Personnel;

(c) Communication plans for Customer and other stakeholders;

(d) Alternative processing capabilities and facilities;

(e) Supply chain continuity measures.

12.2 Disaster Recovery Plan. Provider shall maintain a documented Disaster Recovery Plan providing for the recovery of the Services, systems, and Customer Data following a disaster or material disruption.

12.3 Recovery Objectives. Provider shall achieve the following recovery objectives:

(a) Recovery Point Objective (RPO): [____] hours — the maximum data loss measured in time;

(b) Recovery Time Objective (RTO): [____] hours — the maximum downtime for the Services.

12.4 Backup and Restoration. Provider shall:

(a) Perform automated backups of all Customer Data at least daily;

(b) Store backups in a geographically separate facility at least [____] miles from the primary data center;

(c) Encrypt all backups using AES-256 or equivalent;

(d) Test backup restoration at least quarterly and document results;

(e) Retain backups for a minimum of thirty (30) days.

12.5 Annual Testing. Provider shall test the BCP and DRP at least annually through tabletop exercises, functional tests, or full-scale simulations, and shall furnish Customer with a written summary of test results, findings, and corrective actions within thirty (30) days of each test.

12.6 Notification. Provider shall notify Customer within one (1) hour of declaring a disaster or invoking the DRP, and shall provide ongoing status updates at least every four (4) hours until full restoration.


ARTICLE 13 — INCIDENT RESPONSE AND BREACH NOTIFICATION

13.1 Incident Response Plan

Provider shall maintain a documented Incident Response Plan that includes:

(a) Defined incident classification and severity levels;

(b) Roles and responsibilities of the incident response team;

(c) Escalation procedures and communication protocols;

(d) Containment, eradication, and recovery procedures;

(e) Evidence preservation and chain of custody procedures;

(f) Post-incident review and lessons-learned processes;

(g) Integration with Minnesota-specific breach notification requirements under Minn. Stat. § 325E.61.

13.2 Incident Notification to Customer

Provider shall notify Customer of any Security Incident or Breach as follows:

(a) Initial Notification: Within twenty-four (24) hours of Provider's confirmation of a Security Incident that may involve Customer Data;

(b) Detailed Notification: Within seventy-two (72) hours, including a description of the incident, the categories and approximate number of affected records, the likely consequences, and the measures taken or proposed to address the incident;

(c) Ongoing Updates: At least daily until the incident is resolved.

13.3 Minnesota Breach Notification — Minn. Stat. § 325E.61

This section establishes obligations specific to compliance with Minnesota's breach notification statute (Data Warehouses; Notice Required for Certain Disclosures).

13.3.1 Notification Trigger. Under Minn. Stat. § 325E.61, Subd. 1, any person or business that conducts business in Minnesota and that owns or licenses data that includes Personal Information shall disclose any breach of the security of the system following discovery or notification of the breach to any resident of Minnesota whose unencrypted Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.

13.3.2 Notification Timeline. Notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the data system. Provider shall use commercially reasonable efforts to issue notifications within forty-five (45) days of discovery.

13.3.3 Consumer Reporting Agency Notification. Under Minn. Stat. § 325E.61, Subd. 2, if notification is required to more than five hundred (500) persons at one time, the person or business shall also notify, within forty-eight (48) hours, all nationwide consumer reporting agencies of the timing, distribution, and content of the notices. This forty-eight (48) hour CRA notification requirement is a distinctive feature of Minnesota law.

13.3.4 Minnesota Attorney General Notification. If the breach affects five hundred (500) or more Minnesota residents, Provider shall cooperate with Customer in notifying the Minnesota Attorney General without unreasonable delay, providing the required information about the timing, distribution, and content of notifications to affected individuals.

