Security Addendum (Enterprise SaaS)
ENTERPRISE SECURITY ADDENDUM
New Jersey Jurisdictional Version
Addendum Reference No.: [________________________________]
Master Agreement Reference: [________________________________]
Effective Date: [__/__/____]
RECITALS
WHEREAS, the entity identified as "Customer" ("[________________________________]") and the entity identified as "Provider" ("[________________________________]") have entered into that certain Master Services Agreement, SaaS Subscription Agreement, or equivalent agreement dated [__/__/____] (the "Master Agreement");
WHEREAS, the Provider will Process, store, transmit, or otherwise access Customer Data, including Personal Information of New Jersey residents, in the course of performing the Services;
WHEREAS, the State of New Jersey has enacted comprehensive data protection legislation, including the New Jersey Data Privacy Act (N.J. Stat. Ann. § 56:8-166 et seq.), effective January 15, 2025, and the Data Breach Notification Act (N.J. Stat. Ann. § 56:8-161 et seq.), imposing specific obligations on entities handling Personal Information of New Jersey residents;
WHEREAS, the Parties desire to establish minimum security standards, breach notification obligations, and data protection requirements that comply with New Jersey law and industry best practices;
NOW, THEREFORE, in consideration of the mutual covenants and obligations contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
ARTICLE 1 — DEFINITIONS
1.1 "Authorized Personnel" means individuals who have been granted access to Customer Data through formal authorization procedures, including employees, contractors, and agents of Provider who have a legitimate business need for such access and who have completed all required background checks and security training.
1.2 "Biometric Data" means data generated by automatic measurements of an individual's biological characteristics, including fingerprints, voiceprints, retina or iris scans, or other unique biological patterns or characteristics used to authenticate an individual's identity.
1.3 "Breach" or "Security Breach" means unauthorized access to, or acquisition of, electronic files, media, databases, or computerized data containing Personal Information that compromises the security, confidentiality, or integrity of Personal Information maintained by Provider, consistent with the definition set forth in N.J. Stat. Ann. § 56:8-161.
1.4 "Consumer" means a New Jersey resident acting in an individual or household context, as defined under the New Jersey Data Privacy Act (N.J. Stat. Ann. § 56:8-166 et seq.).
1.5 "Controller" means the entity that determines the purposes and means of Processing Personal Data, as defined under the NJDPA.
1.6 "Critical System" means any system, application, database, or infrastructure component that stores, processes, or transmits Customer Data, or that, if compromised, could result in unauthorized access to Customer Data.
1.7 "Customer Data" means all data, information, records, files, and materials provided by or on behalf of Customer to Provider, or collected, generated, or processed by Provider on behalf of Customer in connection with the Services, including but not limited to Personal Information, Confidential Information, and proprietary business data.
1.8 "Data Protection Assessment" means the documented evaluation required under N.J. Stat. Ann. § 56:8-166 et seq. for Processing activities that present a heightened risk of harm to Consumers, including targeted advertising, profiling, sale of Personal Data, and Processing of Sensitive Data.
1.9 "De-identified Data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, provided that the Controller that possesses such data takes reasonable measures to ensure the data cannot be associated with an individual and publicly commits to maintaining and using the data only in a de-identified fashion.
1.10 "Encryption Standards" means encryption using algorithms and key lengths that meet or exceed: (a) AES-256 for data at rest; (b) TLS 1.2 or higher for data in transit; and (c) current NIST recommended encryption standards.
1.11 "Incident" means any event that actually or potentially jeopardizes the confidentiality, integrity, or availability of Customer Data or any information system that stores, processes, or transmits Customer Data, including but not limited to attempted or successful unauthorized access, use, disclosure, modification, or destruction.
1.12 "Information Security Program" means Provider's comprehensive, documented program of administrative, technical, and physical safeguards designed to protect Customer Data, as further described in Article 4 of this Addendum.
1.13 "NJDPA" means the New Jersey Data Privacy Act, N.J. Stat. Ann. § 56:8-166 et seq., effective January 15, 2025, and all rules and regulations promulgated thereunder.
1.14 "Personal Information" means, consistent with N.J. Stat. Ann. § 56:8-161, an individual's first name or first initial and last name linked with any one or more of the following data elements: (a) Social Security number; (b) driver's license number or State identification card number; (c) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; (d) user name, email address, or any other account holder identifying information, in combination with any password, security question and answer, or other authentication factor that would permit access to an online account. This definition shall be interpreted broadly to encompass any additional categories of information added by amendment to N.J. Stat. Ann. § 56:8-161 or identified under the NJDPA.
1.15 "Personal Data" means information that is linked or reasonably linkable to an identified or identifiable individual, as defined under the NJDPA, excluding de-identified data, publicly available information, and certain employee/B2B data during any applicable exemption periods.
1.16 "Process" or "Processing" means any operation or set of operations performed on Customer Data, whether or not by automated means, including collection, use, storage, disclosure, analysis, deletion, or modification.
1.17 "Processor" means an entity that processes Personal Data on behalf of a Controller, as defined under the NJDPA.
1.18 "Sensitive Data" means, under the NJDPA, Personal Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed for identification, Personal Data of a known child, or precise geolocation data.
1.19 "Subprocessor" means any third party engaged by Provider to Process Customer Data on Provider's behalf in connection with the Services.
