ENTERPRISE SECURITY ADDENDUM
State of Nebraska — Jurisdictional Version
Addendum Reference No.: [________________________________]
Effective Date: [__/__/____]
Master Agreement Reference: [________________________________]
Master Agreement Date: [__/__/____]
RECITALS
WHEREAS, [________________________________] ("Customer"), a [________________________________] organized under the laws of the State of [________________________________], with its principal place of business at [________________________________], and [________________________________] ("Provider"), a [________________________________] organized under the laws of the State of [________________________________], with its principal place of business at [________________________________], have entered into that certain Master Agreement referenced above (the "Master Agreement"); and
WHEREAS, the Master Agreement contemplates that Provider shall deliver certain enterprise software-as-a-service, cloud-hosted, or managed technology services (collectively, the "Services") to Customer that may involve the Processing of Customer Data, including Personal Information of Nebraska residents as defined under the Financial Data Protection and Consumer Notification of Data Security Breach Act (Neb. Rev. Stat. § 87-801 et seq.); and
WHEREAS, Customer requires Provider to implement and maintain a comprehensive information security program that meets or exceeds industry standards and complies with the data protection, breach notification, and consumer privacy requirements of Nebraska law, including Neb. Rev. Stat. § 87-801 et seq. and the Nebraska Data Privacy Act (Neb. Rev. Stat. § 87-1101 et seq.); and
WHEREAS, the Parties desire to set forth the specific security obligations, controls, and procedures that Provider shall implement and maintain in connection with the Services;
NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
ARTICLE 1 — DEFINITIONS
1.1 The following terms shall have the meanings set forth below when used in this Addendum. Capitalized terms not defined herein shall have the meanings ascribed to them in the Master Agreement.
1.2 "Access Credentials" means usernames, passwords, API keys, tokens, certificates, multi-factor authentication codes, biometric identifiers, and any other mechanism used to authenticate a user or system to Provider's infrastructure or the Services.
1.3 "Authorized Personnel" means employees, contractors, agents, or subprocessors of Provider who have undergone background screening and security training and have a demonstrated need to access Customer Data in the performance of the Services.
1.4 "Breach" or "Security Breach" means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of Personal Information maintained by an individual or a commercial entity, consistent with the definition under Neb. Rev. Stat. § 87-802(1). This also includes the unauthorized acquisition of encrypted data where the encryption key, security credential, or password is also acquired by an unauthorized person.
1.5 "Business Continuity Plan" or "BCP" means Provider's documented plan for maintaining essential business functions during and after a disaster or disruption, including recovery procedures for the Services.
1.6 "Consumer Data" means personal data as defined under the Nebraska Data Privacy Act (Neb. Rev. Stat. § 87-1101 et seq.), which includes data that is linked or reasonably linkable to an identified or identifiable individual.
1.7 "Customer Data" means all data, information, records, documents, files, and materials provided by or on behalf of Customer, or collected, generated, or processed by Provider in connection with the Services, including Personal Information, Consumer Data, Confidential Information, and Trade Secrets.
1.8 "Data Processing" or "Processing" means any operation or set of operations performed on Customer Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
1.9 "Disaster Recovery Plan" or "DRP" means Provider's documented plan for the restoration of the Services, systems, and Customer Data following a disaster, outage, or material disruption.
1.10 "Encryption" means the process of converting data into a coded form using industry-standard cryptographic algorithms to prevent unauthorized access, rendering the data unreadable without the corresponding decryption key.
1.11 "Information Security Program" means Provider's comprehensive, written program of policies, procedures, standards, and technical, administrative, and physical safeguards designed to protect Customer Data, as more fully described in Article 3 of this Addendum.
1.12 "Key Personnel" means Provider's Chief Information Security Officer (CISO), Data Protection Officer (DPO), Security Operations Center (SOC) Manager, Incident Response Lead, and any other individuals designated by Provider as having primary responsibility for the security of Customer Data.
1.13 "NIST" means the National Institute of Standards and Technology, an agency of the United States Department of Commerce.
1.14 "Penetration Test" means a simulated cyberattack against Provider's systems, applications, and networks conducted by qualified third-party security professionals to evaluate the security posture and identify vulnerabilities.
1.15 "Personal Information" means, consistent with the definition under Neb. Rev. Stat. § 87-802(5), a Nebraska resident's first name or first initial and last name in combination with any one or more of the following data elements when either the name or the data element is not encrypted, redacted, or otherwise rendered unreadable or is encrypted and the encryption key has been accessed or acquired:
(a) Social Security number;
(b) Driver's license number or Nebraska state identification card number;
(c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account;
(d) Unique electronic identification number or routing code, in combination with any required security code, access code, or password;
(e) Unique biometric data, such as a fingerprint, voiceprint, or retina or iris image, or other unique physical representation or digital representation of biometric data;
(f) A username or email address, in combination with a password or security question and answer that would permit access to an online account.
The term does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
1.16 "Recovery Point Objective" or "RPO" means the maximum acceptable amount of data loss measured in time, establishing the point in time to which Customer Data must be recovered following a disruption.
1.17 "Recovery Time Objective" or "RTO" means the maximum acceptable duration of time within which the Services must be restored following a disruption.
1.18 "Security Incident" means any event that may compromise the confidentiality, integrity, or availability of Customer Data or Provider's systems, but that does not rise to the level of a confirmed Breach.
1.19 "Subprocessor" means any third party engaged by Provider that Processes Customer Data on behalf of Provider in connection with the Services.
1.20 "Trade Secret" means information as defined in the Nebraska Trade Secrets Act, Neb. Rev. Stat. § 87-502(4), including a formula, pattern, compilation, program, device, method, technique, or process that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
1.21 "Vulnerability" means a weakness in a system, application, network, or process that could be exploited by a threat actor to compromise the confidentiality, integrity, or availability of Customer Data or the Services.
ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE
2.1 Scope. This Addendum applies to all Services provided under the Master Agreement that involve the Processing, storage, transmission, or access to Customer Data, including Personal Information and Consumer Data of Nebraska residents. This Addendum establishes the minimum security obligations of Provider.
2.2 Order of Precedence. In the event of any conflict or inconsistency between this Addendum and the Master Agreement, this Addendum shall control with respect to information security, data protection, and breach notification matters. In the event of any conflict between this Addendum and applicable Nebraska law, the more protective provision shall apply.
2.3 Incorporation. This Addendum is incorporated into and forms an integral part of the Master Agreement. All terms and conditions of the Master Agreement that are not expressly modified by this Addendum shall remain in full force and effect.
2.4 Regulatory Floor. The security requirements set forth in this Addendum represent minimum standards. Provider shall comply with all applicable federal, state, and local laws, regulations, and industry standards that impose more stringent requirements.
2.5 Nebraska Data Privacy Act Compliance. The Parties acknowledge that the Nebraska Data Privacy Act (Neb. Rev. Stat. § 87-1101 et seq.), effective January 1, 2025, establishes consumer rights including the right to access, correct, delete, and obtain a copy of personal data, and the right to opt out of processing for targeted advertising, sale of personal data, and profiling. The Act is modeled largely on the Texas Data Privacy and Security Act and is enforced exclusively by the Nebraska Attorney General with no private right of action. Provider shall implement and maintain technical and organizational measures sufficient to enable Customer to comply with all obligations under the Nebraska Data Privacy Act.
ARTICLE 3 — INFORMATION SECURITY PROGRAM
3.1 General Obligation. Provider shall establish, implement, maintain, and continuously improve a comprehensive, written Information Security Program designed to protect Customer Data against unauthorized access, acquisition, use, disclosure, modification, destruction, or other compromise.
3.2 Framework Alignment. Provider's Information Security Program shall be aligned with and shall materially conform to the following frameworks:
(a) ISO/IEC 27001:2022 — Information Security Management System (ISMS);
(b) SOC 2 Type II — Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy);
(c) NIST Cybersecurity Framework (CSF) 2.0 — Identify, Protect, Detect, Respond, Recover, and Govern functions.
3.3 Certifications. Provider shall maintain current:
(a) ISO/IEC 27001:2022 certification covering all systems and environments used to Process Customer Data;
(b) SOC 2 Type II report covering the most recent twelve (12) month period.
Provider shall furnish copies of all certifications and reports to Customer within thirty (30) days of issuance and promptly upon request.
3.4 Security Policies. Provider shall maintain documented security policies addressing, at a minimum: acceptable use, access control, asset management, business continuity, change management, cryptography, data classification, human resources security, incident management, network security, operations security, physical security, supplier relationships, and system acquisition and development.
3.5 Risk Assessments. Provider shall conduct comprehensive risk assessments at least annually, and additionally upon any material change to the Services, infrastructure, or threat landscape. Risk assessments shall follow NIST SP 800-30 or ISO 27005 methodology and shall be documented and made available to Customer upon request.
3.6 Data Protection Assessments. To the extent required by the Nebraska Data Privacy Act, Provider shall assist Customer in conducting data protection assessments for processing activities that present a heightened risk of harm to consumers.
ARTICLE 4 — ACCESS CONTROLS
4.1 Role-Based Access Control (RBAC). Provider shall implement and enforce role-based access controls ensuring that Authorized Personnel are granted access to Customer Data solely on a need-to-know, least-privilege basis commensurate with their job responsibilities.
4.2 Multi-Factor Authentication (MFA). Provider shall require multi-factor authentication for:
(a) All remote access to systems containing Customer Data;
(b) All administrative and privileged access to production environments;
(c) All access to Provider's management console or control plane;
(d) All VPN and remote desktop connections;
(e) All access to code repositories containing application code for the Services.
4.3 Access Reviews. Provider shall conduct formal access reviews on a quarterly basis to verify that:
(a) Access rights remain appropriate and are consistent with the principle of least privilege;
(b) Terminated or transferred personnel have had access promptly revoked;
(c) Dormant accounts (inactive for more than thirty (30) days) are disabled;
(d) Privileged accounts are inventoried and justified.
4.4 Password and Credential Management. Provider shall enforce password policies requiring:
(a) Minimum length of fourteen (14) characters;
(b) Complexity requirements including uppercase, lowercase, numeric, and special characters;
(c) Password expiration no less frequently than every ninety (90) days for non-MFA accounts;
(d) Account lockout after no more than five (5) consecutive failed authentication attempts;
(e) Prohibition on the reuse of the last twelve (12) passwords.
4.5 Privileged Access Management. Provider shall implement a privileged access management (PAM) solution with session recording, just-in-time access provisioning, and automatic credential rotation for all administrative and service accounts.
ARTICLE 5 — ENCRYPTION STANDARDS
5.1 Data in Transit. All Customer Data transmitted over any network shall be encrypted using:
(a) TLS 1.2 or higher for all web-based and API communications;
(b) IPsec or WireGuard VPN for site-to-site and remote connections;
(c) SFTP or SCP for file transfers (FTP is prohibited).
Provider shall disable support for SSL, TLS 1.0, and TLS 1.1.
5.2 Data at Rest. All Customer Data stored in any medium shall be encrypted using:
(a) AES-256 (or equivalent) for databases, file systems, storage volumes, and backups;
(b) Full-disk encryption on all endpoints, workstations, and portable media;
(c) Envelope encryption with hardware security modules (HSMs) for key wrapping.