13.3.5 Notice Content. The breach notification shall include, at a minimum:

(a) A description of the categories of Personal Information that were the subject of the breach;

(b) The date or estimated date range of the breach;

(c) A general description of the breach incident;

(d) A description of the remedial actions taken by the entity;

(e) Contact information for the notifying entity, including toll-free telephone number, mailing address, and email address;

(f) The toll-free telephone numbers, addresses, and websites for the three major credit reporting agencies;

(g) Advice directing the individual to remain vigilant by reviewing account statements and monitoring credit reports;

(h) Contact information for the Minnesota Attorney General's Office.

13.3.6 Methods of Notice. Notice may be provided by:

(a) Written notice to the last known address of the affected individual;

(b) Electronic notice, if the person's primary method of communication with the affected individual is electronic and the notice is consistent with the provisions of 15 U.S.C. § 7001 (E-SIGN Act);

(c) Substitute notice, if the person demonstrates that the cost of providing notice would exceed Two Hundred Fifty Thousand Dollars ($250,000) or the affected class exceeds five hundred thousand (500,000) persons, or the person does not have sufficient contact information, consisting of: (i) email notice when available, (ii) conspicuous posting on the person's website, and (iii) notice to major statewide media.

13.3.7 Enforcement and Penalties. The Minnesota Attorney General has enforcement authority under Minn. Stat. § 325E.61 and may pursue civil penalties, injunctive relief, and costs. Violations may also be enforceable under the Minnesota Prevention of Consumer Fraud Act (Minn. Stat. § 325F.69) and through private rights of action. Aggrieved individuals may also pursue remedies under Minnesota common law.

13.3.8 Third-Party Data Maintainers. Under Minn. Stat. § 325E.61, Subd. 1(b), any person or business that maintains data but does not own or license the data containing Personal Information shall notify the owner or licensee of the data following discovery of a breach of the security of the data.

13.3.9 Card Issuer Notification. Under Minn. Stat. § 325E.64, in breaches involving payment card information, the entity responsible for the breach may bear liability for costs to card issuers, including costs of reissuing cards and fraudulent charges. Provider shall cooperate with Customer in complying with any such obligations.

13.4 Provider Obligations During a Breach

Provider shall:

(a) Immediately contain and investigate the Breach;

(b) Preserve all evidence and maintain chain of custody documentation;

(c) Engage qualified forensic investigators at Provider's expense;

(d) Provide Customer with complete forensic reports within thirty (30) days of incident closure;

(e) Implement corrective measures to prevent recurrence;

(f) Fund credit monitoring and identity theft protection services for affected individuals for a period of at least twenty-four (24) months;

(g) Coordinate with law enforcement as appropriate;

(h) Not issue any public statement or notification regarding the Breach without Customer's prior written approval unless legally compelled.


ARTICLE 14 — SUBPROCESSOR MANAGEMENT

14.1 Prior Approval. Provider shall not engage any Subprocessor to Process Customer Data without Customer's prior written approval. Provider shall maintain a current list of all approved Subprocessors, including their identity, location, and scope of processing.

14.2 Due Diligence. Before engaging any Subprocessor, Provider shall conduct a thorough security assessment of the Subprocessor's security practices, policies, and technical controls to ensure they meet or exceed the requirements of this Addendum.

14.3 Contractual Flow-Down. Provider shall impose on each Subprocessor, by written contract, data protection and security obligations no less protective than those imposed on Provider under this Addendum, including compliance with Minn. Stat. § 325E.61 third-party notification requirements.

14.4 Oversight and Audit. Provider shall monitor and audit each Subprocessor's compliance with security requirements at least annually and shall promptly address any deficiencies.

14.5 Liability. Provider shall remain fully liable for the acts and omissions of its Subprocessors in relation to Customer Data, as if such acts or omissions were Provider's own.

14.6 Notification of Changes. Provider shall notify Customer at least thirty (30) days in advance of any proposed addition or replacement of a Subprocessor. Customer shall have the right to object to any proposed Subprocessor and, if the objection cannot be resolved, to terminate the affected Services without penalty.