1.20 "Trade Secret" means information as defined under the New Jersey Trade Secrets Act (N.J. Stat. Ann. § 56:15-2), including a formula, pattern, compilation, program, device, method, technique, or process that derives independent economic value from not being generally known and is the subject of reasonable efforts to maintain its secrecy.
ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE
2.1 Scope. This Addendum applies to all Processing of Customer Data by Provider, its Authorized Personnel, and its Subprocessors in connection with the Services provided under the Master Agreement.
2.2 Order of Precedence. In the event of any conflict or inconsistency between the terms of this Addendum and the Master Agreement, this Addendum shall prevail with respect to matters related to data security, privacy, breach notification, and compliance with New Jersey law. In the event of conflict between this Addendum and applicable New Jersey statutes or regulations, the applicable law shall control.
2.3 Regulatory Updates. Provider acknowledges that the NJDPA regulations are still being developed and finalized, and agrees to monitor regulatory developments and adjust its practices to comply with final rules promulgated by the New Jersey Division of Consumer Affairs.
2.4 Incorporation. This Addendum is hereby incorporated into and made a part of the Master Agreement. All terms not defined herein shall have the meanings ascribed to them in the Master Agreement.
ARTICLE 3 — NEW JERSEY DATA PRIVACY ACT (NJDPA) COMPLIANCE
3.1 Applicability. Where Provider acts as a Processor of Personal Data on behalf of Customer (as Controller) with respect to New Jersey Consumers, Provider shall comply with all applicable obligations of a Processor under the NJDPA (N.J. Stat. Ann. § 56:8-166 et seq.).
3.2 Processing Limitations. Provider shall:
(a) Process Personal Data only in accordance with Customer's documented instructions and the purposes specified in the Master Agreement;
(b) Not Process Personal Data for purposes of targeted advertising, sale of Personal Data, or profiling in furtherance of decisions that produce legal or similarly significant effects, unless expressly authorized by Customer in writing and in compliance with the NJDPA;
(c) Not combine Personal Data received from Customer with Personal Data received from or on behalf of other Controllers or collected from Provider's own interactions with data subjects, except as expressly permitted by the NJDPA.
3.3 Consumer Rights Facilitation. Provider shall provide reasonable technical and organizational assistance to Customer in fulfilling Customer's obligations to respond to Consumer rights requests under the NJDPA, including:
(a) Right to confirm Processing and access Personal Data;
(b) Right to correct inaccuracies;
(c) Right to delete Personal Data;
(d) Right to data portability;
(e) Right to opt out of sale, targeted advertising, and profiling.
3.4 Sensitive Data. Provider shall not Process Sensitive Data (as defined under the NJDPA) without first obtaining Customer's written confirmation that appropriate opt-in consent has been obtained from the Consumer, in compliance with N.J. Stat. Ann. § 56:8-166 et seq.
3.5 Data Protection Assessments. Provider shall cooperate with and provide information reasonably necessary to assist Customer in conducting Data Protection Assessments required under the NJDPA for Processing activities that present a heightened risk of harm to Consumers.
3.6 Cure Period Awareness. The Parties acknowledge that the NJDPA provides a 30-day cure period for violations during the first 18 months following the effective date (through approximately July 15, 2026). After this sunset period, the right to cure is at the discretion of the New Jersey Attorney General.
3.7 Nonprofit and Educational Entity Applicability. Provider acknowledges that the NJDPA applies to nonprofit organizations and educational institutions, and Provider's obligations under this Article apply regardless of Customer's organizational type.
ARTICLE 4 — INFORMATION SECURITY PROGRAM
4.1 General Obligation. Provider shall establish, implement, and maintain a comprehensive, written Information Security Program that includes administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, acquisition, destruction, use, modification, or disclosure. Such program shall be appropriate to the size and complexity of Provider's operations and the nature and scope of Customer Data processed.
4.2 Security Frameworks. Provider's Information Security Program shall align with one or more of the following recognized frameworks:
(a) ISO/IEC 27001:2022 — Information Security Management Systems;
(b) SOC 2 Type II — Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy);
(c) NIST Cybersecurity Framework (CSF) v2.0;
(d) NIST SP 800-53 Rev. 5 — Security and Privacy Controls.
4.3 Minimum Security Controls. Without limiting the generality of Section 4.1, Provider's Information Security Program shall include, at a minimum, the controls described in Articles 5 through 17 of this Addendum.
4.4 Continuous Improvement. Provider shall review and update its Information Security Program no less than annually, and more frequently as necessary to address new threats, vulnerabilities, changes in technology, or changes in applicable New Jersey law.
4.5 Documentation. Provider shall maintain current documentation of its Information Security Program, including policies, procedures, standards, and guidelines, and shall make such documentation available to Customer upon reasonable request.
ARTICLE 5 — ACCESS CONTROLS
5.1 Role-Based Access Control (RBAC). Provider shall implement and enforce role-based access controls to ensure that access to Customer Data is limited to Authorized Personnel whose job functions require such access.
5.2 Multi-Factor Authentication (MFA). Provider shall require multi-factor authentication for: (a) all remote access to systems containing Customer Data; (b) all administrative and privileged access to Critical Systems; (c) all access to Customer-facing portals and dashboards; and (d) all access to cloud management consoles and infrastructure.
5.3 Least Privilege. Access shall be granted based on the principle of least privilege, providing only the minimum access necessary to perform assigned job functions.