5.3 Key Management. Provider shall implement a key management program that includes:
(a) Generation of cryptographic keys using FIPS 140-2 Level 3 (or higher) validated modules;
(b) Separation of key management duties with dual control and split knowledge;
(c) Automated key rotation at least annually, and upon compromise or suspected compromise;
(d) Secure key storage in dedicated HSMs or equivalent FIPS-validated devices;
(e) Key revocation and destruction procedures in accordance with NIST SP 800-57.
5.4 Nebraska Encryption Provisions. The Parties acknowledge that Nebraska law (Neb. Rev. Stat. § 87-802(1)) provides that breach notification obligations apply to unencrypted data AND to encrypted data where the encryption key has also been accessed or acquired by an unauthorized person. This is a broader standard than that applied by many other states. Provider shall therefore implement enhanced key management protections, including separation of key storage from data storage, to minimize the risk that encryption keys are compromised in a data breach event.
ARTICLE 6 — NETWORK SECURITY
6.1 Network Segmentation. Provider shall implement network segmentation to isolate Customer Data environments from corporate networks, development environments, and other customer environments. Segmentation shall be enforced through firewalls, VLANs, or software-defined networking controls.
6.2 Firewalls and Access Control Lists. Provider shall deploy and maintain enterprise-grade firewalls with:
(a) Default-deny inbound and outbound rules;
(b) Stateful packet inspection;
(c) Application-layer filtering;
(d) Rule reviews at least quarterly with documentation of business justification for each rule;
(e) Geo-blocking of traffic from jurisdictions not required for the Services.
6.3 Intrusion Detection and Prevention. Provider shall deploy and maintain network-based and host-based intrusion detection and prevention systems (IDS/IPS) that:
(a) Monitor all network traffic to and from Customer Data environments;
(b) Are updated with current threat signatures and behavioral analytics;
(c) Generate alerts that are monitored by Provider's Security Operations Center (SOC) on a 24/7/365 basis;
(d) Integrate with Provider's SIEM platform for correlation and analysis.
6.4 DDoS Mitigation. Provider shall implement distributed denial-of-service (DDoS) mitigation measures including volumetric, protocol, and application-layer protections through dedicated DDoS mitigation services or content delivery networks (CDNs).
6.5 Wireless Security. Provider shall secure all wireless networks using WPA3 Enterprise or equivalent, with separate SSIDs for corporate and guest networks, and no wireless access to Customer Data environments.
6.6 DNS Security. Provider shall implement DNSSEC, DNS filtering, and monitoring of DNS queries for indicators of compromise.
ARTICLE 7 — APPLICATION SECURITY
7.1 Secure Development Lifecycle (SDLC). Provider shall maintain a secure software development lifecycle that incorporates security at every phase:
(a) Requirements — Security and privacy requirements defined and documented;
(b) Design — Threat modeling conducted for all new features and material changes;
(c) Development — Secure coding standards (OWASP, CERT) enforced via automated tooling;
(d) Testing — Security testing integrated into CI/CD pipeline;
(e) Deployment — Hardened configurations, least-privilege service accounts;
(f) Maintenance — Patch management and ongoing vulnerability monitoring.
7.2 OWASP Compliance. Provider shall test for and remediate all vulnerabilities identified in the current OWASP Top 10 and OWASP API Security Top 10 prior to production deployment.
7.3 Static Application Security Testing (SAST). Provider shall perform automated SAST on all application code at each build, with blocking rules for critical and high-severity findings.
7.4 Dynamic Application Security Testing (DAST). Provider shall perform DAST scans against staging and production environments at least monthly, with remediation in accordance with the timelines set forth in Article 8.
7.5 Software Composition Analysis (SCA). Provider shall maintain an inventory of all third-party and open-source components, monitor for known vulnerabilities (CVEs), and remediate or replace vulnerable components in accordance with Article 8.
7.6 Code Reviews. All code changes to production systems shall undergo peer review by at least one developer other than the author, with documented approval prior to merge.
ARTICLE 8 — VULNERABILITY MANAGEMENT
8.1 Scanning. Provider shall conduct authenticated vulnerability scans of all systems, networks, and applications in the Customer Data environment at least weekly, using industry-recognized scanning tools.
8.2 Remediation Timelines. Provider shall remediate identified vulnerabilities within the following timelines measured from the date of discovery or notification:
(a) Critical Severity (CVSS 9.0–10.0): Twenty-four (24) hours;
(b) High Severity (CVSS 7.0–8.9): Seven (7) calendar days;
(c) Medium Severity (CVSS 4.0–6.9): Thirty (30) calendar days;
(d) Low Severity (CVSS 0.1–3.9): Ninety (90) calendar days.
8.3 Zero-Day Vulnerabilities. Upon identification of a zero-day vulnerability affecting systems Processing Customer Data, Provider shall implement compensating controls (e.g., WAF rules, network isolation, access restrictions) within four (4) hours and permanent remediation within forty-eight (48) hours, or as soon as a patch becomes available.
8.4 Patch Management. Provider shall maintain a formal patch management program with:
(a) Automated patch deployment where feasible;
(b) Testing of patches in a staging environment prior to production deployment;
(c) Emergency patching procedures for critical vulnerabilities;
(d) Documentation of patching decisions, including risk acceptance for deferred patches.
8.5 Vulnerability Reporting. Provider shall furnish Customer with monthly vulnerability summary reports, including metrics on scan coverage, identified vulnerabilities, remediation rates, and open items.
ARTICLE 9 — LOGGING, MONITORING, AND AUDIT
9.1 Logging Requirements. Provider shall generate and maintain comprehensive audit logs for all systems Processing Customer Data, including:
(a) Authentication events (successful and failed);
(b) Authorization changes and privilege escalations;
(c) Data access, creation, modification, and deletion events;
(d) Administrative and configuration changes;
(e) Network traffic logs (flow and connection logs);
(f) Application-level events and errors;
(g) Security events (firewall, IDS/IPS, anti-malware).