14.7 MCDPA Third-Party Disclosure Lists. Provider shall maintain records sufficient to enable Customer to respond to consumer requests under the MCDPA for a list of specific third parties to whom the consumer's personal data has been disclosed.


ARTICLE 15 — PERSONNEL SECURITY

15.1 Background Checks. Provider shall conduct comprehensive background checks on all Authorized Personnel prior to granting access to Customer Data, including criminal history, employment verification, and education verification, to the extent permitted by Minnesota law (Minn. Stat. Ch. 364).

15.2 Security Training. Provider shall require all Authorized Personnel to complete:

(a) Security awareness training upon hiring and at least annually thereafter;

(b) Role-specific security training for personnel with elevated access privileges;

(c) Phishing simulation exercises at least quarterly;

(d) Training on Minnesota-specific data protection requirements, including Minn. Stat. § 325E.61 and the MCDPA.

15.3 Confidentiality Agreements. All Authorized Personnel shall execute written confidentiality and non-disclosure agreements prior to accessing Customer Data.

15.4 Termination Procedures. Upon termination or transfer of any Authorized Personnel, Provider shall:

(a) Revoke all access to Customer Data and related systems within four (4) hours of termination;

(b) Collect and secure all company-issued devices, badges, and credentials;

(c) Conduct an exit interview addressing confidentiality obligations.


ARTICLE 16 — PHYSICAL SECURITY

16.1 Data Center Requirements. Provider shall ensure that all data centers and facilities housing Customer Data maintain the following physical security controls:

(a) 24/7/365 on-site security personnel or remote monitoring;

(b) Multi-layered perimeter security with barriers, fencing, and controlled entry points;

(c) Biometric and multi-factor authentication for facility access;

(d) Mantrap or airlock entry systems for sensitive areas;

(e) Closed-circuit television (CCTV) surveillance with recording and at least ninety (90) days retention;

(f) Environmental controls including fire suppression, climate control, water detection, and redundant power;

(g) Visitor management with photo identification, escort requirements, and access logs;

(h) SOC 2 Type II or ISO 27001 certification for all data center facilities.

16.2 Media Handling. Provider shall implement secure media handling procedures including:

(a) Encryption of all portable media containing Customer Data;

(b) Tracking and inventory of all media;

(c) Secure disposal of media using NIST SP 800-88 methods (Clear, Purge, or Destroy as appropriate);

(d) Certificates of destruction furnished to Customer upon request.


ARTICLE 17 — INSURANCE

17.1 Required Coverage. Provider shall obtain and maintain throughout the term of the Master Agreement and this Addendum, at its own expense, the following insurance coverage:

(a) Cyber Liability / Technology Errors and Omissions Insurance: No less than Five Million Dollars ($5,000,000) per occurrence and in the aggregate, covering:
- Data breach response costs, including notification, credit monitoring, and forensic investigation;
- Network security liability;
- Privacy liability;
- Media liability;
- Regulatory defense and penalties;
- PCI-DSS fines and assessments;
- Cyber extortion and ransomware;
- Payment card industry liability, including costs to card issuers under Minn. Stat. § 325E.64;

(b) Professional Liability / Errors and Omissions Insurance: No less than Two Million Dollars ($2,000,000) per occurrence and in the aggregate;

(c) Commercial General Liability Insurance: No less than One Million Dollars ($1,000,000) per occurrence and Two Million Dollars ($2,000,000) in the aggregate;

(d) Workers' Compensation Insurance: As required by Minnesota law (Minn. Stat. Ch. 176).

17.2 Policy Requirements. All insurance policies shall:

(a) Be issued by insurers with an A.M. Best rating of A- VII or better;

(b) Name Customer as an additional insured on the CGL policy;

(c) Provide a waiver of subrogation in favor of Customer;

(d) Require the insurer to provide Customer with thirty (30) days' prior written notice of cancellation or material modification;

(e) Be primary and non-contributory with respect to any insurance maintained by Customer.