5.4 Access Reviews. Provider shall conduct formal access reviews no less than quarterly to verify that access privileges remain appropriate and that accounts for terminated or transferred personnel have been promptly deactivated. Evidence of such reviews shall be maintained and available for audit.
5.5 Privileged Access Management. Provider shall implement dedicated privileged access management (PAM) controls, including session recording, credential vaulting, and just-in-time access provisioning for administrative accounts.
5.6 Account Management. Provider shall: (a) disable or remove inactive accounts after thirty (30) days of inactivity; (b) enforce account lockout after no more than five (5) consecutive failed login attempts; (c) deactivate accounts of terminated personnel within twenty-four (24) hours of notification; and (d) implement unique user identifiers for all accounts with access to Customer Data.
5.7 Password Policy. Provider shall enforce password policies requiring a minimum of fourteen (14) characters, complexity requirements, prohibition of known compromised passwords, and mandatory rotation for privileged accounts no less than every ninety (90) days.
ARTICLE 6 — ENCRYPTION STANDARDS
6.1 Data in Transit. All Customer Data transmitted over public or untrusted networks shall be encrypted using TLS 1.2 or higher with strong cipher suites. TLS 1.0 and 1.1 shall be disabled on all systems.
6.2 Data at Rest. All Customer Data stored on Provider systems, including databases, file systems, backups, and removable media, shall be encrypted using AES-256 or an equivalent or stronger algorithm.
6.3 Key Management. Provider shall implement a formal key management program that includes: (a) generation of cryptographic keys using approved random number generators; (b) secure storage of keys in hardware security modules (HSMs) or equivalent; (c) key rotation no less than annually; (d) key revocation and destruction procedures; (e) separation of duties between key custodians; and (f) documentation and audit trails for all key management activities.
6.4 End-to-End Encryption. Where technically feasible and appropriate to the sensitivity of the data, Provider shall implement end-to-end encryption so that Customer Data is encrypted throughout its entire lifecycle.
6.5 Certificate Management. Provider shall maintain a current inventory of all digital certificates, implement automated certificate lifecycle management, and ensure that expired or compromised certificates are promptly replaced.
ARTICLE 7 — NETWORK SECURITY
7.1 Network Architecture. Provider shall implement network segmentation to isolate systems that store or process Customer Data from other systems. Critical Systems shall reside in dedicated network segments with strictly controlled ingress and egress traffic.
7.2 Firewalls and Intrusion Prevention. Provider shall deploy and maintain: (a) next-generation firewalls at all network perimeters; (b) intrusion detection and prevention systems (IDS/IPS) monitoring all network traffic to and from Customer Data environments; (c) web application firewalls (WAF) protecting all Customer-facing applications.
7.3 Network Monitoring. Provider shall monitor all network traffic for anomalous activity on a continuous (24/7/365) basis using automated tools and shall investigate all alerts promptly.
7.4 Wireless Security. All wireless networks with access to Customer Data environments shall use WPA3 or equivalent encryption and shall be segmented from production networks.
7.5 Remote Access. All remote access to Customer Data environments shall be conducted through encrypted VPN connections or zero-trust network access (ZTNA) solutions, with multi-factor authentication required for all sessions.
7.6 DDoS Protection. Provider shall implement distributed denial-of-service (DDoS) mitigation capabilities sufficient to maintain availability of Services during volumetric, protocol, and application-layer attacks.
ARTICLE 8 — APPLICATION SECURITY
8.1 Secure Development Lifecycle (SDLC). Provider shall implement a formal Secure Development Lifecycle for all applications that store, process, or transmit Customer Data, incorporating security at each phase of development, including requirements, design, implementation, testing, deployment, and maintenance.
8.2 OWASP Compliance. Provider shall ensure that all web applications and APIs are developed and maintained in accordance with the OWASP Top Ten and OWASP Application Security Verification Standard (ASVS), addressing at minimum: injection, broken authentication, sensitive data exposure, XXE, broken access control, security misconfiguration, XSS, insecure deserialization, vulnerable components, and insufficient logging and monitoring.
8.3 Static and Dynamic Analysis. Provider shall perform: (a) Static Application Security Testing (SAST) on all code prior to release; (b) Dynamic Application Security Testing (DAST) on all deployed applications no less than quarterly; and (c) Software Composition Analysis (SCA) to identify vulnerabilities in third-party libraries and open-source components.
8.4 Code Review. All code changes affecting Customer Data handling shall undergo peer code review with security-focused review criteria before deployment to production.
8.5 API Security. Provider shall implement API authentication, authorization, rate limiting, input validation, and logging for all APIs that access or expose Customer Data.
8.6 Change Management. Provider shall implement formal change management procedures for all modifications to production systems, including documented approval, testing, rollback plans, and post-implementation review.
ARTICLE 9 — VULNERABILITY MANAGEMENT
9.1 Vulnerability Scanning. Provider shall conduct automated vulnerability scanning of all Critical Systems no less than weekly, and of all other systems no less than monthly.
9.2 Remediation Timelines. Provider shall remediate identified vulnerabilities according to the following timelines, measured from the date of identification:
| Severity Level | Remediation Timeline | Interim Mitigation |
|---|---|---|
| Critical (CVSS 9.0-10.0) | Twenty-four (24) hours | Immediate compensating controls |
| High (CVSS 7.0-8.9) | Seven (7) calendar days | Within 48 hours |
| Medium (CVSS 4.0-6.9) | Thirty (30) calendar days | Risk-based assessment |
| Low (CVSS 0.1-3.9) | Ninety (90) calendar days | Next scheduled maintenance |
9.3 Zero-Day Vulnerabilities. Provider shall maintain a process for identifying and responding to zero-day vulnerabilities affecting systems that process Customer Data. Emergency patches or compensating controls shall be deployed within twenty-four (24) hours of vendor notification or public disclosure, whichever occurs first.