9.2 Log Integrity. Provider shall ensure the integrity of audit logs through:
(a) Write-once or append-only storage mechanisms;
(b) Cryptographic hash verification;
(c) Centralized log aggregation to prevent local tampering;
(d) Separation of duties between log administrators and system administrators.
9.3 SIEM Platform. Provider shall operate a Security Information and Event Management (SIEM) platform that:
(a) Aggregates and correlates logs from all systems in real-time;
(b) Applies behavioral analytics and threat intelligence feeds;
(c) Generates automated alerts for anomalous or suspicious activity;
(d) Is monitored by qualified security analysts on a 24/7/365 basis.
9.4 Retention. Provider shall retain all security-relevant logs for a minimum of twelve (12) months in immediately accessible online storage, and for an additional twelve (12) months in secure archival storage, for a total retention period of twenty-four (24) months.
9.5 Log Access. Customer shall have the right to request and receive relevant log data pertaining to Customer Data and Customer's use of the Services within five (5) business days of such request.
ARTICLE 10 — DATA SEGREGATION AND RESIDENCY
10.1 Logical Segregation. Provider shall maintain logical segregation of Customer Data from the data of other customers and Provider's own corporate data at all layers of the architecture (application, database, storage, network, and backup).
10.2 Tenant Isolation. Where multi-tenant architecture is employed, Provider shall implement tenant isolation controls that prevent any cross-tenant data access, including through application logic, database schemas or separate databases, encryption with customer-specific keys, and network-level isolation.
10.3 Data Residency. Provider shall store and process Customer Data solely within the continental United States unless Customer provides prior written consent to a specific alternative location. Provider shall promptly notify Customer of any proposed change to data storage or processing locations.
10.4 Data Classification. Provider shall apply Customer's data classification scheme (or a comparable scheme agreed upon by the Parties) to Customer Data and implement security controls proportionate to the classification level.
ARTICLE 11 — PENETRATION TESTING
11.1 Annual Testing. Provider shall engage an independent, qualified third-party security firm to conduct comprehensive penetration testing at least annually. Testing shall include:
(a) External network penetration testing;
(b) Internal network penetration testing;
(c) Web application penetration testing (all customer-facing applications);
(d) API security testing;
(e) Social engineering and phishing assessments;
(f) Wireless network penetration testing.
11.2 Scope. Penetration testing shall cover all systems, applications, networks, and infrastructure used to Process, store, or transmit Customer Data.
11.3 Methodology. Penetration testing shall follow industry-recognized methodologies (e.g., PTES, OWASP Testing Guide, NIST SP 800-115) and shall simulate realistic threat scenarios.
11.4 Reporting. Provider shall furnish Customer with complete, unredacted penetration test reports within thirty (30) days of test completion, subject to Provider's execution of a mutual non-disclosure agreement with the testing firm where required.
11.5 Remediation. Provider shall remediate all findings in accordance with the timelines set forth in Article 8 (Vulnerability Management), measured from the date of the final penetration test report.
11.6 Customer Testing. Customer shall have the right to conduct or commission its own penetration testing of Provider's environments used for the Services, upon thirty (30) days' written notice and subject to reasonable scheduling coordination, at Customer's expense.
ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY
12.1 Business Continuity Plan. Provider shall maintain a documented Business Continuity Plan covering all aspects of the Services, including:
(a) Business impact analysis (BIA) identifying critical functions and dependencies;
(b) Succession planning for Key Personnel;
(c) Communication plans for Customer and other stakeholders;
(d) Alternative processing capabilities and facilities;
(e) Supply chain continuity measures.
12.2 Disaster Recovery Plan. Provider shall maintain a documented Disaster Recovery Plan providing for the recovery of the Services, systems, and Customer Data following a disaster or material disruption.
12.3 Recovery Objectives. Provider shall achieve the following recovery objectives:
(a) Recovery Point Objective (RPO): [____] hours — the maximum data loss measured in time;
(b) Recovery Time Objective (RTO): [____] hours — the maximum downtime for the Services.
12.4 Backup and Restoration. Provider shall:
(a) Perform automated backups of all Customer Data at least daily;
(b) Store backups in a geographically separate facility at least [____] miles from the primary data center;
(c) Encrypt all backups using AES-256 or equivalent;
(d) Test backup restoration at least quarterly and document results;
(e) Retain backups for a minimum of thirty (30) days.
12.5 Annual Testing. Provider shall test the BCP and DRP at least annually through tabletop exercises, functional tests, or full-scale simulations, and shall furnish Customer with a written summary of test results, findings, and corrective actions within thirty (30) days of each test.
12.6 Notification. Provider shall notify Customer within one (1) hour of declaring a disaster or invoking the DRP, and shall provide ongoing status updates at least every four (4) hours until full restoration.
ARTICLE 13 — INCIDENT RESPONSE AND BREACH NOTIFICATION
13.1 Incident Response Plan. Provider shall maintain a documented Incident Response Plan that includes:
(a) Defined incident classification and severity levels;
(b) Roles and responsibilities of the incident response team;
(c) Escalation procedures and communication protocols;
(d) Containment, eradication, and recovery procedures;
(e) Evidence preservation and chain of custody procedures;
(f) Post-incident review and lessons-learned processes;
(g) Integration with Nebraska-specific breach notification requirements under Neb. Rev. Stat. § 87-803.