17.3 Evidence of Insurance. Provider shall furnish certificates of insurance to Customer upon execution of this Addendum and annually thereafter, and promptly upon request.


ARTICLE 18 — AUDIT RIGHTS

18.1 Customer Audit Rights. Customer shall have the right, at its own expense and upon thirty (30) days' prior written notice, to audit Provider's compliance with this Addendum. Such audit may include:

(a) On-site inspection of facilities, systems, and records;

(b) Review of policies, procedures, and security documentation;

(c) Interviews with Key Personnel and Authorized Personnel;

(d) Review of penetration test reports, vulnerability scan results, and incident response records;

(e) Testing of technical controls.

18.2 Frequency. Customer may conduct audits up to once per year under normal circumstances, and at any time following a Security Incident, Breach, or material change in Provider's security posture.

18.3 Third-Party Auditors. Customer may engage qualified third-party auditors to conduct audits on its behalf, subject to such auditors executing a non-disclosure agreement acceptable to Provider.

18.4 Cooperation. Provider shall cooperate fully with all audits, provide timely access to facilities, systems, records, and personnel, and respond to audit findings with a remediation plan within fifteen (15) business days.

18.5 Regulatory Audits. Provider shall cooperate with audits or examinations by any regulatory authority with jurisdiction over Customer, including the Minnesota Attorney General's Office and the Minnesota Department of Commerce.


ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING

19.1 Security Governance Committee. The Parties shall establish a joint Security Governance Committee consisting of designated representatives from each Party, which shall meet at least quarterly to:

(a) Review Provider's security posture and compliance with this Addendum;

(b) Discuss emerging threats, vulnerabilities, and security trends;

(c) Review incident reports and security metrics;

(d) Address any security concerns raised by either Party;

(e) Review and approve changes to security policies and procedures.

19.2 Security Reporting. Provider shall furnish Customer with the following reports:

(a) Monthly: Vulnerability scan summaries, patch compliance metrics, and security incident summaries;

(b) Quarterly: Access review results, security awareness training completion rates, and KPI dashboards;

(c) Annually: Penetration test reports, risk assessment results, BCP/DRP test results, SOC 2 Type II reports, and ISO 27001 certification status;

(d) Ad Hoc: Any material change in security posture, key personnel, or Subprocessor arrangements.

19.3 Key Performance Indicators. Provider shall track and report on the following security KPIs:

(a) Mean time to detect (MTTD) security incidents;

(b) Mean time to respond (MTTR) to security incidents;

(c) Vulnerability remediation rates by severity;

(d) Patch compliance percentage;

(e) Security training completion rates;

(f) Uptime and availability of the Services.


ARTICLE 20 — DATA RETURN AND DESTRUCTION

20.1 Data Return. Upon expiration or termination of the Master Agreement, or upon Customer's written request at any time, Provider shall:

(a) Return all Customer Data to Customer in a mutually agreed-upon, industry-standard, machine-readable format within thirty (30) calendar days;

(b) Provide reasonable assistance to Customer in migrating Customer Data, at Provider's standard professional services rates (unless termination is due to Provider's breach, in which case at no charge).

20.2 Data Destruction. Following confirmation of successful data return, or upon Customer's written instruction, Provider shall:

(a) Securely destroy all copies of Customer Data in Provider's possession or control, including copies in backup systems, disaster recovery environments, and archival storage;

(b) Perform such destruction in accordance with NIST SP 800-88 Rev. 1 guidelines (Clear, Purge, or Destroy as appropriate to the media type);

(c) Furnish Customer with a written certificate of destruction, signed by an authorized officer of Provider, within fifteen (15) calendar days of destruction;

(d) Ensure that the certificate specifies the data destroyed, the method of destruction, the date of destruction, and the identity of the person who performed the destruction.

20.3 Retention Exception. Provider may retain Customer Data only to the extent required by applicable law, regulation, or court order, provided that Provider: (a) notifies Customer of such retention requirement, (b) limits retention to the minimum data and duration required, and (c) continues to protect such retained data in accordance with this Addendum.