9.4 Patch Management. Provider shall maintain a formal patch management program that includes testing, approval, deployment, and verification procedures for all security patches.
9.5 Vulnerability Reporting. Provider shall provide Customer with quarterly vulnerability management reports summarizing the number and severity of identified vulnerabilities, remediation status, and any exceptions or risk acceptances.
ARTICLE 10 — LOGGING, MONITORING, AND AUDIT
10.1 Security Information and Event Management (SIEM). Provider shall implement and maintain a SIEM solution capable of real-time aggregation, correlation, and analysis of security events from all Critical Systems.
10.2 Log Collection. Provider shall collect and maintain audit logs from all systems that store, process, or transmit Customer Data, including: (a) authentication events (successes and failures); (b) authorization changes; (c) data access events; (d) system administrator activities; (e) system and application errors; (f) firewall and IDS/IPS events; (g) anti-malware events; and (h) data modification and deletion events.
10.3 Log Retention. Audit logs shall be retained for a minimum of twelve (12) months online and an additional twelve (12) months in secure archived storage, for a total retention period of twenty-four (24) months. Logs shall be protected against unauthorized modification or deletion.
10.4 Log Integrity. Provider shall implement controls to ensure log integrity, including cryptographic hashing, write-once storage, or equivalent tamper-evident mechanisms.
10.5 Monitoring and Alerting. Provider shall maintain 24/7/365 security monitoring with defined alert thresholds, escalation procedures, and response timeframes. Critical alerts shall trigger automated notifications to Provider's security operations team.
10.6 Log Access. Upon Customer's reasonable request, Provider shall provide Customer with access to or copies of audit logs pertaining to Customer Data, within ten (10) business days of such request.
ARTICLE 11 — DATA SEGREGATION AND RESIDENCY
11.1 Logical Segregation. Provider shall logically segregate Customer Data from the data of other customers at the application, database, and storage layers. Segregation mechanisms shall prevent unauthorized cross-tenant access.
11.2 Data Residency. Unless otherwise agreed in writing, Customer Data shall be stored and processed within the continental United States. Provider shall not transfer Customer Data outside the United States without Customer's prior written consent.
11.3 Notification of Residency Changes. Provider shall notify Customer no less than sixty (60) days in advance of any proposed change in the geographic location of data storage or processing facilities affecting Customer Data.
11.4 Multi-Tenant Isolation. In multi-tenant environments, Provider shall implement robust tenant isolation controls, including separate encryption keys per tenant, isolated compute environments where feasible, and regular testing of isolation controls.
ARTICLE 12 — PENETRATION TESTING
12.1 Annual Testing. Provider shall engage an independent, qualified third-party firm to conduct comprehensive penetration testing of all systems and applications that store, process, or transmit Customer Data no less than annually. Testing shall include external network, internal network, web application, and social engineering components.
12.2 Methodology. Penetration tests shall be conducted in accordance with recognized methodologies, including OWASP Testing Guide, PTES, or NIST SP 800-115.
12.3 Scope. The scope of penetration testing shall include all Customer-facing applications, APIs, infrastructure, and network perimeters associated with the Services.
12.4 Remediation. All findings rated Critical or High shall be remediated in accordance with the timelines specified in Article 9 of this Addendum. Provider shall conduct validation testing to confirm successful remediation.
12.5 Reporting. Provider shall provide Customer with an executive summary of penetration test results, including identified vulnerabilities, risk ratings, and remediation status, within thirty (30) days of test completion. Full reports shall be available upon request subject to reasonable confidentiality protections.
12.6 Customer Testing. Upon no less than thirty (30) days' prior written notice, Customer shall have the right to conduct or commission its own penetration testing of the Services, subject to reasonable scope and scheduling coordination with Provider. Customer shall provide Provider with a copy of any findings.
ARTICLE 13 — BUSINESS CONTINUITY AND DISASTER RECOVERY
13.1 BC/DR Program. Provider shall establish, maintain, and test a comprehensive business continuity and disaster recovery program designed to ensure the continued availability and integrity of Customer Data and Services.
13.2 Recovery Objectives. Unless otherwise specified in the Master Agreement or an applicable Service Level Agreement:
(a) Recovery Point Objective (RPO): No greater than four (4) hours, meaning that in the event of a disaster or system failure, no more than four (4) hours of Customer Data shall be at risk of loss;
(b) Recovery Time Objective (RTO): No greater than eight (8) hours, meaning that Services shall be restored within eight (8) hours of a declared disaster or system failure.
13.3 Backup Procedures. Provider shall: (a) perform daily encrypted backups of all Customer Data; (b) store backups in a geographically separate facility from the primary data center; (c) test backup restoration procedures no less than quarterly; and (d) maintain backup encryption consistent with Article 6.
13.4 Annual Testing. Provider shall conduct a full disaster recovery test no less than annually, simulating realistic disaster scenarios. Customer shall be invited to observe testing and shall receive test results within thirty (30) days.