13.2 Incident Notification to Customer. Provider shall notify Customer of any Security Incident or Breach as follows:
(a) Initial Notification: Within twenty-four (24) hours of Provider's confirmation of a Security Incident that may involve Customer Data;
(b) Detailed Notification: Within seventy-two (72) hours, including a description of the incident, the categories and approximate number of affected records, the likely consequences, and the measures taken or proposed to address the incident;
(c) Ongoing Updates: At least daily until the incident is resolved.
13.3 Nebraska Breach Notification — Neb. Rev. Stat. § 87-801 et seq. This section establishes obligations specific to compliance with Nebraska's Financial Data Protection and Consumer Notification of Data Security Breach Act.
13.3.1 Investigation Obligation. Under Neb. Rev. Stat. § 87-803(1), any individual or commercial entity that conducts business in Nebraska and that owns or licenses computerized data that includes Personal Information about a Nebraska resident shall, when it becomes aware of a breach of the security of the system, conduct a reasonable and prompt investigation to determine the likelihood that Personal Information has been or will be used for an unauthorized purpose.
13.3.2 Notification Trigger. If the investigation determines that the use of the Personal Information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, the individual or commercial entity shall give notice to the affected Nebraska resident, in accordance with Neb. Rev. Stat. § 87-803(1).
13.3.3 Notification Timeline. Notification shall be made as soon as possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity, security, and confidentiality of the data. Delay is permitted for a reasonable period of time if a law enforcement agency determines and advises that notification will impede a criminal investigation.
13.3.4 Nebraska Attorney General Notification. Under Neb. Rev. Stat. § 87-803(1), if notice of a breach is required to any Nebraska resident, the individual or commercial entity shall also provide notice to the Nebraska Attorney General. This notice to the Attorney General must be provided not later than when notice is provided to the affected Nebraska resident. Provider shall cooperate with Customer in making this simultaneous notification.
13.3.5 Notice Content. The breach notification shall include, at a minimum:
(a) A description of the categories of Personal Information that were the subject of the breach;
(b) The date or estimated date range of the breach;
(c) A general description of the breach incident;
(d) The actions taken by the entity to protect the Personal Information from further breach;
(e) Contact information for the notifying entity, including toll-free telephone number, mailing address, and email address;
(f) The toll-free telephone numbers, addresses, and websites for the three major credit reporting agencies;
(g) Advice to the affected individual to remain vigilant by reviewing account statements and monitoring credit reports;
(h) Contact information for the Nebraska Attorney General's Office and the Federal Trade Commission.
13.3.6 Methods of Notice. Notice may be provided by:
(a) Written notice to the last known postal address of the affected individual;
(b) Telephonic notice;
(c) Electronic notice, if the entity's primary method of communication with the individual is electronic and the notice is consistent with 15 U.S.C. § 7001 (E-SIGN Act);
(d) Substitute notice, if the entity demonstrates that the cost of providing notice would exceed Seventy-Five Thousand Dollars ($75,000) or the affected class exceeds one hundred thousand (100,000) Nebraska residents, or the entity does not have sufficient contact information, consisting of: (i) email notice when available, (ii) conspicuous posting on the entity's website, and (iii) notice to major statewide media. Note: Nebraska's substitute notice thresholds ($75,000 cost and 100,000 affected persons) are lower than many other states.
13.3.7 Enforcement and Penalties. The Nebraska Attorney General has enforcement authority under Neb. Rev. Stat. § 87-806, including the power to issue subpoenas and seek and recover direct economic damages for each affected Nebraska resident injured by a violation. The Attorney General may also obtain injunctive relief. The statute does not provide for a private right of action.
13.3.8 Third-Party Data Maintainers. Under Neb. Rev. Stat. § 87-803(2), any individual or commercial entity that maintains computerized data that includes Personal Information about a Nebraska resident that the individual or entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the system immediately following discovery of the breach.
13.4 Provider Obligations During a Breach
Provider shall:
(a) Immediately contain and investigate the Breach;
(b) Preserve all evidence and maintain chain of custody documentation;
(c) Engage qualified forensic investigators at Provider's expense;
(d) Provide Customer with complete forensic reports within thirty (30) days of incident closure;
(e) Implement corrective measures to prevent recurrence;
(f) Fund credit monitoring and identity theft protection services for affected individuals for a period of at least twenty-four (24) months;
(g) Coordinate with law enforcement as appropriate;
(h) Not issue any public statement or notification regarding the Breach without Customer's prior written approval unless legally compelled.
ARTICLE 14 — SUBPROCESSOR MANAGEMENT
14.1 Prior Approval. Provider shall not engage any Subprocessor to Process Customer Data without Customer's prior written approval. Provider shall maintain a current list of all approved Subprocessors, including their identity, location, and scope of processing.
14.2 Due Diligence. Before engaging any Subprocessor, Provider shall conduct a thorough security assessment of the Subprocessor's security practices, policies, and technical controls to ensure they meet or exceed the requirements of this Addendum.
14.3 Contractual Flow-Down. Provider shall impose on each Subprocessor, by written contract, data protection and security obligations no less protective than those imposed on Provider under this Addendum, including compliance with Neb. Rev. Stat. § 87-803(2) third-party notification requirements.
14.4 Oversight and Audit. Provider shall monitor and audit each Subprocessor's compliance with security requirements at least annually and shall promptly address any deficiencies.
14.5 Liability. Provider shall remain fully liable for the acts and omissions of its Subprocessors in relation to Customer Data, as if such acts or omissions were Provider's own.
14.6 Notification of Changes. Provider shall notify Customer at least thirty (30) days in advance of any proposed addition or replacement of a Subprocessor. Customer shall have the right to object to any proposed Subprocessor and, if the objection cannot be resolved, to terminate the affected Services without penalty.