20.4 Subprocessor Data. Provider shall ensure that all Subprocessors return or destroy Customer Data in accordance with the same standards set forth in this Article.


ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES

21.1 Provider Indemnification. Provider shall defend, indemnify, and hold harmless Customer, its officers, directors, employees, agents, and affiliates from and against all claims, demands, actions, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees and court costs) arising from or related to:

(a) Any Breach of Customer Data caused by Provider's negligence, willful misconduct, or failure to comply with this Addendum;

(b) Provider's failure to comply with Minn. Stat. § 325E.61, the Minnesota Consumer Data Privacy Act (Minn. Stat. Ch. 325M), or any other applicable data protection law;

(c) Any unauthorized access to, acquisition of, or disclosure of Customer Data resulting from Provider's failure to implement or maintain the security controls required by this Addendum;

(d) Any regulatory investigation, enforcement action, fine, or penalty arising from Provider's acts or omissions with respect to Customer Data, including fines of up to $7,500 per violation under the MCDPA;

(e) Any third-party claims arising from a Breach, including card issuer claims under Minn. Stat. § 325E.64, class action lawsuits, individual claims, and regulatory proceedings.

21.2 Costs and Expenses. Provider's indemnification obligations shall include, without limitation:

(a) Costs of breach notification to affected individuals, the Attorney General, and consumer reporting agencies;

(b) Credit monitoring and identity theft protection services;

(c) Forensic investigation costs;

(d) Public relations and crisis management costs;

(e) Call center costs for affected individuals;

(f) Regulatory fines and penalties;

(g) Card reissuance and fraud liability costs under Minn. Stat. § 325E.64;

(h) Costs of litigation defense and settlement.

21.3 Limitation. The indemnification obligations under this Article shall not be subject to any limitation of liability caps set forth in the Master Agreement, unless expressly stated otherwise in a separate written amendment executed by both Parties.


ARTICLE 22 — STATE-SPECIFIC LEGAL PROVISIONS — MINNESOTA

22.1 Governing Law. This Addendum shall be governed by and construed in accordance with the laws of the State of Minnesota, without regard to its conflict of laws principles.

22.2 Venue and Jurisdiction. Any dispute, claim, or controversy arising out of or relating to this Addendum shall be brought exclusively in the state or federal courts located in Hennepin County, Minnesota, or such other county as may be agreed by the Parties. Each Party irrevocably consents to the exclusive jurisdiction and venue of such courts.

22.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY MINNESOTA LAW, EACH PARTY HEREBY KNOWINGLY, VOLUNTARILY, AND IRREVOCABLY WAIVES ALL RIGHT TO A TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS ADDENDUM OR THE TRANSACTIONS CONTEMPLATED HEREBY.

22.4 Trade Secret Protection. Provider acknowledges that Customer Data may contain Trade Secrets as defined in the Minnesota Uniform Trade Secrets Act (Minn. Stat. Ch. 325C). Provider shall maintain all such Trade Secrets in strict confidence and shall implement protections consistent with Minn. Stat. § 325C.01, Subd. 5, including reasonable measures to maintain secrecy. In the event of misappropriation, Customer shall be entitled to all remedies available under the Act, including injunctive relief (§ 325C.02), damages (§ 325C.03), and attorneys' fees (§ 325C.04).

22.5 Computer Crime. Provider acknowledges that unauthorized access to or modification of Customer Data may constitute a computer crime under Minn. Stat. § 609.891, which provides for criminal penalties and civil remedies.