13.5 Failover. Provider shall implement automated failover capabilities for all Critical Systems, with failover time not exceeding the RTO specified in Section 13.2.
ARTICLE 14 — INCIDENT RESPONSE AND NEW JERSEY BREACH NOTIFICATION
14.1 Incident Response Plan. Provider shall maintain a documented incident response plan that includes: (a) incident identification and classification procedures; (b) containment and eradication procedures; (c) evidence preservation and chain-of-custody procedures; (d) communication and escalation procedures; (e) recovery and restoration procedures; and (f) post-incident review and lessons-learned procedures.
14.2 Initial Notification to Customer. Provider shall notify Customer of any confirmed or suspected Incident involving Customer Data within twenty-four (24) hours of Provider's discovery of the Incident, by email to the security contact designated by Customer and by telephone to the emergency contact designated by Customer.
14.3 Incident Notification Content. Provider's initial notification shall include, to the extent known at the time: (a) the nature and scope of the Incident; (b) the date and time of discovery; (c) the type of Customer Data affected; (d) the number of individuals potentially affected; (e) actions taken or planned to contain and remediate the Incident; and (f) the identity of a Provider point of contact for ongoing communications.
14.4 Ongoing Updates. Following initial notification, Provider shall provide Customer with written status updates no less than every twenty-four (24) hours until the Incident is resolved, including updated information about scope, impact, containment, remediation, and root cause analysis.
14.5 New Jersey Breach Notification — Statutory Requirements. In the event of a Breach involving Personal Information of New Jersey residents, the following requirements under N.J. Stat. Ann. § 56:8-163 shall apply:
(a) Timeline: Notification shall be made to affected individuals in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system;
(b) Division of State Police Notification: Before notifying affected individuals, Provider shall (on behalf of or in coordination with Customer) report the Breach to the New Jersey Division of State Police in the Department of Law and Public Safety;
(c) Notice Content: Written notification to affected individuals shall include: (i) the date or estimated date of the breach; (ii) a description of the type of Personal Information that was, or is reasonably believed to have been, accessed or acquired; (iii) contact information for the reporting entity; (iv) toll-free telephone numbers and addresses for major consumer reporting agencies; and (v) advice directing the individual to remain vigilant by reviewing account statements and monitoring credit reports;
(d) Method of Notice: Notification may be provided by: (i) written notice sent to the last known postal address in the records of the entity; (ii) electronic notice, if the entity's primary method of communication with the individual is by electronic means or if notice is consistent with the provisions regarding electronic records set forth in 15 U.S.C. § 7001; or (iii) substitute notice, if the entity demonstrates that the cost of providing notice exceeds $250,000, or the affected class exceeds 500,000 persons, or the entity does not have sufficient contact information.
14.6 Penalties for Non-Compliance. The Parties acknowledge that failure to comply with N.J. Stat. Ann. § 56:8-163 may result in civil penalties of up to ten thousand dollars ($10,000) per initial violation and twenty thousand dollars ($20,000) per subsequent violation, plus restitution and investigative costs. Provider shall indemnify Customer against penalties arising from Provider's failure to comply with its notification obligations.
14.7 Cooperation. Provider shall cooperate fully with Customer, law enforcement, and regulatory authorities in the investigation and resolution of any Breach. Provider shall preserve all evidence related to the Breach and shall not destroy any logs, records, or data relevant to the investigation without Customer's prior written consent.
14.8 Root Cause Analysis. Within thirty (30) days of Breach resolution, Provider shall deliver to Customer a written root cause analysis report identifying: (a) the cause of the Breach; (b) a timeline of events; (c) the scope and impact of the Breach; (d) remedial actions taken; and (e) measures implemented to prevent recurrence.
14.9 Credit Monitoring. In the event of a Breach involving Social Security numbers or financial account information of New Jersey residents, Provider shall, at its sole expense, offer no less than twenty-four (24) months of credit monitoring and identity theft protection services to affected individuals.
ARTICLE 15 — SUBPROCESSOR MANAGEMENT
15.1 Prior Approval. Provider shall not engage any Subprocessor to Process Customer Data without Customer's prior written approval. Provider shall maintain a current list of all approved Subprocessors and make it available to Customer.
15.2 Notification of Changes. Provider shall notify Customer no less than thirty (30) days in advance of any proposed addition or replacement of a Subprocessor. Customer shall have the right to object to such change within fifteen (15) days of notification.
15.3 Contractual Requirements. Provider shall enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those set forth in this Addendum, including security controls, breach notification, audit rights, and compliance with New Jersey law.
15.4 Liability. Provider shall remain fully liable for the acts and omissions of its Subprocessors as if such acts and omissions were performed by Provider directly.
15.5 Due Diligence. Provider shall conduct due diligence on each Subprocessor before engagement, and annually thereafter, to verify the Subprocessor's ability to meet its security and data protection obligations. Due diligence shall include review of security certifications, audit reports, and incident history.
ARTICLE 16 — PERSONNEL SECURITY
16.1 Background Checks. Provider shall conduct background checks on all personnel with access to Customer Data prior to granting such access, to the extent permitted by applicable law, including New Jersey employment law (such as the New Jersey Opportunity to Compete Act) and the federal Fair Credit Reporting Act. Background checks shall include, at minimum, criminal history and identity verification.
16.2 Security Training. Provider shall require all Authorized Personnel to complete comprehensive security awareness training upon hiring and no less than annually thereafter. Training shall cover: (a) data handling and protection procedures; (b) incident identification and reporting; (c) social engineering and phishing awareness; (d) applicable New Jersey data protection laws; and (e) Provider's security policies and procedures.