ARTICLE 15 — PERSONNEL SECURITY
15.1 Background Checks. Provider shall conduct comprehensive background checks on all Authorized Personnel prior to granting access to Customer Data, including criminal history, employment verification, and education verification, to the extent permitted by Nebraska law.
15.2 Security Training. Provider shall require all Authorized Personnel to complete:
(a) Security awareness training upon hiring and at least annually thereafter;
(b) Role-specific security training for personnel with elevated access privileges;
(c) Phishing simulation exercises at least quarterly;
(d) Training on Nebraska-specific data protection requirements, including Neb. Rev. Stat. § 87-801 et seq. and the Nebraska Data Privacy Act.
15.3 Confidentiality Agreements. All Authorized Personnel shall execute written confidentiality and non-disclosure agreements prior to accessing Customer Data.
15.4 Termination Procedures. Upon termination or transfer of any Authorized Personnel, Provider shall:
(a) Revoke all access to Customer Data and related systems within four (4) hours of termination;
(b) Collect and secure all company-issued devices, badges, and credentials;
(c) Conduct an exit interview addressing confidentiality obligations.
ARTICLE 16 — PHYSICAL SECURITY
16.1 Data Center Requirements. Provider shall ensure that all data centers and facilities housing Customer Data maintain the following physical security controls:
(a) 24/7/365 on-site security personnel or remote monitoring;
(b) Multi-layered perimeter security with barriers, fencing, and controlled entry points;
(c) Biometric and multi-factor authentication for facility access;
(d) Mantrap or airlock entry systems for sensitive areas;
(e) Closed-circuit television (CCTV) surveillance with recording and at least ninety (90) days retention;
(f) Environmental controls including fire suppression, climate control, water detection, and redundant power;
(g) Visitor management with photo identification, escort requirements, and access logs;
(h) SOC 2 Type II or ISO 27001 certification for all data center facilities.
16.2 Media Handling. Provider shall implement secure media handling procedures including:
(a) Encryption of all portable media containing Customer Data;
(b) Tracking and inventory of all media;
(c) Secure disposal of media using NIST SP 800-88 methods (Clear, Purge, or Destroy as appropriate);
(d) Certificates of destruction furnished to Customer upon request.
ARTICLE 17 — INSURANCE
17.1 Required Coverage. Provider shall obtain and maintain throughout the term of the Master Agreement and this Addendum, at its own expense, the following insurance coverage:
(a) Cyber Liability / Technology Errors and Omissions Insurance: No less than Five Million Dollars ($5,000,000) per occurrence and in the aggregate, covering:
- Data breach response costs, including notification, credit monitoring, and forensic investigation;
- Network security liability;
- Privacy liability;
- Media liability;
- Regulatory defense and penalties;
- PCI-DSS fines and assessments;
- Cyber extortion and ransomware;
(b) Professional Liability / Errors and Omissions Insurance: No less than Two Million Dollars ($2,000,000) per occurrence and in the aggregate;
(c) Commercial General Liability Insurance: No less than One Million Dollars ($1,000,000) per occurrence and Two Million Dollars ($2,000,000) in the aggregate;
(d) Workers' Compensation Insurance: As required by Nebraska law (Neb. Rev. Stat. Ch. 48, Art. 1).
17.2 Policy Requirements. All insurance policies shall:
(a) Be issued by insurers with an A.M. Best rating of A- VII or better;
(b) Name Customer as an additional insured on the CGL policy;
(c) Provide a waiver of subrogation in favor of Customer;
(d) Require the insurer to provide Customer with thirty (30) days' prior written notice of cancellation or material modification;
(e) Be primary and non-contributory with respect to any insurance maintained by Customer.
17.3 Evidence of Insurance. Provider shall furnish certificates of insurance to Customer upon execution of this Addendum and annually thereafter, and promptly upon request.
ARTICLE 18 — AUDIT RIGHTS
18.1 Customer Audit Rights. Customer shall have the right, at its own expense and upon thirty (30) days' prior written notice, to audit Provider's compliance with this Addendum.
18.2 Frequency. Customer may conduct audits up to once per year under normal circumstances, and at any time following a Security Incident, Breach, or material change in Provider's security posture.
18.3 Third-Party Auditors. Customer may engage qualified third-party auditors to conduct audits on its behalf, subject to such auditors executing a non-disclosure agreement acceptable to Provider.
18.4 Cooperation. Provider shall cooperate fully with all audits, provide timely access to facilities, systems, records, and personnel, and respond to audit findings with a remediation plan within fifteen (15) business days.
18.5 Regulatory Audits. Provider shall cooperate with audits or examinations by any regulatory authority with jurisdiction over Customer, including the Nebraska Attorney General's Office and the Nebraska Department of Banking and Finance.
ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING
19.1 Security Governance Committee. The Parties shall establish a joint Security Governance Committee consisting of designated representatives from each Party, which shall meet at least quarterly to review Provider's security posture and compliance with this Addendum, discuss emerging threats, review incident reports, and address security concerns.
19.2 Security Reporting. Provider shall furnish Customer with the following reports:
(a) Monthly: Vulnerability scan summaries, patch compliance metrics, and security incident summaries;
(b) Quarterly: Access review results, security awareness training completion rates, and KPI dashboards;
(c) Annually: Penetration test reports, risk assessment results, BCP/DRP test results, SOC 2 Type II reports, and ISO 27001 certification status;
(d) Ad Hoc: Any material change in security posture, key personnel, or Subprocessor arrangements.
19.3 Key Performance Indicators. Provider shall track and report on the following security KPIs: MTTD, MTTR, vulnerability remediation rates, patch compliance percentage, security training completion rates, and uptime/availability of the Services.