22.6 Minnesota Consumer Data Privacy Act (MCDPA). Provider shall cooperate with Customer in complying with the Minnesota Consumer Data Privacy Act (Minn. Stat. Ch. 325M, effective July 31, 2025), including but not limited to:

(a) Honoring consumer rights to access, correct, delete, and obtain a portable copy of personal data;

(b) Responding to consumer requests for a list of specific third parties to whom personal data has been disclosed;

(c) Implementing mechanisms to facilitate consumer opt-out requests for targeted advertising, sale of personal data, and profiling;

(d) Conducting data protection assessments as required;

(e) Maintaining appropriate technical and organizational safeguards for consumer data;

(f) Complying with data minimization and purpose limitation requirements;

(g) Honoring universal opt-out mechanisms recognized under the MCDPA;

(h) Providing transparency through privacy notices regarding data collection and processing practices.

22.7 Payment Card Breach Liability. The Parties acknowledge that under Minn. Stat. § 325E.64, entities responsible for breaches involving payment card data may bear liability to card issuers for costs of reissuing cards and unauthorized charges. Provider shall implement enhanced security measures for payment card data environments and shall indemnify Customer against claims arising under this provision due to Provider's negligence.

22.8 Late Payment Interest. Any amounts due under this Addendum that are not paid when due shall bear interest at the rate of six percent (6%) per annum, or such higher rate as may be specified in the Master Agreement, not to exceed eight percent (8%) per annum, in accordance with Minnesota law.

22.9 Consumer Fraud Prevention. This Addendum shall be interpreted consistently with the Minnesota Prevention of Consumer Fraud Act (Minn. Stat. § 325F.69), and Provider shall not engage in any fraudulent, deceptive, or misleading acts or practices in connection with its handling of Customer Data.


ARTICLE 23 — ELECTRONIC SIGNATURES

23.1 Validity. This Addendum may be executed by electronic signature in accordance with the Minnesota Uniform Electronic Transactions Act, Minn. Stat. Ch. 325L. The Parties agree that electronic signatures shall have the same legal effect, validity, and enforceability as manual ink signatures.

23.2 Legal Recognition. Pursuant to the Minnesota UETA, a record or signature may not be denied legal effect or enforceability solely because it is in electronic form. A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation.

23.3 Consent to Electronic Records. Each Party consents to the use of electronic records and electronic signatures in connection with this Addendum and all related communications and documents, in accordance with Minnesota UETA.

23.4 Retention of Electronic Records. Electronic records of this Addendum shall be retained in accordance with the Minnesota UETA and shall be accessible and capable of being accurately reproduced for later reference.

23.5 Counterparts. This Addendum may be executed in one or more counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument. Delivery of an executed counterpart by electronic transmission (including PDF, DocuSign, or other secure electronic signature platform) shall be effective as delivery of a manually executed counterpart.


ARTICLE 24 — GENERAL PROVISIONS

24.1 Entire Agreement. This Addendum, together with the Master Agreement and all exhibits, schedules, and attachments hereto, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, negotiations, and discussions, whether oral or written, relating to the security of Customer Data.

24.2 Amendment. This Addendum may not be amended, modified, or supplemented except by a written instrument executed by authorized representatives of both Parties.

24.3 Waiver. No waiver of any provision of this Addendum shall be effective unless in writing and signed by the Party against whom the waiver is sought to be enforced. No failure or delay by either Party in exercising any right or remedy shall operate as a waiver thereof.

24.4 Severability. If any provision of this Addendum is held to be invalid, illegal, or unenforceable under Minnesota law, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, and the remaining provisions shall continue in full force and effect.

24.5 Assignment. Neither Party may assign this Addendum or any of its rights or obligations hereunder without the prior written consent of the other Party, which consent shall not be unreasonably withheld; provided, however, that either Party may assign this Addendum to an affiliate or in connection with a merger, acquisition, or sale of all or substantially all of its assets.

24.6 Notices. All notices required or permitted under this Addendum shall be in writing and shall be delivered by hand, certified mail (return receipt requested), or recognized overnight courier service to the addresses set forth below, or to such other address as a Party may designate by written notice.

24.7 Survival. The provisions of this Addendum that by their nature should survive expiration or termination of the Master Agreement shall so survive, including without limitation the obligations related to data return/destruction, indemnification, confidentiality, breach notification, and audit rights.