16.3 Confidentiality Agreements. All Authorized Personnel shall execute confidentiality and non-disclosure agreements prior to accessing Customer Data, with provisions that survive termination of employment.
16.4 Separation Procedures. Upon termination or reassignment of any Authorized Personnel, Provider shall: (a) revoke all access to Customer Data, including user accounts, access tokens, keys, and physical credentials, within twenty-four (24) hours, and immediately in the case of involuntary termination; (b) rotate any shared or service credentials known to the individual; (c) recover all Provider-issued devices and media; (d) confirm deletion of Customer Data from personal devices, if applicable; and (e) remind the individual of continuing confidentiality obligations.
ARTICLE 17 — PHYSICAL SECURITY
17.1 Data Center Security. All facilities housing Critical Systems shall implement, at minimum: (a) 24/7/365 security personnel or video surveillance; (b) multi-layer access controls (badge, biometric, PIN) with visitor escort requirements; (c) environmental controls including fire suppression, climate control, and water detection; (d) redundant power supply with uninterruptible power supply (UPS) and backup generators; and (e) secure media storage and destruction capabilities.
17.2 Visitor Management. All visitors to data center and office facilities where Customer Data is accessible shall be logged, escorted, and required to sign confidentiality agreements.
17.3 Media Handling. All removable media containing Customer Data shall be encrypted, inventoried, tracked, and securely stored when not in use. Disposal of media shall comply with Article 21.
17.4 Clean Desk Policy. Provider shall enforce a clean desk policy in all areas where Customer Data may be accessed, ensuring that sensitive information is not left unattended on desks, screens, or in unlocked containers.
ARTICLE 18 — INSURANCE
18.1 Cyber Liability Insurance. Provider shall maintain cyber liability insurance coverage with limits of no less than five million dollars ($5,000,000) per occurrence and in the aggregate, covering: (a) data breaches and security incidents; (b) regulatory fines and penalties; (c) crisis management and notification costs; (d) business interruption; and (e) third-party claims arising from security failures.
18.2 Errors and Omissions Insurance. Provider shall maintain professional liability (errors and omissions) insurance with limits of no less than two million dollars ($2,000,000) per occurrence and in the aggregate.
18.3 General Requirements. All required insurance policies shall: (a) be issued by carriers rated A- VII or better by A.M. Best; (b) name Customer as an additional insured where applicable; (c) contain a waiver of subrogation in favor of Customer; and (d) require thirty (30) days' prior written notice to Customer of cancellation, non-renewal, or material change.
18.4 Certificates. Provider shall furnish certificates of insurance to Customer upon execution of this Addendum and annually thereafter, or upon request.
ARTICLE 19 — AUDIT RIGHTS
19.1 Audit Right. Customer, or its designated independent auditor, shall have the right to audit Provider's compliance with this Addendum no more than once per twelve (12) month period, upon no less than thirty (30) days' prior written notice, during regular business hours.
19.2 Scope of Audit. Audits may include: (a) review of security policies, procedures, and documentation; (b) inspection of data center and office facilities; (c) review of access logs and security monitoring records; (d) interviews with Provider security personnel; (e) review of third-party audit reports (SOC 2, ISO 27001, penetration test results); and (f) review of incident response records.
19.3 Additional Audits. Customer shall have the right to conduct additional audits following a confirmed Breach, regulatory inquiry, or material change to Provider's security posture.
19.4 Cooperation. Provider shall cooperate fully with all audits and shall provide reasonable access to facilities, systems, records, and personnel as necessary to complete the audit.
19.5 Remediation. Provider shall develop and implement a remediation plan to address any audit findings within the timeframes mutually agreed upon by the Parties, but no later than: (a) thirty (30) days for Critical findings; (b) sixty (60) days for High findings; and (c) ninety (90) days for Medium and Low findings.
19.6 Third-Party Reports. In lieu of or in addition to direct audits, Provider shall make available to Customer, upon request: (a) SOC 2 Type II reports; (b) ISO 27001 certification; (c) penetration test executive summaries; and (d) any other relevant third-party security assessment reports.
ARTICLE 20 — SECURITY GOVERNANCE AND REPORTING
20.1 Security Governance. Provider shall designate a qualified Chief Information Security Officer (CISO) or equivalent senior security executive with responsibility for the Information Security Program.
20.2 Quarterly Reporting. Provider shall provide Customer with quarterly security reports that include, at minimum: (a) summary of security incidents and near-misses; (b) vulnerability management metrics; (c) patch compliance status; (d) access review results; (e) training completion rates; and (f) any material changes to the Information Security Program.
20.3 Annual Security Review. Provider and Customer shall conduct an annual security review meeting to discuss: (a) the state of Provider's Information Security Program; (b) emerging threats and vulnerabilities; (c) any changes to applicable New Jersey law; (d) audit and assessment results; and (e) planned security improvements.
20.4 Risk Management. Provider shall maintain a formal risk management program that includes regular risk assessments, risk treatment plans, and a risk register documenting identified risks and their status.
ARTICLE 21 — DATA RETURN AND DESTRUCTION
21.1 Data Return. Upon expiration or termination of the Master Agreement, or upon Customer's written request, Provider shall return all Customer Data to Customer in a machine-readable, industry-standard format within thirty (30) days.