ARTICLE 20 — DATA RETURN AND DESTRUCTION
20.1 Data Return. Upon expiration or termination of the Master Agreement, or upon Customer's written request at any time, Provider shall return all Customer Data in a mutually agreed-upon, industry-standard, machine-readable format within thirty (30) calendar days.
20.2 Data Destruction. Following confirmation of successful data return, or upon Customer's written instruction, Provider shall securely destroy all copies of Customer Data in accordance with NIST SP 800-88 Rev. 1 guidelines and furnish Customer with a written certificate of destruction within fifteen (15) calendar days.
20.3 Retention Exception. Provider may retain Customer Data only to the extent required by applicable law, regulation, or court order, with notice to Customer, limited to the minimum necessary, and continued protection under this Addendum.
20.4 Subprocessor Data. Provider shall ensure that all Subprocessors return or destroy Customer Data in accordance with the same standards set forth in this Article.
ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES
21.1 Provider Indemnification. Provider shall defend, indemnify, and hold harmless Customer, its officers, directors, employees, agents, and affiliates from and against all claims, demands, actions, liabilities, damages, losses, costs, and expenses arising from or related to:
(a) Any Breach caused by Provider's negligence, willful misconduct, or failure to comply with this Addendum;
(b) Provider's failure to comply with Neb. Rev. Stat. § 87-803, the Nebraska Data Privacy Act, or any other applicable data protection law;
(c) Any unauthorized access to, acquisition of, or disclosure of Customer Data;
(d) Any regulatory investigation, enforcement action, fine, or penalty, including recovery of direct economic damages under Neb. Rev. Stat. § 87-806;
(e) Any third-party claims arising from a Breach.
21.2 Costs and Expenses. Provider's indemnification obligations shall include notification costs, credit monitoring, forensic investigation, public relations, call center costs, regulatory damages and penalties, and litigation defense and settlement costs.
21.3 Limitation. The indemnification obligations under this Article shall not be subject to any limitation of liability caps set forth in the Master Agreement, unless expressly stated otherwise in a separate written amendment.
ARTICLE 22 — STATE-SPECIFIC LEGAL PROVISIONS — NEBRASKA
22.1 Governing Law. This Addendum shall be governed by and construed in accordance with the laws of the State of Nebraska, without regard to its conflict of laws principles.
22.2 Venue and Jurisdiction. Any dispute, claim, or controversy arising out of or relating to this Addendum shall be brought exclusively in the state or federal courts located in Lancaster County, Nebraska, or such other county as may be agreed by the Parties. Each Party irrevocably consents to the exclusive jurisdiction and venue of such courts.
22.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY NEBRASKA LAW, EACH PARTY HEREBY KNOWINGLY, VOLUNTARILY, AND IRREVOCABLY WAIVES ALL RIGHT TO A TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS ADDENDUM OR THE TRANSACTIONS CONTEMPLATED HEREBY.
22.4 Trade Secret Protection. Provider acknowledges that Customer Data may contain Trade Secrets as defined in the Nebraska Trade Secrets Act (Neb. Rev. Stat. § 87-501 et seq.). Provider shall maintain all such Trade Secrets in strict confidence. Under Nebraska law, if an alleged trade secret is ascertainable by any means that are not improper, it may be excluded from coverage under the Trade Secrets Act. Provider shall implement protections consistent with Neb. Rev. Stat. § 87-502(4). In the event of misappropriation, Customer shall be entitled to injunctive relief (§ 87-503), damages (§ 87-504), and attorneys' fees (§ 87-505).
22.5 Computer Crimes. Provider acknowledges that unauthorized access to or modification of Customer Data may constitute a violation of the Nebraska Computer Crimes Act (Neb. Rev. Stat. § 28-1341 et seq.), which provides for criminal penalties and may support civil claims for damages.
22.6 Nebraska Data Privacy Act. Provider shall cooperate with Customer in complying with the Nebraska Data Privacy Act (Neb. Rev. Stat. § 87-1101 et seq., effective January 1, 2025), including:
(a) Honoring consumer rights to access, correct, delete, and obtain a portable copy of personal data;
(b) Implementing mechanisms to facilitate consumer opt-out requests for targeted advertising, sale of personal data, and profiling;
(c) Conducting data protection assessments for processing activities presenting heightened risk;
(d) Maintaining appropriate technical and organizational safeguards;
(e) Complying with data minimization and purpose limitation requirements;
(f) Providing transparency through privacy notices regarding data collection and processing practices;
(g) Recognizing that enforcement is exclusively by the Nebraska Attorney General with no private right of action.
22.7 Late Payment Interest. Any amounts due under this Addendum that are not paid when due shall bear interest at the rate of six percent (6%) per annum, or such higher rate as may be specified in the Master Agreement, not to exceed sixteen percent (16%) per annum, in accordance with Nebraska law.
22.8 Consumer Protection Act. This Addendum shall be interpreted consistently with the Nebraska Consumer Protection Act (Neb. Rev. Stat. § 59-1601 et seq.), and Provider shall not engage in any unfair or deceptive acts or practices in connection with its handling of Customer Data.
22.9 Financial Data Protection. The Parties acknowledge that the Financial Data Protection and Consumer Notification of Data Security Breach Act (Neb. Rev. Stat. § 87-801 et seq.) applies to entities subject to Title V of the Gramm-Leach-Bliley Act. To the extent Customer is such an entity, Provider shall implement controls consistent with both the Nebraska breach notification requirements and GLBA safeguards.
ARTICLE 23 — ELECTRONIC SIGNATURES
23.1 Validity. This Addendum may be executed by electronic signature in accordance with the Nebraska electronic transactions provisions, Neb. Rev. Stat. § 86-611 et seq. The Parties agree that electronic signatures shall have the same legal effect, validity, and enforceability as manual ink signatures.
