
SECURITY ADDENDUM (ENTERPRISE SAAS)

Mississippi Jurisdictional Version

Addendum Reference No.: [________________________________]

Effective Date: [__/__/____]


RECITALS

This Security Addendum ("Addendum") is entered into as of the Effective Date set forth above by and between:

Provider:
Name: [________________________________]
Address: [________________________________]
State of Organization: [________________________________]
("Provider" or "Service Provider")

AND

Customer:
Name: [________________________________]
Address: [________________________________]
State of Organization: [________________________________]
("Customer" or "Client")

Each individually a "Party" and collectively the "Parties."

WHEREAS, the Parties have entered into a Master Services Agreement, SaaS Subscription Agreement, or similar agreement dated [__/__/____] (the "Master Agreement") pursuant to which Provider delivers certain software-as-a-service and related technology services to Customer;

WHEREAS, the performance of services under the Master Agreement requires Provider to access, process, store, or transmit data belonging to or entrusted to Customer, including data that may be subject to protection under Mississippi law, including Miss. Code Ann. § 75-24-29 and the Mississippi Insurance Data Security Law (Miss. Code Ann. §§ 83-5-801 to 83-5-825);

WHEREAS, Customer requires that Provider implement and maintain comprehensive information security controls to protect Customer Data from unauthorized access, use, disclosure, alteration, or destruction;

WHEREAS, the Parties desire to memorialize their respective obligations regarding information security, data protection, and breach notification in accordance with Mississippi law and applicable federal regulations;

NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:


ARTICLE 1 — DEFINITIONS

1.1 The following terms shall have the meanings set forth below when used in this Addendum. Capitalized terms not defined herein shall have the meanings ascribed to them in the Master Agreement.

1.2 "Authorized Users" means individuals who have been granted access to Provider Systems by Customer or Provider in accordance with this Addendum, including employees, contractors, agents, and third parties with a legitimate business need to access Customer Data.

1.3 "Confidential Information" means all non-public information disclosed by one Party to the other in connection with this Addendum or the Master Agreement, including trade secrets as defined under the Mississippi Uniform Trade Secrets Act (Miss. Code Ann. § 75-26-3), business plans, technical data, security configurations, audit results, and vulnerability assessments.

1.4 "Customer Data" means all data, information, records, documents, files, and materials provided by or on behalf of Customer to Provider, or collected, generated, or processed by Provider on Customer's behalf in the course of performing services under the Master Agreement, regardless of format or medium.

1.5 "Data Breach" means a breach of security as defined under Miss. Code Ann. § 75-24-29, constituting the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of Personal Information maintained by a person or business conducting business in Mississippi, and that causes, or is reasonably believed to cause, identity theft or other fraud to any resident of Mississippi. For purposes of this Addendum, "Data Breach" also includes any Security Incident that results in the unauthorized access to, acquisition of, or exfiltration of Customer Data, whether or not such incident meets the statutory threshold for notification.

1.6 "Data Processing" means any operation or set of operations performed on Customer Data, whether by automated means or otherwise, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

1.7 "DPA" means a Data Processing Agreement or Data Processing Addendum that may be executed between the Parties to address specific data processing obligations, including those arising under applicable federal or international data protection regulations.

1.8 "Encryption Standard" means, at a minimum, Advanced Encryption Standard (AES) with a key length of 256 bits for data at rest, and Transport Layer Security (TLS) version 1.2 or higher for data in transit, or such stronger encryption standards as may become industry standard during the Term.

1.9 "High-Risk Data" means Customer Data that, if disclosed, altered, or destroyed without authorization, could cause significant harm to individuals or Customer, including Social Security numbers, financial account numbers, health information, biometric data, authentication credentials, and any data classified as "High" or "Critical" under the data classification framework established in this Addendum.

1.10 "Information Security Program" means Provider's comprehensive, written program of policies, procedures, and controls designed to protect the security, confidentiality, integrity, and availability of Customer Data, as more fully described in Article 3 of this Addendum.

1.11 "Malware" means any software, code, or program designed to disrupt, damage, or gain unauthorized access to computer systems, including viruses, worms, trojans, ransomware, spyware, adware, rootkits, keyloggers, and any other malicious or unauthorized code.

1.12 "Personal Information" means, consistent with Miss. Code Ann. § 75-24-29(a), an individual's first name or first initial and last name in combination with any one or more of the following data elements when the name or data element is not encrypted or redacted: (a) Social Security number; (b) driver's license number or state identification card number; or (c) financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. Personal Information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

1.13 "Provider Systems" means all information technology infrastructure, platforms, applications, networks, servers, databases, storage systems, and related components owned, operated, managed, or controlled by Provider and used to process, store, or transmit Customer Data.

1.14 "Security Incident" means any event that actually or potentially compromises the confidentiality, integrity, or availability of Provider Systems or Customer Data, including unauthorized access attempts, denial-of-service attacks, Malware infections, phishing incidents, physical security breaches, and any other event that triggers investigation or response by Provider's security team.

1.15 "Subprocessor" means any third party engaged by Provider to process Customer Data on Provider's behalf in connection with the services provided under the Master Agreement, including cloud infrastructure providers, managed service providers, data center operators, and any subcontractor with access to Customer Data.

1.16 "Vulnerability" means a weakness in Provider Systems, software, hardware, or processes that could be exploited by a threat actor to compromise the confidentiality, integrity, or availability of Customer Data, as identified through vulnerability scanning, penetration testing, or other assessment methods.


ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE

2.1 Scope. This Addendum applies to all services provided by Provider to Customer under the Master Agreement that involve the access, processing, storage, transmission, or handling of Customer Data through Provider Systems. This Addendum governs Provider's information security obligations regardless of whether Customer Data is processed within or outside the State of Mississippi.

2.2 Order of Precedence. In the event of any conflict or inconsistency between the terms of this Addendum and the terms of the Master Agreement, the terms of this Addendum shall prevail with respect to information security, data protection, and breach notification matters. In the event of any conflict between this Addendum and any service order, statement of work, or other ancillary agreement, the terms of this Addendum shall take precedence unless the conflicting provision in such ancillary agreement expressly references this Addendum by name and states that it is intended to supersede a specific provision hereof.

2.3 Regulatory Compliance. To the extent Customer is subject to industry-specific regulations (including but not limited to the Mississippi Insurance Data Security Law, Miss. Code Ann. §§ 83-5-801 to 83-5-825; HIPAA; GLBA; PCI DSS; or SOX), Provider shall comply with the applicable security requirements of such regulations as they pertain to Customer Data processed by Provider. Customer shall notify Provider in writing of any such regulatory requirements at the time of execution of this Addendum or promptly upon becoming subject to new requirements.

2.4 Incorporation. This Addendum is incorporated into and forms part of the Master Agreement. All terms, conditions, representations, warranties, and obligations of the Master Agreement not expressly modified by this Addendum shall remain in full force and effect.


ARTICLE 3 — INFORMATION SECURITY PROGRAM

3.1 Written Security Program. Provider shall establish, implement, and maintain a comprehensive, written Information Security Program that contains administrative, technical, and physical safeguards appropriate to the size, complexity, and scope of Provider's business activities, the nature and sensitivity of Customer Data processed, and the requirements of this Addendum. The Information Security Program shall be designed to:

(a) Protect the security, confidentiality, integrity, and availability of Customer Data;

(b) Protect against any anticipated threats or hazards to the security or integrity of Customer Data;

(c) Protect against unauthorized access to or use of Customer Data that could result in substantial harm or inconvenience to Customer or any individual;

(d) Ensure the proper disposal of Customer Data in accordance with Article 21 of this Addendum.

3.2 Framework Alignment. Provider's Information Security Program shall be aligned with one or more of the following recognized security frameworks, as selected by Provider and approved by Customer:

☐ ISO/IEC 27001:2022 (Information Security Management Systems)
☐ SOC 2 Type II (Trust Services Criteria)
☐ NIST Cybersecurity Framework (CSF) 2.0
☐ NIST SP 800-53 (Security and Privacy Controls)
☐ CIS Critical Security Controls (v8)

3.3 Risk Assessment. Provider shall conduct a comprehensive risk assessment of Provider Systems at least annually, and additionally upon any material change to Provider's technology infrastructure, business operations, or threat landscape. Risk assessments shall identify threats and vulnerabilities, assess the likelihood and impact of potential security events, and result in documented risk treatment plans with assigned ownership and target remediation dates.

3.4 Security Officer. Provider shall designate a qualified individual as its Chief Information Security Officer ("CISO") or equivalent security officer with responsibility for the development, implementation, oversight, and enforcement of the Information Security Program. Provider shall notify Customer within thirty (30) days of any change in the individual serving in this role. The designated security officer as of the Effective Date is:

Name: [________________________________]
Title: [________________________________]
Contact: [________________________________]

3.5 Annual Review. Provider shall review and update the Information Security Program at least annually, and more frequently as necessary, to address changes in technology, threat landscape, regulatory requirements, and the results of risk assessments. Provider shall provide Customer with a summary of material changes to the Information Security Program within thirty (30) days of implementation.

3.6 Policy Documentation. Provider shall maintain written security policies addressing, at minimum, the following domains: access control, asset management, business continuity, cryptography, human resource security, incident management, network security, operational security, physical security, supplier relationships, system acquisition and development, and compliance.


ARTICLE 4 — ACCESS CONTROLS

4.1 Role-Based Access Control (RBAC). Provider shall implement role-based access controls to ensure that Authorized Users are granted only the minimum level of access necessary to perform their assigned duties (principle of least privilege). Access rights shall be defined based on job function, department, and business need, and shall be documented in an access control matrix.

4.2 Multi-Factor Authentication (MFA). Provider shall require multi-factor authentication for:

(a) All remote access to Provider Systems;
(b) All administrative or privileged access to systems containing Customer Data;
(c) All access to management consoles, cloud infrastructure portals, and security tools;
(d) All access to Customer-facing portals and dashboards;
(e) All VPN connections to Provider's network.

4.3 Privileged Access Management (PAM). Provider shall implement a privileged access management program that includes:

(a) Unique identification and authentication for all privileged accounts;
(b) Time-limited elevation of privileges (just-in-time access) where technically feasible;
(c) Logging and monitoring of all privileged access sessions;
(d) Separation of duties to prevent any single individual from having unchecked privileged access;
(e) Regular rotation of privileged account credentials, not less frequently than every ninety (90) days.

4.4 Access Reviews. Provider shall conduct formal access reviews at least quarterly to verify that:

(a) All active user accounts correspond to current Authorized Users;
(b) Access rights are appropriate for each user's current role and responsibilities;
(c) Privileged access is limited to personnel with a demonstrated business need;
(d) Former employees, contractors, and terminated users have been promptly deprovisioned;
(e) Service accounts and system accounts are inventoried and appropriately restricted.

4.5 Onboarding and Offboarding. Provider shall implement documented procedures for granting access upon personnel onboarding and revoking access upon personnel offboarding, including:

(a) Provisioning of access only after appropriate authorization and background check completion;
(b) Revocation of all access within twenty-four (24) hours of employment or engagement termination;
(c) Revocation of all access within four (4) hours for involuntary terminations or for-cause separations;
(d) Return or secure destruction of all devices, tokens, and credentials upon departure.

4.6 Password Policies. Provider shall enforce password policies that require, at minimum:

(a) Minimum length of fourteen (14) characters;
(b) Complexity requirements including uppercase, lowercase, numeric, and special characters;
(c) Prohibition against reuse of the previous twenty-four (24) passwords;
(d) Automatic account lockout after no more than five (5) consecutive failed login attempts;
(e) Password expiration not to exceed ninety (90) days for non-MFA accounts.

4.7 Session Management. Provider shall enforce automatic session timeouts after a maximum of fifteen (15) minutes of inactivity for sessions involving access to Customer Data. Concurrent session limitations shall be implemented for privileged accounts.


ARTICLE 5 — ENCRYPTION STANDARDS

5.1 Encryption in Transit. All Customer Data transmitted over public networks, wireless networks, or any network not exclusively controlled by Provider shall be encrypted using TLS version 1.2 or higher, negotiating only cipher suites that provide forward secrecy and authenticated encryption (for example, ECDHE key exchange with AES-GCM or ChaCha20-Poly1305). Provider shall disable support for all versions of SSL and for TLS versions below 1.2, and shall disable TLS compression and legacy cipher suites (RC4, 3DES, export-grade, NULL, and anonymous key exchange).
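The following is an added illustration of how the Section 5.1 floor can be expressed and checked in code; it is not Provider's code and not part of the Addendum. It uses Python's standard ssl module to build a server context that meets the clause and an audit function that reports any deviation from it. The weak-suite marker list and the OpenSSL cipher string are the editor's own choices, and the check assumes a Python build linked against OpenSSL 1.1.0 or later (needed for minimum_version).

```python
"""Audit an ssl.SSLContext against the Section 5.1 floor.

Added example for this Addendum; it is not Provider's code, and the marker
list and cipher string below are editorial choices, not clause text.
"""
import ssl

MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Name fragments that identify suites below the 5.1 floor (assumed list).
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ADH", "AECDH")


def hardened_server_context() -> ssl.SSLContext:
    """A server context that satisfies 5.1: TLS 1.2+, forward secrecy, AEAD only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION          # SSLv3, TLS 1.0 and TLS 1.1 refused
    # ECDHE gives forward secrecy; AES-GCM and ChaCha20-Poly1305 are AEAD.
    # TLS 1.3 suites are configured separately by OpenSSL and stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!PSK:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION       # rules out CRIME-style attacks
    return ctx


def audit_cipher_names(names):
    """Return the cipher suite names that fail the floor (empty list means clean)."""
    bad = []
    for name in names:
        upper = name.upper()
        # A bare "-SHA" suffix means CBC mode with HMAC-SHA1, a legacy construction.
        if any(marker in upper for marker in WEAK_MARKERS) or upper.endswith("-SHA"):
            bad.append(name)
    return bad


def audit_context(ctx: ssl.SSLContext):
    """List every way ctx deviates from 5.1; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append("minimum protocol version below TLS 1.2")
    enabled = ctx.get_ciphers()                # list of dicts reported by OpenSSL
    for suite in enabled:
        if suite["protocol"] in ("SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"):
            findings.append(f"suite negotiable below TLS 1.2: {suite['name']}")
    findings += [f"weak cipher suite enabled: {name}"
                 for name in audit_cipher_names(s["name"] for s in enabled)]
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    print("hardened context findings:", audit_context(hardened_server_context()))
```

The audit function is the useful half: run it against the context an application actually constructs, not against the reference context, so that a later configuration change that re-enables TLS 1.0 or a CBC suite shows up as a finding rather than silently passing.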

5.2 Encryption at Rest. All Customer Data stored on Provider Systems, including primary databases, replicated databases, data warehouses, file systems, and backup storage, shall be encrypted using AES-256 or an equivalent or stronger encryption standard.

5.3 Key Management. Provider shall implement a formal cryptographic key management program that includes:

(a) Secure generation of encryption keys using cryptographically secure random number generators;
(b) Secure storage of encryption keys in dedicated hardware security modules (HSMs) or equivalent key vaults;
(c) Separation of encryption keys from the data they protect;
(d) Key rotation at least annually, and immediately upon suspected compromise;
(e) Secure key destruction upon expiration or revocation;
(f) Documented key management procedures with defined roles and responsibilities.

5.4 Certificate Management. Provider shall maintain a certificate management program that includes an inventory of all digital certificates, automated monitoring of certificate expiration dates, and procedures for timely renewal and replacement of certificates before expiration.

5.5 Encryption of Backups. All backup copies of Customer Data shall be encrypted to the same standard as production data. Backup encryption keys shall be managed in accordance with Section 5.3 and stored separately from backup media.

5.6 Field-Level Encryption. For High-Risk Data elements, including Social Security numbers, financial account numbers, and authentication credentials, Provider shall implement field-level encryption or tokenization to provide an additional layer of protection beyond volume-level or database-level encryption.


ARTICLE 6 — NETWORK SECURITY

6.1 Network Segmentation. Provider shall implement network segmentation to isolate environments processing Customer Data from other network segments, including corporate networks, development environments, and other customer environments. Segmentation shall be enforced through firewalls, virtual local area networks (VLANs), or software-defined networking controls.

6.2 Firewalls. Provider shall deploy and maintain enterprise-grade firewalls at all network perimeters and at boundaries between network segments. Firewall rules shall be reviewed at least quarterly and follow a default-deny policy, permitting only traffic that is explicitly authorized.

6.3 Intrusion Detection and Prevention. Provider shall deploy intrusion detection systems (IDS) and intrusion prevention systems (IPS) at critical network points, including network perimeters and segments processing Customer Data. IDS/IPS signatures and rules shall be updated at least daily.

6.4 DDoS Mitigation. Provider shall implement distributed denial-of-service (DDoS) mitigation measures, including traffic scrubbing, rate limiting, and capacity planning, sufficient to maintain service availability during volumetric, protocol, and application-layer attacks.

6.5 VPN Requirements. All remote administrative access to Provider Systems shall be conducted through encrypted virtual private network (VPN) tunnels or equivalent secure connectivity mechanisms. Split tunneling shall be prohibited for VPN connections used to access Customer Data.

6.6 Wireless Security. Any wireless networks within Provider facilities that have connectivity to systems processing Customer Data shall use WPA3 encryption (or WPA2-Enterprise at minimum), shall be segmented from wired networks, and shall require individual authentication credentials.

6.7 DMZ Architecture. Provider shall implement a demilitarized zone (DMZ) architecture to separate internet-facing systems from internal systems processing Customer Data. No Customer Data shall be stored in the DMZ. All traffic from the internet to internal systems shall traverse the DMZ and be subject to inspection and filtering.


ARTICLE 7 — APPLICATION SECURITY

7.1 Secure Software Development Lifecycle (SDLC). Provider shall implement a secure SDLC that integrates security requirements, threat modeling, secure coding practices, code review, and security testing throughout all phases of software development and deployment.

7.2 OWASP Top 10. Provider shall ensure that all applications processing Customer Data are tested for and protected against the vulnerabilities identified in the current OWASP Top 10 and OWASP API Security Top 10. Provider shall document remediation of any identified vulnerabilities prior to deployment to production.

7.3 Code Reviews. Provider shall require peer code reviews with security focus for all changes to applications that process Customer Data. Code reviews shall be performed by personnel other than the original developer and shall include review for common security vulnerabilities.

7.4 Static and Dynamic Application Security Testing. Provider shall perform:

(a) Static Application Security Testing (SAST) on all application code prior to deployment to production environments;
(b) Dynamic Application Security Testing (DAST) on all production applications at least quarterly;
(c) Interactive Application Security Testing (IAST) during quality assurance testing where technically feasible.

7.5 Dependency and Supply Chain Security. Provider shall maintain a software bill of materials (SBOM) for applications processing Customer Data and shall perform automated scanning of third-party libraries and dependencies for known vulnerabilities. Vulnerable dependencies shall be updated or remediated in accordance with the vulnerability remediation SLAs set forth in Article 8.

7.6 API Security. Provider shall implement API security controls including authentication, authorization, rate limiting, input validation, output encoding, and logging for all APIs that process or provide access to Customer Data.

7.7 Input Validation. Provider shall implement server-side input validation for all user-supplied data to prevent injection attacks, cross-site scripting (XSS), and other input-based vulnerabilities.


ARTICLE 8 — VULNERABILITY MANAGEMENT

8.1 Vulnerability Scanning. Provider shall conduct automated vulnerability scanning of all Provider Systems, including network infrastructure, operating systems, databases, and applications, at least weekly for external-facing systems and at least monthly for internal systems.

8.2 Remediation SLAs. Provider shall remediate identified vulnerabilities according to the following timelines, measured from the date of identification:

(a) Critical (CVSS 9.0-10.0, or any Vulnerability of lower score that is actively exploited or under imminent threat of exploitation): remediate within 24 hours;
(b) High (CVSS 7.0-8.9; significant risk of exploitation): remediate within 7 calendar days;
(c) Medium (CVSS 4.0-6.9; moderate risk of exploitation): remediate within 30 calendar days;
(d) Low (CVSS 0.1-3.9; minimal risk of exploitation): remediate within 90 calendar days.
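As an added illustration of how the Section 8.2 timelines are tracked in practice (not Provider tooling, and not part of the Addendum), the following Python reproduces the severity bands, applies an "actively exploited" override so that a low-scored but exploited Vulnerability is handled as Critical, computes each finding's deadline from its identification time, and reports whether the SLA is open, met or breached at a reference time. The Finding records, dates and identifiers are constructed sample data.

```python
"""Track the Section 8.2 remediation SLAs.

Added example, not Provider tooling. The bands reproduce the 8.2 timelines;
the finding records and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# (severity, CVSS lower bound, CVSS upper bound, time allowed from identification)
SLA_TABLE = [
    ("Critical", 9.0, 10.0, timedelta(hours=24)),
    ("High",     7.0,  8.9, timedelta(days=7)),
    ("Medium",   4.0,  6.9, timedelta(days=30)),
    ("Low",      0.1,  3.9, timedelta(days=90)),
]
ALLOWED = {name: allowed for name, _, _, allowed in SLA_TABLE}


@dataclass
class Finding:
    ident: str
    cvss: float
    identified_at: datetime
    actively_exploited: bool = False      # e.g. listed in an exploited-in-the-wild feed
    remediated_at: Optional[datetime] = None


def severity_for(finding: Finding) -> Optional[str]:
    """Map a finding to an 8.2 band; None for a 0.0 (informational) score."""
    if finding.actively_exploited:
        return "Critical"                 # exploitation status trumps the base score
    score = round(finding.cvss, 1)        # CVSS base scores carry one decimal
    if score == 0.0:
        return None
    for name, low, high, _ in SLA_TABLE:
        if low <= score <= high:
            return name
    raise ValueError(f"{finding.ident}: CVSS score {finding.cvss} out of range")


def deadline_for(finding: Finding) -> Optional[datetime]:
    severity = severity_for(finding)
    return None if severity is None else finding.identified_at + ALLOWED[severity]


def sla_status(finding: Finding, as_of: datetime) -> str:
    """'met', 'breached', 'open' or 'n/a' for the finding as of the given time."""
    deadline = deadline_for(finding)
    if deadline is None:
        return "n/a"
    if finding.remediated_at is not None:
        return "met" if finding.remediated_at <= deadline else "breached"
    return "breached" if as_of > deadline else "open"


def report(findings, as_of: datetime):
    """ident -> (severity, status): the shape of an 11.5-style status report."""
    return {f.ident: (severity_for(f), sla_status(f, as_of)) for f in findings}


# Constructed sample data: one identification time and five findings.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("F-1", 9.8, T0),                                        # Critical, 24 hours
    Finding("F-2", 6.5, T0, actively_exploited=True),               # Medium score, but exploited
    Finding("F-3", 7.5, T0, remediated_at=T0 + timedelta(days=3)),  # High, fixed within 7 days
    Finding("F-4", 3.1, T0),                                        # Low, 90 days
    Finding("F-5", 0.0, T0),                                        # informational, no SLA
]
AS_OF_SAMPLE = T0 + timedelta(days=2)

if __name__ == "__main__":
    for ident, (severity, status) in report(SAMPLE_FINDINGS, AS_OF_SAMPLE).items():
        print(ident, severity, status)
```

Two days after identification the two Critical findings are already breached, the High finding that was fixed on day three is met, and the Low finding is still open. The override is the part worth keeping: a scanner-assigned 6.5 with a public exploit in circulation is not a thirty-day problem.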

8.3 Patch Management. Provider shall implement a formal patch management program that includes:

(a) Monitoring of vendor security advisories and vulnerability disclosures;
(b) Testing of patches in a non-production environment before deployment;
(c) Emergency patching procedures for Critical vulnerabilities that bypass standard change management timelines;
(d) Documentation of all patching activities, including exceptions and compensating controls.

8.4 Zero-Day Response. Upon discovery or notification of a zero-day vulnerability affecting Provider Systems, Provider shall:

(a) Immediately assess the potential impact on Customer Data;
(b) Implement available compensating controls within four (4) hours;
(c) Notify Customer within twenty-four (24) hours if the vulnerability poses a material risk to Customer Data;
(d) Apply vendor-supplied patches or permanent fixes within the Critical remediation timeline upon availability.


ARTICLE 9 — LOGGING, MONITORING, AND AUDIT

9.1 Centralized Logging. Provider shall implement centralized log management using a Security Information and Event Management (SIEM) system or equivalent technology. All security-relevant events across Provider Systems shall be aggregated, correlated, and analyzed in the centralized platform.

9.2 Logging Requirements. Provider shall log, at minimum, the following events:

(a) User authentication events (successful and failed);
(b) Authorization changes and privilege escalations;
(c) Access to Customer Data, including create, read, update, and delete operations;
(d) Administrative and configuration changes;
(e) Security events detected by IDS/IPS, firewalls, and endpoint protection;
(f) System startup, shutdown, and error events;
(g) File integrity monitoring alerts.

9.3 Log Retention. Provider shall retain all security-relevant logs for a minimum of twelve (12) months in immediately accessible, searchable storage, and for an additional twelve (12) months in archived storage. Logs relevant to known or suspected Security Incidents shall be retained for a minimum of thirty-six (36) months or until the resolution of any related legal proceedings, whichever is longer.

9.4 Log Integrity. Provider shall implement controls to prevent unauthorized modification or deletion of log data, including write-once storage, cryptographic hashing, or other tamper-detection mechanisms. Access to log management systems shall be restricted to authorized security personnel.

9.5 Real-Time Alerting. Provider shall configure real-time alerts for high-severity security events, including but not limited to: multiple failed authentication attempts, privilege escalation events, access from anomalous geographic locations, data exfiltration indicators, and Malware detection events. Provider shall maintain a 24/7 security operations capability (internal or outsourced) to monitor and respond to alerts.
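To show what the first alert named in Section 9.5 looks like as detection logic, the following Python is added here; it is not Provider's SIEM content and not part of the Addendum. It parses authentication events, keeps a sliding window of failures per (user, source address), and raises an alert when the failure count reaches the Section 4.6(d) lockout figure of five; a second rule flags a success that follows a burst of failures, which is what a successful credential-stuffing attempt looks like in the same data. The log format, field names, ten-minute window, the three-failure threshold for the second rule, and every sample line are constructed for the example.

```python
"""Alerting rules for the 9.5 "multiple failed authentication attempts" trigger.

Added example; not Provider's SIEM content. The log format, field names,
window and the sample events below are constructed for this illustration.
The failure threshold reuses the 4.6(d) lockout figure of five.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5             # from 4.6(d)
SUCCESS_AFTER_FAILURES = 3        # assumed threshold for the second rule
WINDOW = timedelta(minutes=10)    # assumed sliding window

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) auth (?P<outcome>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Return (timestamp, outcome, user, src) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                          # unparseable lines are skipped, not fatal
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["outcome"], m["user"], m["src"]


def detect(lines):
    """Return alerts in the order they fire; one alert per burst of failures."""
    failures = defaultdict(deque)            # (user, src) -> timestamps of recent failures
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        window = failures[(user, src)]
        while window and ts - window[0] > WINDOW:
            window.popleft()                 # age out failures older than the window
        if outcome == "FAILURE":
            window.append(ts)
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append({"rule": "brute_force", "user": user, "src": src,
                               "at": ts, "count": len(window)})
                window.clear()               # re-arm so one burst yields one alert
        else:                                # SUCCESS
            if len(window) >= SUCCESS_AFTER_FAILURES:
                alerts.append({"rule": "success_after_failures", "user": user,
                               "src": src, "at": ts, "count": len(window)})
            window.clear()
    return alerts


# Constructed sample events (not real log data). alice: five failures inside the
# window; bob: one failure then success; carol: three failures then success;
# dave: five failures twelve minutes apart, so never five inside one window.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth FAILURE user=alice src=203.0.113.7
2024-03-01T09:00:04Z auth FAILURE user=alice src=203.0.113.7
2024-03-01T09:00:09Z auth FAILURE user=alice src=203.0.113.7
2024-03-01T09:00:12Z auth FAILURE user=bob src=198.51.100.2
2024-03-01T09:00:15Z auth FAILURE user=alice src=203.0.113.7
2024-03-01T09:00:20Z auth SUCCESS user=bob src=198.51.100.2
2024-03-01T09:00:22Z auth FAILURE user=alice src=203.0.113.7
2024-03-01T09:01:00Z auth FAILURE user=carol src=192.0.2.9
2024-03-01T09:01:10Z auth FAILURE user=carol src=192.0.2.9
2024-03-01T09:01:20Z auth FAILURE user=carol src=192.0.2.9
2024-03-01T09:01:30Z auth SUCCESS user=carol src=192.0.2.9
2024-03-01T09:10:00Z auth FAILURE user=dave src=192.0.2.44
2024-03-01T09:22:00Z auth FAILURE user=dave src=192.0.2.44
2024-03-01T09:34:00Z auth FAILURE user=dave src=192.0.2.44
2024-03-01T09:46:00Z auth FAILURE user=dave src=192.0.2.44
2024-03-01T09:58:00Z auth FAILURE user=dave src=192.0.2.44
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert["rule"], alert["user"], alert["src"], alert["at"].isoformat(), alert["count"])
```

Keying the window on (user, src) rather than on the user alone keeps a password-spraying campaign from one address from being hidden by ordinary typos across many users; a second rule keyed on src alone, counting distinct users, is the usual complement.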

9.6 Audit Trail. Provider shall maintain a complete, immutable audit trail of all actions taken with respect to Customer Data sufficient to support forensic investigation, regulatory inquiry, and Customer audit requirements.
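Sections 9.4 and 9.6 call for logs that detect modification or deletion. The following Python is an added example of the hash-chaining technique those clauses point at; it is not Provider's logging platform and not part of the Addendum. Each entry carries an HMAC over its sequence number, its record and the previous entry's tag, so changing, removing or reordering any entry breaks the chain from that point on, and anchoring the latest tag in write-once storage catches truncation at the tail. The key is a constructed constant standing in for one held in an HSM or key vault under Section 5.3, and the sample records are constructed.

```python
"""Tamper-evident audit trail for 9.4 (log integrity) and 9.6 (audit trail).

Added example; not Provider's logging platform. The key below is a
constructed constant standing in for an HSM- or vault-held secret (5.3), and
the sample records are constructed.
"""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-replace-with-hsm-held-secret"
GENESIS = "0" * 64          # the tag "before" the first entry


def _tag(prev_tag, seq, record):
    """HMAC-SHA256 over the previous tag and a canonical encoding of this entry."""
    body = json.dumps({"seq": seq, "record": record}, sort_keys=True, separators=(",", ":"))
    return hmac.new(KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def append(log, record):
    """Append record to log (a list of entries) and return the new entry."""
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "record": record, "tag": _tag(prev, seq, record)}
    log.append(entry)
    return entry


def head(log):
    """Current chain head; anchor it in write-once storage to catch truncation."""
    return log[-1]["tag"] if log else GENESIS


def verify(log, expected_head=None):
    """Return (True, None) if intact, else (False, seq of the first bad entry).

    With expected_head supplied, a chain that is internally consistent but
    shorter than the anchored head is reported as bad at position len(log).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _tag(prev, i, entry["record"])
        if entry["seq"] != i or not hmac.compare_digest(entry["tag"], expected):
            return False, i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)
    return True, None


def build_sample_log():
    """Three constructed Customer Data access events in the 9.2(c) shape."""
    log = []
    append(log, {"ts": "2024-03-01T09:00:00Z", "user": "svc-etl", "action": "read", "object": "customer/4711"})
    append(log, {"ts": "2024-03-01T09:00:07Z", "user": "jdoe", "action": "update", "object": "customer/4711"})
    append(log, {"ts": "2024-03-01T09:00:09Z", "user": "jdoe", "action": "delete", "object": "customer/0815"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log, head(log)))
    log[1]["record"]["action"] = "read"          # an operator rewrites history
    print("after tampering:", verify(log))
```

The chain alone cannot detect removal of the most recent entries, which is exactly what an intruder with write access to the log store would do; that is why head() exists and why the clause pairs hashing with write-once storage rather than offering either on its own.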


ARTICLE 10 — DATA SEGREGATION AND RESIDENCY

10.1 Logical Tenant Isolation. Provider shall implement logical isolation controls to ensure that Customer Data is segregated from the data of other Provider customers. Such controls shall prevent any unauthorized cross-tenant data access, leakage, or commingling and shall be validated through regular testing.

10.2 Data Residency. Unless otherwise agreed in writing, Provider shall store and process Customer Data within the geographic boundaries of the United States. Provider shall notify Customer at least sixty (60) days in advance of any proposed change to data storage locations and shall obtain Customer's written consent before transferring Customer Data outside the United States.

10.3 Cross-Border Transfer Restrictions. Provider shall not transfer Customer Data to any location outside the United States without Customer's prior written consent. If cross-border transfer is authorized, Provider shall implement appropriate safeguards, including contractual protections and encryption, to ensure that the transferred data receives a level of protection substantially equivalent to that provided under this Addendum.

10.4 Data Classification. Provider shall support Customer's data classification framework and shall implement technical and organizational controls commensurate with the classification level assigned to Customer Data. At minimum, Provider shall support the following classification levels:

(a) Public — Information approved for public disclosure;
(b) Internal — Information intended for internal business use;
(c) Confidential — Sensitive business information requiring protection;
(d) Restricted — High-Risk Data requiring the strongest level of protection.


ARTICLE 11 — PENETRATION TESTING

11.1 Annual Testing. Provider shall engage a qualified, independent third-party penetration testing firm to conduct comprehensive penetration testing of Provider Systems at least annually. Penetration testing shall include network-layer, application-layer, and social engineering components.

11.2 Scope. Penetration testing shall encompass all Provider Systems that process, store, or transmit Customer Data, including external-facing and internal network components, web applications, APIs, mobile applications, and cloud infrastructure configurations.

11.3 Methodology. Penetration testing shall be conducted in accordance with recognized methodologies, including OWASP Testing Guide, PTES (Penetration Testing Execution Standard), or NIST SP 800-115. Testing shall simulate real-world attack scenarios and include both authenticated and unauthenticated testing perspectives.

11.4 Reporting. Provider shall share penetration testing results with Customer under mutual non-disclosure obligations within thirty (30) days of test completion. Reports shall include an executive summary, detailed findings, severity ratings, proof-of-concept demonstrations (where applicable), and recommended remediation actions.

11.5 Remediation Tracking. Provider shall remediate all findings from penetration testing in accordance with the vulnerability remediation SLAs set forth in Article 8. Provider shall provide Customer with a remediation status report within sixty (60) days of test completion and verification that all Critical and High findings have been addressed.

11.6 Customer Testing. Upon reasonable advance notice (not less than thirty (30) days) and subject to mutually agreed scope and rules of engagement, Customer may conduct or commission its own penetration testing of Provider Systems. Provider shall cooperate with such testing and shall not impose unreasonable conditions or restrictions.


ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY

12.1 BC/DR Plans. Provider shall establish, maintain, and test written business continuity and disaster recovery plans designed to ensure the continued availability of Provider Systems and the protection and recovery of Customer Data in the event of a disruption, disaster, or other emergency.

12.2 Recovery Objectives. Provider shall meet or exceed the following recovery objectives for services provided to Customer:

(a) Recovery Point Objective (RPO): [____] hours — the maximum acceptable amount of data loss measured in time;
(b) Recovery Time Objective (RTO): [____] hours — the maximum acceptable time to restore service availability.

12.3 Geographic Redundancy. Provider shall maintain geographically separated backup and recovery infrastructure sufficient to achieve the RPO and RTO targets specified in Section 12.2. Primary and secondary data centers shall be located in different geographic regions or availability zones separated by a minimum of [____] miles.

12.4 Annual Testing. Provider shall test its business continuity and disaster recovery plans at least annually, including failover and failback testing, and shall provide Customer with a summary of test results, including any deficiencies identified and corrective actions taken, within thirty (30) days of test completion.

12.5 Failover Procedures. Provider shall implement automated failover mechanisms where technically feasible to minimize service disruption. Failover procedures shall be documented, regularly updated, and include clear escalation paths and communication protocols for notifying Customer of failover events.

12.6 Customer Notification. Provider shall notify Customer within one (1) hour of any unplanned invocation of disaster recovery procedures that affects or may affect the availability of services provided to Customer.


ARTICLE 13 — INCIDENT RESPONSE AND MISSISSIPPI-SPECIFIC BREACH NOTIFICATION

13.1 Incident Response Plan. Provider shall establish and maintain a written incident response plan that defines roles, responsibilities, communication protocols, and procedures for identifying, containing, investigating, remediating, and reporting Security Incidents. The incident response plan shall be tested at least annually through tabletop exercises or simulated incident drills.

13.2 Incident Classification. Provider shall classify Security Incidents according to the following severity levels:

Priority: P1 — Critical
Description: Confirmed Data Breach involving Customer Data; active exfiltration; ransomware affecting Customer Data
Initial Response Time: 30 minutes
Escalation Timeline: Immediate executive notification

Priority: P2 — High
Description: Unauthorized access to systems containing Customer Data; significant vulnerability actively exploited
Initial Response Time: 2 hours
Escalation Timeline: Within 4 hours to Customer security contact

Priority: P3 — Medium
Description: Attempted unauthorized access; Malware detection on systems adjacent to Customer Data; policy violation with potential security impact
Initial Response Time: 8 hours
Escalation Timeline: Within 24 hours to Customer security contact

Priority: P4 — Low
Description: Reconnaissance activity; failed attacks; minor policy violations; general security advisories
Initial Response Time: 24 hours
Escalation Timeline: Included in regular security reporting

13.3 Customer Notification of Security Incidents. Provider shall notify Customer of any P1 or P2 Security Incident within the timeframes specified in Section 13.2. Notification shall be provided to Customer's designated security contact(s) via telephone and email at the following:

Primary Security Contact: [________________________________]
Phone: [________________________________]
Email: [________________________________]

Secondary Security Contact: [________________________________]
Phone: [________________________________]
Email: [________________________________]

13.4 Incident Notification Contents. Provider's initial notification shall include, to the extent known at the time:

(a) Date and time the incident was detected;
(b) Nature and scope of the incident;
(c) Types of Customer Data potentially affected;
(d) Number of records or individuals potentially affected;
(e) Containment measures implemented or planned;
(f) Initial assessment of impact;
(g) Identity and contact information of Provider's incident lead.

13.5 Mississippi Statutory Breach Notification Requirements. In the event of a Data Breach involving Personal Information of Mississippi residents, the following requirements apply under Miss. Code Ann. § 75-24-29:

(a) Notification Timeline. Provider shall assist Customer in providing notification to affected individuals without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in Miss. Code Ann. § 75-24-29(3), and consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Mississippi law does not prescribe a fixed number of days but requires that notification not be unreasonably delayed.

(b) Notification Recipients.
- Affected Individuals: Notice must be provided to all Mississippi residents whose Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.
- Mississippi Attorney General: If the breach affects one hundred (100) or more Mississippi residents, written notice must be provided to the Consumer Protection Division of the Office of the Attorney General of Mississippi as expeditiously as possible and without unreasonable delay.

(c) Form of Notification. Notice to affected individuals may be provided by any of the following methods:
- Written notice sent to the last known mailing address of the affected individual;
- Telephonic notice;
- Electronic notice, if the person's primary method of communication with affected individuals is by electronic means, or the notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001 (E-SIGN Act);
- Substitute Notice — if the cost of providing notice would exceed Five Thousand Dollars ($5,000), the affected class exceeds five thousand (5,000) individuals, or the person does not have sufficient contact information, substitute notice may consist of all of the following: (i) email notice to affected individuals for whom the person has an email address; (ii) conspicuous posting of the notice on the person's website; and (iii) notification to statewide media.

(d) Notification Content. While Miss. Code Ann. § 75-24-29 does not prescribe specific content requirements, best practices require that notification include: (i) description of the incident; (ii) type of Personal Information involved; (iii) steps taken to address the breach; (iv) steps the individual can take to protect themselves; (v) contact information for the notifying entity; and (vi) contact information for relevant credit reporting agencies.

(e) Encryption Safe Harbor. Notification is not required if the Personal Information was encrypted and the encryption key was not, or is not reasonably believed to have been, acquired in connection with the breach. Miss. Code Ann. § 75-24-29(2).

(f) Law Enforcement Delay. Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation. The notification required by the statute shall be made after the law enforcement agency determines that it will not compromise the investigation.

(g) Enforcement and Penalties. Failure to comply with Miss. Code Ann. § 75-24-29 constitutes an unfair trade practice under the Mississippi Consumer Protection Act (Miss. Code Ann. § 75-24-1 et seq.) and shall be enforced by the Mississippi Attorney General. The statute does not create a private right of action. Penalties may include injunctive relief, restitution, and civil penalties as available under the Consumer Protection Act.

13.6 Mississippi Insurance Data Security Law Notifications. If Customer is a licensee subject to the Mississippi Insurance Data Security Law (Miss. Code Ann. §§ 83-5-801 to 83-5-825), Provider shall cooperate with Customer in fulfilling the following additional obligations:

(a) Notification to the Mississippi Commissioner of Insurance no later than three (3) business days after a determination that a cybersecurity event involving nonpublic information has occurred;
(b) Providing the Commissioner with the information required under Miss. Code Ann. § 83-5-811, including the date of the event, description of the event, how the information was exposed, and the number of affected individuals;
(c) Compliance with the investigation, information security program, and reporting requirements applicable to third-party service providers under the Insurance Data Security Law.

13.7 Cooperation with Customer's Incident Response. Provider shall fully cooperate with Customer's incident response efforts, including:

(a) Providing Customer with timely access to all relevant logs, records, and data;
(b) Making Provider personnel available for interviews and consultation;
(c) Preserving all evidence related to the Security Incident;
(d) Implementing additional containment or remediation measures as reasonably requested by Customer;
(e) Supporting Customer's communications with affected individuals, regulators, and law enforcement.

13.8 Forensic Investigation. For any P1 Security Incident, Provider shall engage a qualified, independent third-party forensic investigation firm (subject to Customer's reasonable approval) to conduct a thorough investigation. Provider shall share the results of the forensic investigation with Customer under mutual non-disclosure obligations. The cost of the forensic investigation shall be borne by Provider if the incident resulted from Provider's failure to comply with its obligations under this Addendum.

13.9 Root Cause Analysis and Remediation. Following any P1 or P2 Security Incident, Provider shall:

(a) Conduct a root cause analysis and provide findings to Customer within thirty (30) days;
(b) Implement corrective actions to address the root cause and prevent recurrence;
(c) Provide Customer with a written remediation report documenting actions taken;
(d) Conduct a post-incident review with Customer, if requested.


ARTICLE 14 — SUBPROCESSOR MANAGEMENT

14.1 Approval Process. Provider shall not engage any Subprocessor to process Customer Data without Customer's prior written consent. Provider shall notify Customer at least thirty (30) days in advance of any proposed engagement of a new Subprocessor or replacement of an existing Subprocessor, providing sufficient detail for Customer to evaluate the Subprocessor's security posture.

14.2 Current Subprocessor List. Provider shall maintain and provide to Customer a current list of all Subprocessors that process Customer Data, including each Subprocessor's name, location, and description of processing activities. The current Subprocessor list as of the Effective Date is attached as Exhibit A to this Addendum or available at: [________________________________].

14.3 Flow-Down Requirements. Provider shall impose on each Subprocessor, by written agreement, security and data protection obligations that are no less protective than those imposed on Provider under this Addendum. Provider shall ensure that each Subprocessor agreement includes, at minimum, requirements for:

(a) Compliance with the Encryption Standards set forth in Article 5;
(b) Access controls consistent with Article 4;
(c) Incident notification timelines no longer than those set forth in Article 13;
(d) Audit rights for both Provider and Customer;
(e) Data return and destruction obligations consistent with Article 20;
(f) Confidentiality obligations at least as restrictive as those in this Addendum.

14.4 Right to Object. Customer shall have the right to object to the engagement of any Subprocessor within fifteen (15) days of receiving notice from Provider. If Customer objects on reasonable security grounds, the Parties shall negotiate in good faith to resolve the objection. If the Parties are unable to resolve the objection within thirty (30) days, Customer may terminate the affected services under the Master Agreement without penalty.

14.5 Subprocessor Audit Rights. Provider shall maintain audit rights over all Subprocessors and shall exercise such rights at least annually. Provider shall make the results of Subprocessor audits available to Customer upon request. Customer shall have the right to audit Subprocessors directly, subject to reasonable notice and coordination with Provider.

14.6 Provider Responsibility. Provider shall remain fully responsible and liable for the acts, omissions, and security failures of its Subprocessors as if such acts, omissions, or failures were those of Provider itself.


ARTICLE 15 — PERSONNEL SECURITY

15.1 Background Checks. Provider shall conduct background checks on all personnel who will have access to Customer Data, including employees and contractors, prior to granting such access. Background checks shall include, at minimum, verification of identity, criminal history, and employment history, to the extent permitted by applicable Mississippi and federal law.

15.2 Security Training. Provider shall require all personnel with access to Customer Data to complete security awareness training upon hire and at least annually thereafter. Training shall cover, at minimum:

(a) Information security policies and procedures;
(b) Data handling and classification requirements;
(c) Phishing and social engineering awareness;
(d) Incident reporting procedures;
(e) Acceptable use of Provider Systems;
(f) Mississippi-specific data breach notification requirements under Miss. Code Ann. § 75-24-29.

15.3 Acceptable Use Policies. Provider shall maintain and enforce written acceptable use policies governing the use of Provider Systems by all personnel. Such policies shall address, at minimum, appropriate use of email, internet, removable media, mobile devices, and social media.

15.4 Non-Disclosure Agreements. All Provider personnel with access to Customer Data shall be bound by written non-disclosure and confidentiality agreements that protect Customer Data and Confidential Information and survive the termination of employment or engagement.

15.5 Termination Procedures. Provider shall implement documented procedures to ensure that upon termination of employment or engagement, all access to Provider Systems and Customer Data is revoked promptly in accordance with Section 4.5, all company-owned devices and media are returned or securely wiped, and all Customer Data in the departed individual's possession is identified, returned, or destroyed.


ARTICLE 16 — PHYSICAL SECURITY

16.1 Data Center Requirements. All data centers used by Provider to process or store Customer Data shall maintain physical security controls appropriate for enterprise-grade hosting, including:

(a) 24/7 on-site security personnel or equivalent monitoring;
(b) Multi-factor physical access controls (e.g., biometric plus keycard);
(c) Video surveillance of all entry/exit points and sensitive areas, with recordings retained for a minimum of ninety (90) days;
(d) Mantrap or airlock entry systems for server rooms;
(e) Perimeter fencing and lighting appropriate for the facility location.

16.2 SOC 2 Type II Certification. All data center facilities used to process or store Customer Data shall maintain current SOC 2 Type II certification or equivalent third-party security certification. Provider shall make copies of such certifications available to Customer upon request.

16.3 Visitor Management. Provider shall implement visitor management procedures for all facilities housing Provider Systems, including visitor identification verification, sign-in/sign-out logging, escort requirements for visitor access to sensitive areas, and visitor badge issuance and return.

16.4 Environmental Controls. Data center facilities shall be equipped with:

(a) Redundant heating, ventilation, and air conditioning (HVAC) systems;
(b) Fire detection and suppression systems;
(c) Water detection systems;
(d) Uninterruptible power supplies (UPS) and backup generator systems;
(e) Redundant network connectivity from diverse providers.

16.5 Media Destruction. Provider shall implement secure media destruction procedures for all physical media that has contained Customer Data, including hard drives, solid-state drives, tapes, and optical media. Destruction shall be performed in accordance with NIST SP 800-88 Rev. 1 (Guidelines for Media Sanitization) and shall be documented with certificates of destruction that include media serial numbers and destruction method used.


ARTICLE 17 — INSURANCE REQUIREMENTS

17.1 Cyber Liability Insurance. Provider shall maintain cyber liability (including network security and privacy liability) insurance with a minimum coverage limit of Five Million Dollars ($5,000,000) per occurrence and in the aggregate. Such policy shall cover:

(a) Data breach response costs, including notification, credit monitoring, and identity restoration;
(b) Regulatory proceedings and penalties;
(c) Media liability;
(d) Cyber extortion and ransomware;
(e) Business interruption arising from cyber events;
(f) Third-party claims arising from security failures.

17.2 Errors and Omissions Insurance. Provider shall maintain professional liability / errors and omissions (E&O) insurance with a minimum coverage limit of Two Million Dollars ($2,000,000) per occurrence and in the aggregate, covering claims arising from professional services rendered under the Master Agreement.

17.3 General Commercial Liability. Provider shall maintain commercial general liability insurance with a minimum coverage limit of One Million Dollars ($1,000,000) per occurrence and Two Million Dollars ($2,000,000) in the aggregate.

17.4 Evidence of Coverage. Provider shall furnish Customer with certificates of insurance evidencing the coverages required by this Article within ten (10) business days of the Effective Date and annually thereafter upon renewal. Certificates shall name Customer as an additional insured where applicable.

17.5 Notice of Cancellation. Provider shall provide Customer with at least thirty (30) days' prior written notice of any material change, cancellation, or non-renewal of any insurance coverage required under this Article.

17.6 No Limitation of Liability. The insurance requirements set forth in this Article shall not be construed to limit Provider's liability under this Addendum or the Master Agreement. Provider's obligation to maintain insurance shall not relieve Provider of its obligation to perform its security obligations under this Addendum.


ARTICLE 18 — AUDIT RIGHTS

18.1 Customer Audit Rights. Customer shall have the right, upon not less than thirty (30) days' prior written notice, to conduct or commission an independent third party to conduct an audit of Provider's Information Security Program, policies, procedures, and controls as they relate to the processing and protection of Customer Data. Customer may exercise this right no more than once per twelve (12) month period, unless a Security Incident or material deficiency has been identified, in which case additional audits may be conducted.

18.2 Audit Scope. Audits may include review of Provider's security policies and procedures, physical inspection of facilities, interviews with security personnel, review of security logs and monitoring reports, review of vulnerability assessment and penetration testing results, and verification of compliance with the requirements of this Addendum.

18.3 Third-Party Audit Acceptance. In lieu of a direct audit, Customer may accept the following third-party audit reports and certifications as evidence of Provider's compliance with this Addendum:

☐ SOC 2 Type II Report (covering Security, Availability, Confidentiality, and Processing Integrity trust service criteria)
☐ ISO/IEC 27001 Certification
☐ SOC 1 Type II Report (for financial reporting controls)
☐ PCI DSS Report on Compliance (if processing payment card data)
☐ HITRUST CSF Certification (if processing health information)

Provider shall make such reports and certifications available to Customer upon request, subject to reasonable confidentiality protections.

18.4 Regulatory Audit Cooperation. Provider shall cooperate fully with any audit, inspection, or examination conducted by a regulatory authority having jurisdiction over Customer, including the Mississippi Attorney General, the Mississippi Department of Insurance, and applicable federal regulators. Provider shall provide timely access to records, facilities, and personnel as reasonably required by such regulatory audits.

18.5 Audit Cost Allocation. The costs of audits conducted by Customer or Customer's designated third-party auditor shall be borne by Customer, except that if an audit reveals a material failure by Provider to comply with its obligations under this Addendum, Provider shall bear the reasonable costs of such audit and any follow-up audit required to verify remediation.

18.6 Remediation of Audit Findings. Provider shall address all findings identified in audits conducted under this Article in accordance with the vulnerability remediation SLAs set forth in Article 8, as applicable, and shall provide Customer with a written remediation plan within fifteen (15) business days of receiving audit findings.


ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING

19.1 Quarterly Security Reviews. The Parties shall participate in quarterly security review meetings to discuss Provider's security posture, recent Security Incidents, changes to the threat landscape, planned security improvements, and the status of any open remediation items. Meetings may be conducted in person or via videoconference.

19.2 Annual Security Assessment. Provider shall provide Customer with an annual security assessment report that includes:

(a) Summary of the Information Security Program's effectiveness;
(b) Results of the most recent risk assessment;
(c) Summary of penetration testing and vulnerability assessment results;
(d) Review of Security Incidents and trends;
(e) Status of compliance with industry frameworks (ISO 27001, SOC 2, NIST CSF);
(f) Summary of changes to security policies, procedures, and controls;
(g) Forward-looking security roadmap and planned investments.

19.3 Security Metrics and KPIs. Provider shall track and report to Customer the following security metrics on a quarterly basis:

(a) Mean time to detect (MTTD) security events;
(b) Mean time to respond (MTTR) to Security Incidents;
(c) Vulnerability remediation rates by severity;
(d) Patch compliance rates;
(e) Percentage of personnel completing security training;
(f) Number and severity of Security Incidents;
(g) System availability and uptime percentages.

19.4 Executive Security Briefings. Provider's CISO or designated security officer shall be available, upon reasonable request, to participate in executive security briefings with Customer's senior management, providing an overview of security posture, material risks, and strategic security initiatives.


ARTICLE 20 — DATA RETURN AND DESTRUCTION

20.1 Data Return. Upon termination or expiration of the Master Agreement, or upon Customer's written request at any time during the Term, Provider shall return to Customer all Customer Data in Provider's possession or control in a mutually agreed, industry-standard, machine-readable format within thirty (30) days of such termination, expiration, or request.

20.2 Data Destruction. Following the return of Customer Data to Customer (and Customer's written confirmation of receipt), or upon Customer's written instruction to destroy Customer Data in lieu of return, Provider shall securely destroy all copies of Customer Data in Provider's possession or control, including all backup copies, archived copies, and copies held by Subprocessors, within sixty (60) days.

20.3 Destruction Standards. Data destruction shall be performed in accordance with NIST SP 800-88 Rev. 1 (Guidelines for Media Sanitization) or equivalent industry-recognized standards. Destruction methods shall render Customer Data irrecoverable and shall include, as appropriate:

(a) Cryptographic erasure (destruction of encryption keys rendering encrypted data irrecoverable);
(b) Secure overwriting using approved sanitization patterns;
(c) Physical destruction (degaussing, shredding, or incineration) for physical media.

20.4 Certification of Destruction. Provider shall provide Customer with a written certification of destruction within ten (10) business days of completing the destruction process. The certification shall include the date of destruction, description of data destroyed, destruction method used, and the identity of the individual responsible for overseeing the destruction.

20.5 Retention Exceptions. Provider may retain copies of Customer Data only to the extent required by applicable law, regulation, or legal hold obligation, provided that Provider shall: (a) promptly notify Customer of the legal requirement and the specific data retained; (b) limit the retention to only the data required; (c) continue to protect such retained data in accordance with this Addendum; and (d) securely destroy such data when the retention obligation expires.


ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES

21.1 Provider Indemnification. Provider shall indemnify, defend, and hold harmless Customer, its officers, directors, employees, agents, successors, and assigns from and against any and all claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees and court costs) arising out of or relating to:

(a) Provider's failure to comply with its obligations under this Addendum;
(b) A Data Breach resulting from Provider's negligence, willful misconduct, or failure to implement and maintain the security measures required by this Addendum;
(c) Provider's failure to comply with breach notification requirements under Miss. Code Ann. § 75-24-29 or other applicable law;
(d) Any regulatory investigation, enforcement action, or penalty resulting from Provider's security failures.

21.2 Notification and Remediation Costs. Provider's indemnification obligations under this Article include, without limitation:

(a) Costs of providing notice to affected individuals and the Mississippi Attorney General as required by Miss. Code Ann. § 75-24-29;
(b) Costs of providing credit monitoring and identity theft protection services to affected individuals for a minimum period of twenty-four (24) months;
(c) Costs of establishing and operating a call center or response team to handle inquiries from affected individuals;
(d) Costs of forensic investigation;
(e) Costs of public relations and crisis communications;
(f) Regulatory fines, penalties, and assessments, to the extent insurable and arising from Provider's security failures.

21.3 Carve-Out from Liability Cap. Notwithstanding any limitation of liability in the Master Agreement, the following shall not be subject to any cap on liability: (a) Provider's indemnification obligations under this Article; (b) Provider's breach of its confidentiality obligations; (c) Provider's willful misconduct or gross negligence; and (d) Provider's breach of its obligations under Article 13 (Incident Response and Breach Notification).

21.4 Customer Indemnification. Customer shall indemnify, defend, and hold harmless Provider from and against any and all claims, losses, liabilities, damages, costs, and expenses arising out of or relating to Customer's failure to comply with its obligations under this Addendum, including Customer's failure to provide accurate information regarding applicable regulatory requirements.


ARTICLE 22 — MISSISSIPPI-SPECIFIC LEGAL PROVISIONS

22.1 Governing Law. This Addendum shall be governed by, construed, and enforced in accordance with the laws of the State of Mississippi, without regard to its conflict of laws principles.

22.2 Venue and Jurisdiction. Any dispute arising out of or relating to this Addendum shall be brought exclusively in the state or federal courts located in the State of Mississippi, specifically in the courts located in:

County: [________________________________]

Each Party hereby irrevocably submits to the exclusive jurisdiction and venue of such courts and waives any objection based on forum non conveniens or any other basis.

22.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY HEREBY IRREVOCABLY AND UNCONDITIONALLY WAIVES ANY RIGHT IT MAY HAVE TO A TRIAL BY JURY IN RESPECT OF ANY LEGAL PROCEEDING ARISING OUT OF OR RELATING TO THIS ADDENDUM OR THE TRANSACTIONS CONTEMPLATED HEREBY. EACH PARTY CERTIFIES AND ACKNOWLEDGES THAT (A) NO REPRESENTATIVE OF THE OTHER PARTY HAS REPRESENTED, EXPRESSLY OR OTHERWISE, THAT SUCH OTHER PARTY WOULD NOT SEEK TO ENFORCE THE FOREGOING WAIVER IN THE EVENT OF A LEGAL PROCEEDING, (B) EACH PARTY HAS CONSIDERED THE IMPLICATIONS OF THIS WAIVER, (C) EACH PARTY MAKES THIS WAIVER VOLUNTARILY, AND (D) EACH PARTY HAS BEEN INDUCED TO ENTER INTO THIS ADDENDUM BY, AMONG OTHER THINGS, THE MUTUAL WAIVERS AND CERTIFICATIONS IN THIS SECTION.

22.4 Injunctive Relief. Each Party acknowledges that a breach of the security and confidentiality obligations of this Addendum may cause irreparable harm that cannot be adequately compensated by monetary damages. Accordingly, either Party may seek injunctive or other equitable relief from any Mississippi court of competent jurisdiction without the necessity of proving actual damages, posting a bond, or other security, to the extent permitted by Mississippi law.

22.5 Alternative Dispute Resolution. At the election of either Party, disputes arising under this Addendum may be submitted to binding arbitration in accordance with the Commercial Arbitration Rules of the American Arbitration Association ("AAA"). The arbitration shall be conducted in [________________________________], Mississippi, before a single arbitrator with expertise in information technology and data security matters. The arbitrator's award shall be final and binding and may be entered as a judgment in any Mississippi court of competent jurisdiction.

22.6 Mississippi Consumer Protection. The Parties acknowledge that violations of data breach notification requirements under Miss. Code Ann. § 75-24-29 constitute unfair trade practices under the Mississippi Consumer Protection Act (Miss. Code Ann. § 75-24-1 et seq.), enforceable by the Mississippi Attorney General. Provider shall cooperate with Customer in responding to any investigation or enforcement action by the Mississippi Attorney General arising from a Data Breach involving Customer Data.

22.7 Statutory Interest Rate. Any amounts due under this Addendum that are not paid when due shall bear interest at the rate of eight percent (8%) per annum, as permitted under Mississippi law (Miss. Code Ann. § 75-17-1), or at the maximum rate permitted by law, whichever is less.


ARTICLE 23 — ELECTRONIC SIGNATURES

23.1 UETA Compliance. This Addendum may be executed by electronic signature in accordance with the Mississippi Uniform Electronic Transactions Act (Miss. Code Ann. §§ 75-12-1 to 75-12-39). Electronic signatures shall have the same legal effect, validity, and enforceability as manually executed signatures pursuant to Miss. Code Ann. § 75-12-13.

23.2 Federal E-SIGN Act. To the extent applicable, this Addendum is also subject to the provisions of the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq.).

23.3 Electronic Records. Electronic records generated in connection with this Addendum shall be deemed to satisfy any requirement that such records be in writing, in accordance with Miss. Code Ann. § 75-12-13.

23.4 Consent to Electronic Delivery. Each Party consents to receive electronic delivery of all notices, communications, and documents related to this Addendum, except where physical delivery is required by applicable law or this Addendum expressly requires a specific form of notice.


ARTICLE 24 — GENERAL PROVISIONS

24.1 Entire Agreement. This Addendum, together with the Master Agreement and all exhibits and schedules hereto, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, negotiations, and discussions, whether oral or written.

24.2 Amendments. This Addendum may be amended only by a written instrument signed by authorized representatives of both Parties. No waiver of any provision of this Addendum shall be effective unless in writing and signed by the Party granting the waiver.

24.3 Severability. If any provision of this Addendum is held to be invalid, illegal, or unenforceable under applicable Mississippi law, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, and the remaining provisions shall continue in full force and effect.

24.4 Assignment. Neither Party may assign its rights or obligations under this Addendum without the prior written consent of the other Party, except that either Party may assign this Addendum in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided that the assignee agrees in writing to be bound by all terms and conditions of this Addendum.

24.5 Notices. All formal notices required or permitted under this Addendum shall be in writing and shall be deemed given when delivered personally, sent by certified mail (return receipt requested), or sent by nationally recognized overnight courier to the addresses set forth in the Recitals or to such other address as a Party may designate in writing.

24.6 Survival. The following Articles and Sections shall survive the termination or expiration of this Addendum: Articles 1, 13 (with respect to ongoing breach notification obligations), 14.6, 15.4, 20, 21, 22, 23, and 24.

24.7 Counterparts. This Addendum may be executed in two or more counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic and facsimile signatures shall be deemed original signatures for all purposes.

24.8 Force Majeure. Neither Party shall be liable for any failure or delay in performing its obligations under this Addendum (other than payment obligations and breach notification obligations) to the extent that such failure or delay results from causes beyond that Party's reasonable control, including acts of God, war, terrorism, pandemic, natural disaster, fire, flood, or governmental action. The affected Party shall provide prompt written notice and shall use commercially reasonable efforts to mitigate the impact and resume performance.


ARTICLE 25 — SIGNATURE BLOCKS

IN WITNESS WHEREOF, the Parties have executed this Security Addendum as of the Effective Date first written above, each through their duly authorized representative.

PROVIDER

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

Email: [________________________________]

Representation of Authority: The undersigned represents and warrants that they have full legal authority to bind Provider to the terms and conditions of this Addendum.


CUSTOMER

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

Email: [________________________________]

Representation of Authority: The undersigned represents and warrants that they have full legal authority to bind Customer to the terms and conditions of this Addendum.


EXHIBIT A — SUBPROCESSOR LIST

Subprocessor Name | Processing Activity | Data Location | Security Certifications
[________________________________] | [________________________________] | [________________________________] | [________________________________]
[________________________________] | [________________________________] | [________________________________] | [________________________________]
[________________________________] | [________________________________] | [________________________________] | [________________________________]
[________________________________] | [________________________________] | [________________________________] | [________________________________]
[________________________________] | [________________________________] | [________________________________] | [________________________________]

EXHIBIT B — SECURITY CONTACT INFORMATION

Provider Security Contacts:

Role | Name | Phone | Email
CISO / Security Officer | [________________________________] | [________________________________] | [________________________________]
Incident Response Lead | [________________________________] | [________________________________] | [________________________________]
Privacy Officer | [________________________________] | [________________________________] | [________________________________]
Security Operations (24/7) | [________________________________] | [________________________________] | [________________________________]

Customer Security Contacts:

Role | Name | Phone | Email
Primary Security Contact | [________________________________] | [________________________________] | [________________________________]
Secondary Security Contact | [________________________________] | [________________________________] | [________________________________]
Legal / Privacy Contact | [________________________________] | [________________________________] | [________________________________]
Executive Sponsor | [________________________________] | [________________________________] | [________________________________]


This template is provided for informational purposes only and does not constitute legal advice. An attorney licensed in Mississippi must review and customize this document before execution. Legal requirements may change over time; verify all statutory citations before use.

Prepared for use on the ezel.ai platform.