21.2 Data Destruction. Following return of Customer Data (or upon Customer's written instruction), Provider shall securely destroy all copies of Customer Data in its possession or control, including backup copies, within sixty (60) days. Destruction shall comply with NIST Special Publication 800-88 Rev. 1 (Guidelines for Media Sanitization) or an equivalent standard. Cryptographic erasure is an acceptable method only where the Customer Data was encrypted throughout its storage lifetime and the encryption keys are themselves destroyed in accordance with that standard.
21.3 Certification of Destruction. Provider shall provide Customer with a written certification of destruction signed by an authorized officer of Provider, specifying the data destroyed, the method of destruction, and the date of destruction.
21.4 Exceptions. Provider may retain Customer Data only to the extent required by applicable law, provided that: (a) Provider notifies Customer of the specific legal requirement; (b) the retained data remains subject to the protections of this Addendum; and (c) the retained data is destroyed promptly upon expiration of the retention requirement.
21.5 Subprocessor Data Destruction. Provider shall ensure that all Subprocessors comply with the same data return and destruction requirements set forth in this Article.
ARTICLE 22 — INDEMNIFICATION FOR SECURITY BREACHES
22.1 Provider Indemnification. Provider shall indemnify, defend, and hold harmless Customer and its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and court costs) arising out of or resulting from:
(a) Any Breach caused by Provider's failure to comply with this Addendum;
(b) Any violation of N.J. Stat. Ann. § 56:8-163 (breach notification) caused by Provider's acts or omissions;
(c) Any violation of the NJDPA caused by Provider's acts or omissions;
(d) Any fines, penalties, or regulatory sanctions imposed on Customer due to Provider's failure to maintain security controls consistent with this Addendum;
(e) Any third-party claims arising from unauthorized access to or disclosure of Customer Data attributable to Provider's negligence or willful misconduct.
22.2 Uncapped Liability. The indemnification obligations set forth in this Article shall not be subject to any limitation of liability or cap on damages set forth in the Master Agreement. The Parties acknowledge that security breaches involving Personal Information of New Jersey residents may result in significant regulatory penalties, litigation, and reputational harm that cannot be adequately addressed by standard limitation-of-liability provisions.
22.3 Mitigation. Provider shall take all commercially reasonable steps to mitigate damages arising from a Breach, including but not limited to providing timely notification, credit monitoring services, and technical assistance.
ARTICLE 23 — NEW JERSEY-SPECIFIC LEGAL PROVISIONS
23.1 New Jersey Data Privacy Act (NJDPA) — Detailed Compliance.
(a) Controller-Processor Relationship. Where Customer acts as a Controller and Provider acts as a Processor under the NJDPA, the Parties' respective obligations are as set forth in Article 3 of this Addendum. This Addendum constitutes the required written contract between Controller and Processor under the NJDPA.
(b) Transparency. Provider shall assist Customer in maintaining transparent privacy notices that accurately describe the Processing of Personal Data, including the categories of data processed, purposes of processing, categories of third parties with whom data is shared, and Consumer rights.
(c) Universal Opt-Out Mechanism. Provider shall implement technical support for universal opt-out preference signals (e.g., Global Privacy Control) recognized under the NJDPA, to the extent applicable to the Services.
(d) Children's Data. Where Provider has actual knowledge, or willfully disregards, that a consumer whose Personal Data is Processed through the Services is at least thirteen (13) and younger than seventeen (17) years of age, Provider shall not Process such Personal Data for targeted advertising, sale, or profiling without the consumer's consent, as required by the NJDPA. Where the Services involve Personal Data of children under thirteen (13), Provider shall additionally comply with the federal Children's Online Privacy Protection Act (COPPA), including its verifiable parental consent requirements.
(e) Non-Discrimination. Provider shall not discriminate against any Consumer who exercises rights under the NJDPA, including by denying goods or services, charging different prices, or providing a different level of quality.
23.2 New Jersey Trade Secrets Act (N.J. Stat. Ann. § 56:15-1 et seq.).
(a) Provider acknowledges that Customer Data may include Trade Secrets as defined under the New Jersey Trade Secrets Act.
(b) Provider shall implement and maintain reasonable measures to preserve the secrecy of all Trade Secrets, including access controls, encryption, confidentiality agreements, and employee training.
(c) In the event of actual or threatened misappropriation of Trade Secrets, Customer shall be entitled to injunctive relief under N.J. Stat. Ann. § 56:15-3, damages under N.J. Stat. Ann. § 56:15-4 (including, in cases of willful and malicious misappropriation, exemplary damages not exceeding twice the amount of the compensatory award), and reasonable attorneys' fees where the New Jersey Trade Secrets Act so provides.
23.3 New Jersey Consumer Fraud Act (N.J. Stat. Ann. § 56:8-1 et seq.).
(a) Provider represents that its security practices shall not constitute an unconscionable commercial practice, deception, fraud, false pretense, false promise, or misrepresentation under the New Jersey Consumer Fraud Act.
(b) Provider acknowledges that violations of the data breach notification statute may be actionable under the Consumer Fraud Act, with treble damages available to aggrieved persons.
23.4 Forum and Governing Law.
(a) This Addendum shall be governed by and construed in accordance with the laws of the State of New Jersey, without regard to its conflict-of-laws principles.
(b) Any dispute arising out of or relating to this Addendum shall be subject to the exclusive jurisdiction of the state and federal courts located in the State of New Jersey.