ARTICLE 25 — EXECUTION

Compliance Checklist (Pre-Execution):

☐ Master Agreement fully executed and referenced herein

☐ Provider's Information Security Program documentation reviewed by Customer

☐ Provider's most recent SOC 2 Type II report reviewed by Customer

☐ Provider's ISO 27001 certification verified

☐ Provider's most recent penetration test report reviewed by Customer

☐ Subprocessor list reviewed and approved by Customer

☐ Insurance certificates reviewed and verified by Customer

☐ RPO and RTO values agreed upon and documented in Section 12.3

☐ Data residency requirements confirmed

☐ Minnesota Consumer Data Privacy Act compliance measures reviewed

☐ Payment card data handling requirements confirmed (Minn. Stat. § 325E.64)

☐ Minnesota-licensed legal counsel has reviewed this Addendum for both Parties

☐ Key Personnel and escalation contacts identified

☐ Security Governance Committee members designated


SIGNATURE BLOCKS

IN WITNESS WHEREOF, the Parties have caused this Enterprise Security Addendum to be executed by their duly authorized representatives as of the Effective Date.

CUSTOMER

Field Details
Legal Entity Name: [________________________________]
Authorized Signatory Name: [________________________________]
Title: [________________________________]
Signature: [________________________________]
Date: [__/__/____]
Email: [________________________________]
Phone: [________________________________]

PROVIDER

Field Details
Legal Entity Name: [________________________________]
Authorized Signatory Name: [________________________________]
Title: [________________________________]
Signature: [________________________________]
Date: [__/__/____]
Email: [________________________________]
Phone: [________________________________]

EXHIBIT A — SECURITY CONTACT INFORMATION

| Role | Name | Email | Phone | Escalation Order |
|---|---|---|---|---|
| Customer Security Lead | [________________________________] | [________________________________] | [________________________________] | 1 |
| Customer Legal Counsel | [________________________________] | [________________________________] | [________________________________] | 2 |
| Customer Executive Sponsor | [________________________________] | [________________________________] | [________________________________] | 3 |
| Provider CISO | [________________________________] | [________________________________] | [________________________________] | 1 |
| Provider Incident Response Lead | [________________________________] | [________________________________] | [________________________________] | 2 |
| Provider Account Executive | [________________________________] | [________________________________] | [________________________________] | 3 |

EXHIBIT B — APPROVED SUBPROCESSOR LIST

| Subprocessor Name | Service Provided | Data Processed | Location | Approval Date |
|---|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |

SOURCES AND REFERENCES

  1. Minnesota Data Breach Notification — Minn. Stat. § 325E.61: https://www.revisor.mn.gov/statutes/cite/325E.61
  2. Minnesota Access Device Fraud — Minn. Stat. § 325E.64: https://www.revisor.mn.gov/statutes/cite/325E.64
  3. Minnesota Consumer Data Privacy Act (MCDPA) — Minn. Stat. Ch. 325M: https://www.revisor.mn.gov/statutes/cite/325M
  4. Minnesota Uniform Trade Secrets Act — Minn. Stat. Ch. 325C: https://www.revisor.mn.gov/statutes/cite/325C
  5. Minnesota Uniform Electronic Transactions Act — Minn. Stat. Ch. 325L: https://www.revisor.mn.gov/statutes/cite/325L
  6. Minnesota Computer Crime — Minn. Stat. § 609.891: https://www.revisor.mn.gov/statutes/cite/609.891
  7. Minnesota Attorney General — Data Privacy: https://ag.state.mn.us/Data-Privacy/
  8. NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
  9. NIST SP 800-88 Rev. 1 — Media Sanitization: https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
  10. ISO/IEC 27001:2022: https://www.iso.org/standard/27001

This Enterprise Security Addendum is intended for use on the ezel.ai platform and must be reviewed by Minnesota-licensed legal counsel before execution. Last updated: 2026-02-21.