23.2 Legal Recognition. Pursuant to Nebraska law, a record or signature may not be denied legal effect or enforceability solely because it is in electronic form. A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation.
23.3 Consent to Electronic Records. Each Party consents to the use of electronic records and electronic signatures in connection with this Addendum and all related communications and documents.
23.4 Counterparts. This Addendum may be executed in one or more counterparts, each of which shall be deemed an original. Delivery of an executed counterpart by electronic transmission (including PDF, DocuSign, or other secure electronic signature platform) shall be effective as delivery of a manually executed counterpart.
ARTICLE 24 — GENERAL PROVISIONS
24.1 Entire Agreement. This Addendum, together with the Master Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof.
24.2 Amendment. This Addendum may not be amended except by a written instrument executed by authorized representatives of both Parties.
24.3 Waiver. No waiver of any provision shall be effective unless in writing and signed by the Party against whom the waiver is sought.
24.4 Severability. If any provision is held invalid under Nebraska law, such provision shall be modified to the minimum extent necessary, and the remaining provisions shall continue in full force and effect.
24.5 Assignment. Neither Party may assign this Addendum without the prior written consent of the other Party; provided that either Party may assign in connection with a merger, acquisition, or sale of substantially all assets.
24.6 Notices. All notices shall be in writing, delivered by hand, certified mail, or recognized overnight courier.
24.7 Survival. Obligations related to data return/destruction, indemnification, confidentiality, breach notification, and audit rights shall survive termination.
ARTICLE 25 — EXECUTION
Compliance Checklist (Pre-Execution):
☐ Master Agreement fully executed and referenced herein
☐ Provider's Information Security Program documentation reviewed by Customer
☐ Provider's most recent SOC 2 Type II report reviewed by Customer
☐ Provider's ISO 27001 certification verified
☐ Provider's most recent penetration test report reviewed by Customer
☐ Subprocessor list reviewed and approved by Customer
☐ Insurance certificates reviewed and verified by Customer
☐ RPO and RTO values agreed upon and documented in Section 12.3
☐ Data residency requirements confirmed
☐ Nebraska Data Privacy Act compliance measures reviewed
☐ Nebraska Attorney General simultaneous notification procedures confirmed
☐ Nebraska-licensed legal counsel has reviewed this Addendum for both Parties
☐ Key Personnel and escalation contacts identified
☐ Security Governance Committee members designated
SIGNATURE BLOCKS
IN WITNESS WHEREOF, the Parties have caused this Enterprise Security Addendum to be executed by their duly authorized representatives as of the Effective Date.
CUSTOMER
| Field | Details |
|---|---|
| Legal Entity Name: | [________________________________] |
| Authorized Signatory Name: | [________________________________] |
| Title: | [________________________________] |
| Signature: | [________________________________] |
| Date: | [__/__/____] |
| Email: | [________________________________] |
| Phone: | [________________________________] |
PROVIDER
| Field | Details |
|---|---|
| Legal Entity Name: | [________________________________] |
| Authorized Signatory Name: | [________________________________] |
| Title: | [________________________________] |
| Signature: | [________________________________] |
| Date: | [__/__/____] |
| Email: | [________________________________] |
| Phone: | [________________________________] |
EXHIBIT A — SECURITY CONTACT INFORMATION
| Role | Name | Phone | | Escalation Order |
|---|---|---|---|---|
| Customer Security Lead | [________________________________] | [________________________________] | [________________________________] | 1 |
| Customer Legal Counsel | [________________________________] | [________________________________] | [________________________________] | 2 |
| Customer Executive Sponsor | [________________________________] | [________________________________] | [________________________________] | 3 |
| Provider CISO | [________________________________] | [________________________________] | [________________________________] | 1 |
| Provider Incident Response Lead | [________________________________] | [________________________________] | [________________________________] | 2 |
| Provider Account Executive | [________________________________] | [________________________________] | [________________________________] | 3 |
EXHIBIT B — APPROVED SUBPROCESSOR LIST
| Subprocessor Name | Service Provided | Data Processed | Location | Approval Date |
|---|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
SOURCES AND REFERENCES
- Nebraska Financial Data Protection and Consumer Notification Act — Neb. Rev. Stat. § 87-801 et seq.: https://nebraskalegislature.gov/laws/display_html.php?begin_section=87-801&end_section=87-808
- Nebraska Breach Notification Requirements — Neb. Rev. Stat. § 87-803: https://nebraskalegislature.gov/laws/statutes.php?statute=87-802
- Nebraska Data Privacy Act — Neb. Rev. Stat. § 87-1101 et seq.: https://nebraskalegislature.gov/laws/display_html.php?begin_section=87-1101&end_section=87-1130
- Nebraska Protect the Good Life — Data Privacy Homepage: https://protectthegoodlife.nebraska.gov/data-privacy-homepage
- Nebraska Trade Secrets Act — Neb. Rev. Stat. § 87-501 et seq.: https://nebraskalegislature.gov/laws/statutes.php?statute=87-501
- Nebraska Electronic Transactions — Neb. Rev. Stat. § 86-611 et seq.: https://nebraskalegislature.gov/laws/statutes.php?statute=86-611
- Nebraska Computer Crimes Act — Neb. Rev. Stat. § 28-1341 et seq.: https://nebraskalegislature.gov/laws/statutes.php?statute=28-1341
- Nebraska Department of Banking and Finance — Financial Data Protection: https://ndbf.nebraska.gov/about/legal/financial-data-protection-consumer-notification-data-security-breach-act-2006
- NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
- NIST SP 800-88 Rev. 1 — Media Sanitization: https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
This Enterprise Security Addendum is intended for use on the ezel.ai platform and must be reviewed by Nebraska-licensed legal counsel before execution. Last updated: 2026-02-21.