(c) JURY WAIVER. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY HEREBY IRREVOCABLY WAIVES ALL RIGHT TO TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS ADDENDUM.
23.5 Late Payment.
(a) Any undisputed amounts not paid when due shall bear interest at the rate of six percent (6%) per annum or such other rate as specified in the Master Agreement, not to exceed the maximum rate permitted under New Jersey law (16% per annum by contract under N.J. Stat. Ann. § 31:1-1).
ARTICLE 24 — ELECTRONIC SIGNATURES
24.1 Validity. This Addendum may be executed by electronic signature in accordance with the New Jersey Uniform Electronic Transactions Act (N.J. Stat. Ann. § 12A:12-1 et seq.) and the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. § 7001 et seq.).
24.2 Equivalence. Electronic signatures shall have the same legal force, effect, and enforceability as original wet-ink signatures. No Party shall contest the validity or enforceability of this Addendum solely on the basis that it was executed electronically.
24.3 Consent to Electronic Records. Each Party consents to the use of electronic records and electronic signatures in connection with this Addendum and all related documents, notices, and communications.
24.4 Counterparts. This Addendum may be executed in one or more counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Delivery of an executed counterpart by electronic transmission (including PDF) shall be effective as delivery of an original executed counterpart.
24.5 Retention. Each Party shall retain a complete and accurate copy of this Addendum, including all electronic signatures, in a format that is accessible and capable of accurate reproduction for the duration of the Master Agreement and for the applicable statute of limitations period thereafter.
ARTICLE 25 — GENERAL PROVISIONS
25.1 Entire Agreement. This Addendum, together with the Master Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties with respect to security and data protection.
25.2 Amendments. This Addendum may not be amended or modified except by a written instrument signed by duly authorized representatives of both Parties.
25.3 Severability. If any provision of this Addendum is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.
25.4 Waiver. No waiver of any provision of this Addendum shall be effective unless in writing and signed by the Party granting the waiver.
25.5 Notices. All notices required or permitted under this Addendum shall be in writing and delivered to the addresses specified in the Master Agreement or as updated in writing by either Party.
25.6 Survival. The provisions of Articles 14, 21, 22, 23, and 24 shall survive expiration or termination of this Addendum and the Master Agreement.
25.7 Assignment. This Addendum shall be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns. Neither Party may assign this Addendum without the prior written consent of the other Party, except in connection with a merger, acquisition, or sale of all or substantially all of the assigning Party's assets.
SIGNATURE BLOCKS
IN WITNESS WHEREOF, the Parties have executed this Enterprise Security Addendum as of the Effective Date.
CUSTOMER
| Field | Details |
|---|---|
| Entity Name | [________________________________] |
| Authorized Signatory | [________________________________] |
| Title | [________________________________] |
| Signature | [________________________________] |
| Date | [__/__/____] |
PROVIDER
| Field | Details |
|---|---|
| Entity Name | [________________________________] |
| Authorized Signatory | [________________________________] |
| Title | [________________________________] |
| Signature | [________________________________] |
| Date | [__/__/____] |
EXECUTION CHECKLIST
☐ Master Agreement referenced and attached
☐ All fillable fields completed with accurate information
☐ NJDPA compliance requirements reviewed (Article 3)
☐ Data Protection Assessment requirements reviewed (Section 3.5)
☐ Subprocessor list reviewed and approved (Article 15)
☐ Insurance certificates obtained and verified (Article 18)
☐ Security contact and emergency contact designated for breach notification
☐ New Jersey Division of State Police notification process established (Section 14.5)
☐ Provider's SOC 2 Type II report and/or ISO 27001 certification reviewed
☐ Data residency requirements confirmed (Article 11)
☐ Recovery objectives (RPO/RTO) reviewed and approved (Article 13)
☐ New Jersey-licensed counsel has reviewed and approved this Addendum
SOURCES AND REFERENCES
- New Jersey Data Breach Notification Act, N.J. Stat. Ann. § 56:8-161 et seq. https://law.justia.com/codes/new-jersey/title-56/section-56-8-163/
- New Jersey Data Privacy Act (NJDPA), N.J. Stat. Ann. § 56:8-166 et seq. https://www.njconsumeraffairs.gov/ocp/Pages/NJ-Data-Privacy-Law-FAQ.aspx
- New Jersey Trade Secrets Act, N.J. Stat. Ann. § 56:15-1 et seq. https://law.justia.com/codes/new-jersey/title-56/
- New Jersey Uniform Electronic Transactions Act, N.J. Stat. Ann. § 12A:12-1 et seq. https://ally-law.com/e-signature-regulations-u-s-a-new-jersey/
- NIST Cybersecurity Framework v2.0. https://www.nist.gov/cyberframework
- NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization. https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
- ISO/IEC 27001:2022, Information Security Management Systems. https://www.iso.org/standard/27001
- OWASP Top Ten. https://owasp.org/www-project-top-ten/
- New Jersey Division of Consumer Affairs, NJDPA Proposed Rules (2025). https://www.njconsumeraffairs.gov/
About This Template
A contract is a written record of what two or more parties agreed to and what happens if someone does not follow through. Clear language, defined terms, and clean signature blocks keep disputes small and enforceable. The most common mistakes in contracts come from vague promises, missing details about timing or payment, and skipping standard protective clauses like governing law and dispute resolution.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: March 2026