SECURITY ADDENDUM (ENTERPRISE SAAS)
New Mexico Jurisdictional Version
Addendum Effective Date: [__/__/____]
Addendum Reference Number: [________________________________]
PARTIES
"Customer":
Name: [________________________________]
State of Organization: [________________________________]
Principal Office Address: [________________________________]
Contact Person: [________________________________]
Email: [________________________________]
Phone: [________________________________]
"Provider":
Name: [________________________________]
State of Organization: [________________________________]
Principal Office Address: [________________________________]
Security Contact Person: [________________________________]
Email: [________________________________]
Phone: [________________________________]
RECITALS
WHEREAS, Customer and Provider have entered into that certain Master Services Agreement, SaaS Subscription Agreement, or similar agreement dated [__/__/____] (the "Master Agreement"), pursuant to which Provider delivers certain cloud-based software-as-a-service solutions and related services to Customer;
WHEREAS, in connection with the performance of the Master Agreement, Provider will Process, store, transmit, and/or have access to Customer Data, including Personal Information of New Mexico residents and other Confidential Information;
WHEREAS, Customer requires that Provider maintain a comprehensive Information Security Program that meets or exceeds industry standards and complies with all applicable federal and New Mexico state laws, including the New Mexico Data Breach Notification Act, N.M. Stat. Ann. §§ 57-12C-1 through 57-12C-12;
WHEREAS, New Mexico imposes a strict forty-five (45) calendar day deadline for breach notification, which is among the more prescriptive timelines in the nation, and requires detailed content in all breach notifications;
NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
ARTICLE 1 — DEFINITIONS
For purposes of this Security Addendum, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings ascribed to them in the Master Agreement.
1.1 "Authorized Users" means Customer's employees, contractors, agents, and other individuals who have been granted access to the Provider Systems by Customer in accordance with this Addendum and who have a legitimate business need for such access.
1.2 "Confidential Information" means all non-public information disclosed by either Party to the other Party, whether orally, in writing, or in electronic form, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information includes, without limitation, Customer Data, trade secrets as defined under the New Mexico Uniform Trade Secrets Act, business plans, technical specifications, source code, algorithms, and security configurations.
1.3 "Customer Data" means all data, records, files, content, and information of any type that Customer or its Authorized Users input, upload, transmit, or store within the Provider Systems, including Personal Information, High-Risk Data, and any data derived therefrom.
1.4 "Data Breach" means a security breach as defined under N.M. Stat. Ann. § 57-12C-2, specifically the unauthorized acquisition of unencrypted computerized data, or encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality, or integrity of personal identifying information maintained by a person. For purposes of this Addendum, Data Breach also includes any Security Incident that results in the unauthorized access, acquisition, use, disclosure, or destruction of Customer Data.
1.5 "Data Processing" means any operation or set of operations performed on Customer Data, whether by automated means or otherwise, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
1.6 "Data Protection Agreement" or "DPA" means any separate data processing agreement or data protection addendum entered into between the Parties that governs the processing of personal data subject to applicable data protection laws, including but not limited to the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1.7 "Encryption Standard" means: (a) for data in transit, Transport Layer Security (TLS) version 1.2 or higher using cipher suites with a minimum key length of 128 bits; and (b) for data at rest, Advanced Encryption Standard (AES) with a minimum key length of 256 bits (AES-256), or a cryptographic standard of equivalent or greater strength as recognized by the National Institute of Standards and Technology (NIST).
1.8 "High-Risk Data" means any subset of Customer Data that, if subject to unauthorized access, acquisition, or disclosure, would pose a significant risk of harm, including: (a) financial account numbers, credit card numbers, or debit card numbers in combination with any required security code, access code, or password; (b) Social Security numbers; (c) protected health information (PHI) as defined under HIPAA; (d) biometric data; (e) authentication credentials; and (f) any data classified as "Restricted" or "Highly Confidential" under Customer's data classification policy.
1.9 "Information Security Program" means Provider's comprehensive, written program of administrative, technical, and physical safeguards designed to protect the security, confidentiality, integrity, and availability of Customer Data, as more fully described in this Addendum.
1.10 "Malware" means any software or code designed to damage, disrupt, gain unauthorized access to, or perform unauthorized operations on a computer system, network, or data, including viruses, worms, Trojan horses, ransomware, spyware, adware, rootkits, keyloggers, and any other form of malicious code.
1.11 "Personal Information" means, consistent with N.M. Stat. Ann. § 57-12C-2, an individual's first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data element is not encrypted, redacted, or otherwise rendered unreadable or unusable: (a) Social Security number; (b) driver's license number; (c) government-issued identification number; (d) account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; and (e) biometric data. Personal Information also includes a user name, unique identifier, or email address in combination with a password, security question and answer, or other authentication factor that would permit access to an online account.
1.12 "Provider Systems" means all information technology infrastructure, systems, applications, networks, databases, servers (whether physical or virtual), cloud environments, and endpoints owned, operated, managed, or controlled by Provider that are used to Process, store, or transmit Customer Data.
1.13 "Security Incident" means any event that results in or may reasonably result in unauthorized access, acquisition, use, disclosure, modification, or destruction of Customer Data or any component of the Provider Systems, including but not limited to successful or attempted unauthorized access, Malware infections, denial-of-service attacks, loss or theft of equipment containing Customer Data, and any event that triggers notification obligations under applicable law.
1.14 "Subprocessor" means any third party engaged by Provider to Process Customer Data on Provider's behalf, including cloud infrastructure providers, managed service providers, data center operators, and any other entity that has access to or processes Customer Data in connection with the services provided under the Master Agreement.
1.15 "Vulnerability" means a weakness, flaw, or deficiency in a system, application, process, or control that could be exploited by a threat actor to gain unauthorized access to or otherwise compromise the security, confidentiality, integrity, or availability of Customer Data or the Provider Systems. Vulnerabilities are classified by severity using the Common Vulnerability Scoring System (CVSS) as follows: Critical (CVSS 9.0–10.0), High (CVSS 7.0–8.9), Medium (CVSS 4.0–6.9), and Low (CVSS 0.1–3.9).
ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE
2.1 Scope. This Security Addendum applies to all Customer Data that Provider Processes, stores, transmits, or otherwise accesses in connection with the Master Agreement. This Addendum establishes the minimum security requirements that Provider must implement and maintain throughout the term of the Master Agreement and for so long as Provider retains any Customer Data.
2.2 Order of Precedence. In the event of any conflict or inconsistency between the terms of this Security Addendum and the Master Agreement, the terms of this Security Addendum shall prevail with respect to matters relating to information security, data protection, breach notification, and the safeguarding of Customer Data. In the event of any conflict between this Security Addendum and any DPA, the more protective provision shall govern.
2.3 Minimum Standards. The security obligations set forth in this Addendum represent minimum requirements. Provider shall implement additional or enhanced security measures to the extent required by applicable law, industry standards, or the nature and sensitivity of the Customer Data being processed.
2.4 Regulatory Compliance. Provider shall comply with all applicable federal, state, and local laws, regulations, and rules relating to information security and data protection, including but not limited to the New Mexico Data Breach Notification Act (N.M. Stat. Ann. §§ 57-12C-1 through 57-12C-12) and the New Mexico Unfair Practices Act (N.M. Stat. Ann. § 56-8-4).
ARTICLE 3 — INFORMATION SECURITY PROGRAM
3.1 Program Requirements. Provider shall establish, implement, and maintain a comprehensive Information Security Program that is designed to:
(a) Protect the security, confidentiality, integrity, and availability of Customer Data;
(b) Protect against any anticipated threats or hazards to the security or integrity of Customer Data;
(c) Protect against unauthorized access to or use of Customer Data that could result in substantial harm or inconvenience to any individual;
(d) Comply with all applicable federal, state, and local laws, regulations, and rules, including the New Mexico Data Breach Notification Act; and
(e) Align with one or more of the following recognized security frameworks:
- ☐ ISO/IEC 27001:2022 (Information Security Management Systems)
- ☐ SOC 2 Type II (Trust Services Criteria)
- ☐ NIST Cybersecurity Framework (CSF) 2.0
- ☐ NIST Special Publication 800-53 Rev. 5
- ☐ CIS Controls v8
3.2 Risk Assessment. Provider shall conduct comprehensive risk assessments at least annually, and additionally whenever there is a material change in Provider's operations, technology, or threat landscape. Risk assessments shall:
(a) Identify reasonably foreseeable internal and external threats to the security, confidentiality, integrity, and availability of Customer Data;
(b) Assess the likelihood and potential impact of each identified threat;
(c) Evaluate the sufficiency of existing safeguards and controls;
(d) Document findings and remediation plans; and
(e) Be conducted by qualified information security professionals.
3.3 Security Officer. Provider shall designate a qualified individual as its Chief Information Security Officer (CISO) or equivalent security officer who shall be responsible for the development, implementation, maintenance, and enforcement of the Information Security Program. The designated security officer as of the Addendum Effective Date is:
Name: [________________________________]
Title: [________________________________]
Email: [________________________________]
Phone: [________________________________]
Provider shall notify Customer in writing within thirty (30) days of any change in the designated security officer.
3.4 Security Policies. Provider shall maintain comprehensive, written information security policies and procedures that address, at a minimum, the topics covered by this Addendum. Such policies shall be reviewed and updated at least annually and shall be made available to Customer upon request.
ARTICLE 4 — ACCESS CONTROLS
4.1 Role-Based Access Control (RBAC). Provider shall implement and enforce a role-based access control model that restricts access to Customer Data and Provider Systems to only those individuals who require such access to perform their assigned duties. Access rights shall be granted based on the principle of least privilege and the principle of need-to-know.
4.2 Multi-Factor Authentication (MFA). Provider shall require multi-factor authentication for:
(a) All remote access to Provider Systems that contain or process Customer Data;
(b) All access to administrative or privileged accounts;
(c) All access to cloud management consoles and infrastructure;
(d) All VPN connections to Provider's internal network; and
(e) All access to Customer Data from outside Provider's secured network.
4.3 Privileged Access Management. Provider shall implement enhanced controls for privileged accounts, including:
(a) Maintaining a current inventory of all privileged accounts;
(b) Using dedicated administrative accounts separate from standard user accounts;
(c) Implementing privileged access workstations for high-risk administrative tasks;
(d) Logging and monitoring all privileged account activity;
(e) Rotating privileged account credentials at least every ninety (90) days; and
(f) Implementing just-in-time or time-limited privileged access where technically feasible.
4.4 Access Reviews. Provider shall conduct formal access reviews at least quarterly to verify that:
(a) All user accounts remain active, valid, and necessary;
(b) Access rights are commensurate with current job responsibilities;
(c) Terminated or transferred personnel have had their access promptly revoked;
(d) Service accounts and system accounts are reviewed and validated; and
(e) Any identified access anomalies are investigated and remediated.
4.5 Password and Authentication Policies. Provider shall enforce the following minimum password requirements:
(a) Minimum password length of fourteen (14) characters;
(b) Complexity requirements including uppercase, lowercase, numeric, and special characters;
(c) Password history enforcement preventing reuse of the last twenty-four (24) passwords;
(d) Account lockout after no more than five (5) consecutive failed login attempts;
(e) Session timeout after no more than fifteen (15) minutes of inactivity for systems accessing Customer Data; and
(f) Prohibition of shared accounts and default credentials.
4.6 Access Termination. Provider shall revoke all access to Customer Data and Provider Systems within twenty-four (24) hours of an employee's or contractor's termination, and shall modify access rights within forty-eight (48) hours of any role change that no longer requires the current level of access.
ARTICLE 5 — ENCRYPTION STANDARDS
5.1 Encryption in Transit. All Customer Data transmitted over any network, including but not limited to the internet, wireless networks, and Provider's internal network, shall be encrypted using TLS version 1.2 or higher with cipher suites that provide forward secrecy. Provider shall disable all deprecated protocols, including SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1.
5.2 Encryption at Rest. All Customer Data stored on any medium, including databases, file systems, backups, archives, and removable media, shall be encrypted using AES-256 or a cryptographic standard of equivalent or greater strength.
5.3 Key Management. Provider shall implement a comprehensive key management program that includes:
(a) Generation of encryption keys using cryptographically secure random number generators;
(b) Secure storage of encryption keys separate from the data they protect;
(c) Access controls limiting key access to authorized personnel only;
(d) Key rotation at least annually and upon suspicion of compromise;
(e) Secure destruction of retired encryption keys using methods that prevent recovery; and
(f) Documented key management procedures aligned with NIST Special Publication 800-57.
5.4 Key Separation. Given that New Mexico law (N.M. Stat. Ann. § 57-12C-2) defines a security breach to include the acquisition of encrypted data together with the confidential process or key used to decrypt it, Provider shall maintain strict separation between encrypted Customer Data and the corresponding encryption keys, storing them on separate systems with independent access controls.
5.5 Certificate Management. Provider shall maintain a comprehensive certificate management program that includes tracking certificate expiration dates, timely renewal of certificates, and immediate revocation of compromised certificates.
ARTICLE 6 — NETWORK SECURITY
6.1 Network Segmentation. Provider shall implement network segmentation to isolate Customer Data environments from other networks, including:
(a) Logical separation of Customer Data processing environments from Provider's corporate network;
(b) Segmentation between different customers' environments in multi-tenant architectures;
(c) Isolation of development, staging, and production environments; and
(d) Dedicated management networks for administrative access.
6.2 Firewalls and Access Control Lists. Provider shall deploy and maintain enterprise-grade firewalls and access control lists at all network perimeters and between network segments. Firewall rules shall follow a default-deny policy, permitting only traffic that is explicitly authorized.
6.3 Intrusion Detection and Prevention Systems (IDS/IPS). Provider shall deploy and maintain network-based and host-based intrusion detection and prevention systems that:
(a) Monitor all network traffic to and from Customer Data environments;
(b) Use signature-based and behavior-based detection methods;
(c) Generate real-time alerts for detected threats;
(d) Are updated with current threat signatures at least daily; and
(e) Are monitored twenty-four (24) hours per day, seven (7) days per week, three hundred sixty-five (365) days per year.
6.4 DDoS Protection. Provider shall implement distributed denial-of-service (DDoS) mitigation capabilities, including traffic analysis, rate limiting, and automated mitigation for volumetric, protocol, and application-layer attacks.
6.5 Virtual Private Network (VPN). All remote administrative access to Provider Systems containing Customer Data shall be conducted through encrypted VPN connections using current, industry-accepted protocols with multi-factor authentication.
6.6 Wireless Security. Provider shall implement WPA3 or equivalent security for any wireless networks that have connectivity to systems containing Customer Data, and shall maintain a separate guest wireless network that is fully isolated from production environments.
ARTICLE 7 — APPLICATION SECURITY
7.1 Secure Software Development Lifecycle (SDLC). Provider shall implement and maintain a secure SDLC that incorporates security requirements, threat modeling, secure coding practices, security testing, and security review at each phase of development.
7.2 OWASP Top 10. Provider shall design, develop, and test all applications that process Customer Data to protect against the current OWASP Top 10 vulnerabilities and shall maintain documentation demonstrating compliance with OWASP security guidelines.
7.3 Static and Dynamic Application Security Testing. Provider shall perform:
(a) Static Application Security Testing (SAST) on all application source code prior to each release;
(b) Dynamic Application Security Testing (DAST) on all running applications at least quarterly; and
(c) Interactive Application Security Testing (IAST) during quality assurance testing as appropriate.
7.4 API Security. Provider shall secure all application programming interfaces (APIs) through:
(a) Authentication and authorization for all API calls;
(b) Input validation and output encoding;
(c) Rate limiting and throttling;
(d) API versioning and deprecation management;
(e) Comprehensive API logging and monitoring; and
(f) Regular security testing of all APIs.
7.5 Code Review. All code changes affecting systems that process Customer Data shall undergo peer review by at least one qualified developer other than the author prior to deployment to production environments.
7.6 Third-Party Components. Provider shall maintain an inventory of all third-party libraries, frameworks, and components used in applications that process Customer Data, and shall monitor such components for known vulnerabilities and apply patches or updates in accordance with the vulnerability management timelines specified in Article 8.
ARTICLE 8 — VULNERABILITY MANAGEMENT
8.1 Vulnerability Scanning. Provider shall conduct automated vulnerability scans of all Provider Systems at least monthly, and additionally after any significant change to the environment. Scans shall cover all network-accessible systems, applications, and databases that process or store Customer Data.
8.2 Remediation Timelines. Provider shall remediate identified vulnerabilities according to the following timelines, measured from the date of discovery or notification:
| Severity Level | CVSS Score | Remediation Timeline |
|---|---|---|
| Critical | 9.0–10.0 | Twenty-four (24) hours |
| High | 7.0–8.9 | Seven (7) calendar days |
| Medium | 4.0–6.9 | Thirty (30) calendar days |
| Low | 0.1–3.9 | Ninety (90) calendar days |
8.3 Patch Management. Provider shall implement a formal patch management program that includes:
(a) Monitoring vendor announcements and security advisories for applicable patches;
(b) Testing patches in a non-production environment prior to deployment;
(c) Deploying security patches within the remediation timelines specified in Section 8.2;
(d) Emergency patching procedures for actively exploited zero-day vulnerabilities; and
(e) Documentation and tracking of all patch activities.
8.4 Compensating Controls. Where immediate remediation of a vulnerability is not technically feasible, Provider shall implement compensating controls to mitigate the risk and shall document the compensating controls, the justification for the delayed remediation, and the planned remediation date. Provider shall notify Customer of any Critical or High vulnerability for which compensating controls are implemented in lieu of timely remediation.
8.5 Vulnerability Reporting. Provider shall provide Customer with quarterly vulnerability management reports that include the number of vulnerabilities identified by severity, remediation status, average time to remediate, and any exceptions or compensating controls in place.
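As an added illustration (not part of this Addendum or either Party's tooling), the following Python tracker applies the Section 1.15 severity bands and the Section 8.2 remediation clocks to a set of constructed findings, flags Section 8.4 exceptions that require notice to Customer, and produces the metrics a Section 8.5 quarterly report must contain. The Finding fields, identifiers, and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Severity bands from Section 1.15 and the remediation clocks from Section 8.2.
SEVERITY_BANDS = (
    ("Critical", 9.0, 10.0, timedelta(hours=24)),
    ("High", 7.0, 8.9, timedelta(days=7)),
    ("Medium", 4.0, 6.9, timedelta(days=30)),
    ("Low", 0.1, 3.9, timedelta(days=90)),
)


@dataclass
class Finding:
    """One scanner or pentest finding. Field names are assumptions for this example."""
    ident: str                      # hypothetical internal tracking id
    cvss: float                     # CVSS base score, one decimal place
    discovered: datetime            # discovery or notification date (Section 8.2 clock start)
    remediated: Optional[datetime] = None
    compensating_control: Optional[str] = None  # documented Section 8.4 control, if any


def classify(cvss: float) -> str:
    """Map a CVSS score to the Addendum's severity level (Section 1.15)."""
    score = round(cvss, 1)
    for name, low, high, _ in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"CVSS score {cvss} is outside the 0.1-10.0 range")


def deadline(finding: Finding) -> datetime:
    """Contractual remediation deadline per Section 8.2, measured from discovery."""
    severity = classify(finding.cvss)
    for name, _, _, window in SEVERITY_BANDS:
        if name == severity:
            return finding.discovered + window
    raise AssertionError("unreachable: classify() only returns known bands")


def status(finding: Finding, as_of: datetime) -> str:
    """Remediation status as of a given moment.

    'remediated' if closed on time, 'late' if closed after the deadline,
    'exception' if open past the deadline under a documented compensating control,
    'overdue' if open past the deadline with no documented control, else 'open'.
    """
    due = deadline(finding)
    if finding.remediated is not None:
        return "remediated" if finding.remediated <= due else "late"
    if as_of <= due:
        return "open"
    return "exception" if finding.compensating_control else "overdue"


def customer_notice_required(finding: Finding, as_of: datetime) -> bool:
    """Section 8.4: Customer must be notified of Critical or High findings that
    rely on compensating controls instead of timely remediation."""
    return (status(finding, as_of) == "exception"
            and classify(finding.cvss) in ("Critical", "High"))


def quarterly_report(findings: list[Finding], as_of: datetime) -> dict:
    """Metrics required by the Section 8.5 quarterly vulnerability report."""
    by_severity = {name: 0 for name, *_ in SEVERITY_BANDS}
    by_status: dict[str, int] = {}
    closed_hours = []
    exceptions = []
    for f in findings:
        by_severity[classify(f.cvss)] += 1
        s = status(f, as_of)
        by_status[s] = by_status.get(s, 0) + 1
        if f.remediated is not None:
            closed_hours.append((f.remediated - f.discovered).total_seconds() / 3600)
        if s in ("exception", "overdue"):
            exceptions.append((f.ident, s, f.compensating_control))
    return {
        "by_severity": by_severity,
        "by_status": by_status,
        "mean_hours_to_remediate": round(mean(closed_hours), 1) if closed_hours else None,
        "exceptions": exceptions,
        "customer_notices": [f.ident for f in findings if customer_notice_required(f, as_of)],
    }


# Constructed sample findings for a report dated 2024-04-01 (not real data).
AS_OF = datetime(2024, 4, 1)
SAMPLE_FINDINGS = [
    Finding("VULN-001", 9.8, datetime(2024, 3, 10, 9, 0), remediated=datetime(2024, 3, 10, 20, 0)),
    Finding("VULN-002", 7.5, datetime(2024, 3, 20), compensating_control="WAF rule blocks the affected endpoint"),
    Finding("VULN-003", 5.3, datetime(2024, 3, 25)),
    Finding("VULN-004", 2.0, datetime(2024, 1, 1), remediated=datetime(2024, 1, 20)),
    Finding("VULN-005", 8.1, datetime(2024, 3, 1), remediated=datetime(2024, 3, 15)),
]

if __name__ == "__main__":
    import json
    print(json.dumps(quarterly_report(SAMPLE_FINDINGS, AS_OF), indent=2, default=str))
```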
ARTICLE 9 — LOGGING, MONITORING, AND AUDIT
9.1 Security Information and Event Management (SIEM). Provider shall deploy and maintain an enterprise SIEM system that aggregates, correlates, and analyzes security logs from all Provider Systems that process, store, or transmit Customer Data.
9.2 Logging Requirements. Provider shall maintain comprehensive audit logs that capture, at a minimum:
(a) All user authentication events (successful and failed);
(b) All access to Customer Data, including read, write, modify, and delete operations;
(c) All administrative and privileged account activities;
(d) All changes to system configurations, security policies, and access controls;
(e) All network security events, including firewall, IDS/IPS, and VPN activity;
(f) All data export, download, and transfer events; and
(g) All system and application errors related to security functions.
9.3 Log Retention. Provider shall retain all security-relevant logs for a minimum of twelve (12) months in an immediately accessible format and for an additional twelve (12) months in archive storage. Logs shall be protected against unauthorized access, modification, and deletion through write-once storage or equivalent controls.
9.4 Real-Time Alerting. Provider shall implement real-time alerting for security events that indicate potential threats to Customer Data, including but not limited to:
(a) Multiple failed authentication attempts;
(b) Unauthorized access attempts or privilege escalation;
(c) Anomalous data access patterns or bulk data extraction;
(d) Malware detection;
(e) Changes to critical system configurations; and
(f) Communication with known malicious IP addresses or domains.
9.5 Monitoring. Provider shall monitor all Provider Systems containing Customer Data on a twenty-four (24) hours per day, seven (7) days per week, three hundred sixty-five (365) days per year basis through a combination of automated tools and qualified security personnel.
ARTICLE 10 — DATA SEGREGATION AND RESIDENCY
10.1 Tenant Isolation. In multi-tenant environments, Provider shall implement logical and, where appropriate, physical controls to ensure that Customer Data is segregated from the data of other customers. Such controls shall prevent any unauthorized access to or commingling of Customer Data.
10.2 Data Residency. Unless otherwise agreed in writing, Provider shall store and process all Customer Data within the continental United States. Provider shall not transfer Customer Data outside the United States without Customer's prior written consent. Current data storage locations are:
Primary Data Center: [________________________________]
Secondary/DR Data Center: [________________________________]
10.3 Data Classification. Provider shall support Customer's data classification requirements and shall implement appropriate technical and organizational controls for each classification level. At a minimum, Provider shall recognize the following data classification categories:
(a) Public — Information intended for public disclosure;
(b) Internal — Information for internal use that is not intended for public disclosure;
(c) Confidential — Sensitive business information requiring enhanced protection; and
(d) Restricted — Highly sensitive information, including High-Risk Data, requiring the highest level of protection.
10.4 Environment Separation. Provider shall maintain separate environments for development, testing, staging, and production. Customer Data shall not be used in development or testing environments unless it has been de-identified or anonymized in a manner that prevents re-identification.
ARTICLE 11 — PENETRATION TESTING
11.1 Annual Penetration Testing. Provider shall engage a qualified, independent third-party security firm to conduct comprehensive penetration testing of all Provider Systems that process or store Customer Data at least annually. Penetration testing shall include:
(a) External network penetration testing;
(b) Internal network penetration testing;
(c) Web application penetration testing;
(d) API penetration testing;
(e) Social engineering testing; and
(f) Wireless network penetration testing (where applicable).
11.2 Testing Standards. Penetration tests shall be conducted in accordance with recognized methodologies, including the Penetration Testing Execution Standard (PTES), OWASP Testing Guide, or NIST SP 800-115.
11.3 Reporting. Provider shall provide Customer with an executive summary of penetration test results within thirty (30) days of test completion. Full penetration test reports shall be made available to Customer under an appropriate nondisclosure agreement. Reports shall include identified vulnerabilities, risk ratings, evidence of exploitation, and remediation recommendations.
11.4 Remediation. Provider shall remediate all findings from penetration tests in accordance with the vulnerability management timelines set forth in Article 8. Provider shall conduct re-testing to confirm successful remediation of all Critical and High findings.
11.5 Customer Testing. Customer may, upon thirty (30) days' prior written notice and subject to mutually agreed scope and rules of engagement, conduct its own penetration testing or engage a third party to do so. Such testing shall be conducted during mutually agreed timeframes and shall not unreasonably interfere with Provider's operations.
ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY
12.1 Business Continuity Plan (BCP). Provider shall develop, implement, and maintain a comprehensive business continuity plan that ensures the continued availability of the services and the protection of Customer Data in the event of a disaster, disruption, or other emergency.
12.2 Disaster Recovery Plan (DRP). Provider shall maintain a disaster recovery plan that includes, at a minimum:
(a) Recovery Point Objective (RPO): Maximum tolerable data loss shall not exceed [____] hours;
(b) Recovery Time Objective (RTO): Maximum tolerable downtime shall not exceed [____] hours;
(c) Documented recovery procedures for all critical systems;
(d) Identified recovery team roles and responsibilities;
(e) Communication procedures for notifying Customer of disaster events; and
(f) Procedures for failover to geographically redundant facilities.
12.3 Geographic Redundancy. Provider shall maintain geographically redundant data processing and storage capabilities at facilities separated by a minimum of [____] miles to protect against regional disasters.
12.4 Annual Testing. Provider shall test its BCP and DRP at least annually through tabletop exercises, functional exercises, or full-scale tests. Provider shall provide Customer with a summary of test results and any identified improvements within thirty (30) days of each test.
12.5 Backup Requirements. Provider shall maintain regular, encrypted backups of all Customer Data in accordance with the following schedule:
(a) Full backups at least weekly;
(b) Incremental or differential backups at least daily;
(c) Transaction log backups at least every four (4) hours for database systems; and
(d) Backup integrity verification through regular restoration testing at least quarterly.
ARTICLE 13 — INCIDENT RESPONSE AND BREACH NOTIFICATION
New Mexico-Specific Breach Notification Requirements (N.M. Stat. Ann. §§ 57-12C-1 through 57-12C-12)
13.1 Incident Response Plan. Provider shall develop, implement, and maintain a comprehensive incident response plan that addresses the identification, containment, eradication, recovery, and post-incident review of Security Incidents. The plan shall be tested at least annually through tabletop exercises or simulations.
13.2 Initial Notification to Customer. Provider shall notify Customer of any confirmed or suspected Security Incident or Data Breach affecting Customer Data as follows:
(a) Initial notification: Within twenty-four (24) hours of discovery or becoming aware of the Security Incident;
(b) Method: Via telephone to Customer's designated security contact, followed by written notification via email; and
(c) Content of initial notification: A description of the incident, the date and time of discovery, the categories of data affected, the estimated number of records affected, and the immediate steps taken to contain the incident.
13.3 New Mexico Statutory Breach Notification. In the event of a Data Breach involving Personal Information of New Mexico residents as defined under N.M. Stat. Ann. § 57-12C-2:
(a) Notification Timeline — 45 Calendar Days. Provider shall, at its own cost and in coordination with Customer, provide notice to affected New Mexico residents in the most expedient time possible, but not later than forty-five (45) calendar days following discovery of the security breach. This is a firm statutory deadline, and Provider shall structure its incident response procedures to ensure compliance.
(b) Required Notification Content. Pursuant to N.M. Stat. Ann. § 57-12C-7, the notification to affected individuals shall include:
- (i) The name and contact information of the person providing the notification;
- (ii) A list of the types of personal identifying information that were the subject of the security breach;
- (iii) The date, estimated date, or estimated date range of the security breach;
- (iv) A general description of the security breach incident;
- (v) The toll-free numbers and addresses of the major consumer reporting agencies;
- (vi) Advice directing the individual to review account statements and monitor credit reports to detect errors resulting from the security breach; and
- (vii) Advice informing the individual of the rights available under the federal Fair Credit Reporting Act.
(c) Methods of Notification. Notice may be provided by:
- (i) Written notice sent to the individual's most recent mailing address;
- (ii) Electronic notice, if the individual has consented to receiving electronic notice and the notice is consistent with the provisions regarding electronic records and signatures under 15 U.S.C. § 7001; or
- (iii) Substitute notice, if the cost of providing notice exceeds Fifty Thousand Dollars ($50,000.00), the affected class of persons exceeds one hundred thousand (100,000), or the person does not have sufficient contact information to provide notice. Substitute notice consists of: email notice; conspicuous posting on the person's website; and notification to major statewide media.
(d) Notification to New Mexico Attorney General. Pursuant to N.M. Stat. Ann. § 57-12C-6, if more than one thousand (1,000) New Mexico residents are to be notified, Provider shall also notify the New Mexico Attorney General and the major consumer reporting agencies no later than forty-five (45) calendar days following discovery of the breach. The notification to the Attorney General shall include:
- (i) The number of New Mexico residents affected;
- (ii) A copy of the notification sent to affected individuals;
- (iii) The types of personal identifying information compromised; and
- (iv) Any steps taken to prevent future breaches.
(e) Notification to Consumer Reporting Agencies. If more than one thousand (1,000) New Mexico residents are to be notified, Provider shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined under 15 U.S.C. § 1681a(p), within the forty-five (45) calendar day deadline.
(f) Encryption Safe Harbor. Notification under the New Mexico Data Breach Notification Act is not required if the personal identifying information was encrypted and the confidential process or key used to decrypt the information was not also acquired.
(g) Law Enforcement Delay. The notification required by this Section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. Provider shall make notification after the law enforcement agency determines it will no longer impede the investigation, but in no event later than forty-five (45) calendar days after the law enforcement agency makes such determination.
13.4 Penalties for Non-Compliance. Under N.M. Stat. Ann. § 57-12C-10, the New Mexico Attorney General may enforce the Data Breach Notification Act and seek:
(a) Injunctive relief to ensure compliance with the Act;
(b) Civil penalties of up to Twenty-Five Thousand Dollars ($25,000.00) per violation; and
(c) Enforcement actions under the Unfair Practices Act (N.M. Stat. Ann. § 56-8-4).
(d) Provider acknowledges the foregoing penalty provisions and agrees to cooperate fully with Customer in any regulatory investigation or enforcement action.
13.5 Ongoing Updates. Following the initial notification, Provider shall provide Customer with regular updates, no less frequently than every twenty-four (24) hours during active incident response and every seventy-two (72) hours thereafter, until the incident is fully resolved. Updates shall include:
(a) Status of containment and eradication efforts;
(b) Root cause analysis progress;
(c) Updated scope and impact assessment;
(d) Remediation steps taken and planned; and
(e) Evidence preservation status.
13.6 Post-Incident Report. Provider shall deliver a comprehensive written post-incident report to Customer within thirty (30) days of the resolution of any Security Incident. The report shall include a detailed timeline, root cause analysis, scope and impact assessment, remediation actions taken, and recommendations to prevent recurrence.
ARTICLE 14 — SUBPROCESSOR MANAGEMENT
14.1 Subprocessor Approval. Provider shall not engage any Subprocessor to Process Customer Data without Customer's prior written consent. Provider shall maintain a current list of all approved Subprocessors, which shall be made available to Customer upon request.
14.2 Current Subprocessors. Provider's current Subprocessors as of the Addendum Effective Date are listed in Exhibit A attached hereto. Customer's execution of this Addendum constitutes approval of the Subprocessors listed in Exhibit A.
14.3 New Subprocessor Notification. Provider shall provide Customer with at least thirty (30) days' prior written notice before engaging any new Subprocessor. The notice shall include the Subprocessor's name, location, and a description of the services to be provided. Customer may object to a proposed Subprocessor within fifteen (15) days of receiving notice. If Customer objects, the Parties shall work in good faith to resolve the objection. If no resolution is reached, Customer may terminate the affected services without penalty.
14.4 Flow-Down Requirements. Provider shall ensure that all Subprocessors are bound by written agreements that impose data protection and security obligations no less protective than those set forth in this Addendum, including compliance with the forty-five (45) calendar day notification deadline under New Mexico law. Provider shall be fully responsible and liable for the acts and omissions of its Subprocessors.
14.5 Subprocessor Audit. Provider shall conduct an initial security assessment of each Subprocessor prior to engagement and shall conduct ongoing assessments at least annually thereafter. Provider shall make the results of such assessments available to Customer upon request.
ARTICLE 15 — PERSONNEL SECURITY
15.1 Background Checks. Provider shall conduct pre-employment background checks on all personnel who will have access to Customer Data, to the extent permitted by applicable law. Background checks shall include, at a minimum:
(a) Criminal history check;
(b) Employment verification for the prior seven (7) years;
(c) Education verification; and
(d) Reference checks.
15.2 Confidentiality Agreements. All Provider personnel who have access to Customer Data shall execute written confidentiality and non-disclosure agreements prior to being granted access. Such agreements shall survive the termination of the individual's employment or engagement with Provider.
15.3 Security Awareness Training. Provider shall require all personnel with access to Customer Data to complete security awareness training:
(a) Upon hire or initial assignment;
(b) At least annually thereafter; and
(c) Upon the occurrence of material changes to security policies or procedures, or following a Security Incident.
Training shall cover, at a minimum, data handling procedures, phishing awareness, social engineering, password security, incident reporting, and applicable regulatory requirements including the New Mexico Data Breach Notification Act and its forty-five (45) calendar day notification deadline.
15.4 Specialized Training. Personnel with specific security responsibilities shall receive specialized training appropriate to their roles, including secure coding practices for developers, incident response training for security team members, and compliance training for personnel handling regulated data.
ARTICLE 16 — PHYSICAL SECURITY
16.1 Data Center Standards. All data centers used to store or process Customer Data shall maintain, at a minimum, SOC 2 Type II certification or equivalent third-party security certification. Data center physical security controls shall include:
(a) Twenty-four (24) hour, seven (7) day per week physical security personnel;
(b) Multi-factor physical access controls (badge, biometric, PIN);
(c) Closed-circuit television (CCTV) surveillance with a minimum retention of ninety (90) days;
(d) Visitor escort requirements and visitor logs;
(e) Mantrap or airlock entry systems for sensitive areas; and
(f) Perimeter security including fencing, barriers, and lighting.
16.2 Environmental Controls. Provider shall maintain environmental controls at all facilities housing Customer Data, including:
(a) Redundant heating, ventilation, and air conditioning (HVAC) systems;
(b) Fire detection and suppression systems;
(c) Water leak detection systems;
(d) Uninterruptible power supply (UPS) systems;
(e) Backup power generators with a minimum of seventy-two (72) hours of fuel capacity; and
(f) Environmental monitoring and alerting.
16.3 Media Handling and Destruction. Provider shall implement secure media handling procedures that include:
(a) Encryption of all portable media containing Customer Data;
(b) Tracking and inventory of all media containing Customer Data;
(c) Secure destruction of media in accordance with NIST Special Publication 800-88 Rev. 1, "Guidelines for Media Sanitization"; and
(d) Certificates of destruction for all media containing Customer Data, provided to Customer upon request.
ARTICLE 17 — INSURANCE REQUIREMENTS
17.1 Cyber Liability Insurance. Provider shall obtain and maintain throughout the term of this Addendum cyber liability / technology errors and omissions insurance with a minimum limit of Five Million Dollars ($5,000,000.00) per occurrence and in the aggregate, covering:
(a) Data breach notification and response costs;
(b) Regulatory defense and penalty coverage;
(c) Business interruption and service restoration;
(d) Cyber extortion and ransomware;
(e) Media liability; and
(f) Network security liability.
17.2 Professional Liability / Errors and Omissions Insurance. Provider shall maintain professional liability / errors and omissions insurance with a minimum limit of Two Million Dollars ($2,000,000.00) per occurrence and in the aggregate.
17.3 General Requirements. All insurance policies required under this Article shall:
(a) Be maintained with insurers rated A- VII or better by A.M. Best;
(b) Name Customer as an additional insured where applicable;
(c) Require at least thirty (30) days' prior written notice to Customer of any cancellation or material modification;
(d) Include a waiver of subrogation in favor of Customer; and
(e) Be primary and non-contributory to any insurance maintained by Customer.
17.4 Certificates of Insurance. Provider shall furnish certificates of insurance to Customer upon request and at each policy renewal.
ARTICLE 18 — AUDIT RIGHTS
18.1 Customer Audit Rights. Customer, or its designated third-party auditor, shall have the right to conduct security audits of Provider's Information Security Program, systems, facilities, and practices at least once annually, and additionally following any Security Incident or Data Breach.
18.2 Audit Procedures. Customer shall provide Provider with at least thirty (30) days' prior written notice of any planned audit (except in the case of a Security Incident, in which case reasonable notice under the circumstances shall suffice). Audits shall be conducted during normal business hours and shall not unreasonably interfere with Provider's operations. Provider shall provide reasonable cooperation, access, and assistance in connection with such audits.
18.3 SOC 2 / ISO Acceptance. In lieu of a direct on-site audit, Customer may, at its sole discretion, accept Provider's current SOC 2 Type II report, ISO/IEC 27001 certification, or equivalent third-party security assessment. Acceptance of such reports does not waive Customer's audit rights under this Section.
18.4 Regulatory Cooperation. Provider shall cooperate fully with any audit, examination, or investigation conducted by a federal or state regulatory authority having jurisdiction over Customer, including the New Mexico Attorney General, to the extent such audit, examination, or investigation relates to Provider's processing of Customer Data.
18.5 Remediation. Provider shall develop and implement a corrective action plan to address any deficiencies identified during an audit within thirty (30) days of receipt of the audit findings. Provider shall report on the status of remediation to Customer on a monthly basis until all deficiencies are resolved.
ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING
19.1 Quarterly Security Reviews. The Parties shall conduct quarterly security governance meetings to review:
(a) Security incident trends and metrics;
(b) Vulnerability management status and trends;
(c) Changes to the threat landscape;
(d) Upcoming changes to Provider's security posture or infrastructure;
(e) Regulatory developments, including any changes to New Mexico law affecting data protection;
(f) Status of corrective action plans; and
(g) Key performance indicators as described in Section 19.3.
19.2 Annual Security Assessment. Provider shall conduct and deliver to Customer an annual comprehensive security assessment report that includes:
(a) Summary of the Information Security Program's effectiveness;
(b) Risk assessment results and changes since the prior assessment;
(c) Penetration test results (executive summary);
(d) Audit findings and remediation status;
(e) Security awareness training completion rates;
(f) Business continuity and disaster recovery test results; and
(g) Planned security improvements for the upcoming year.
19.3 Key Performance Indicators (KPIs). Provider shall track and report on the following security KPIs:
(a) Mean time to detect security incidents;
(b) Mean time to respond to and contain security incidents;
(c) Percentage of vulnerabilities remediated within target timelines;
(d) Percentage of personnel completing security awareness training;
(e) System availability and uptime percentage;
(f) Number and severity of security incidents; and
(g) Results of phishing simulation exercises.
ARTICLE 20 — DATA RETURN AND DESTRUCTION
20.1 Data Return. Upon expiration or termination of the Master Agreement, or upon Customer's written request at any time, Provider shall return all Customer Data to Customer in a mutually agreed, commercially standard format within thirty (30) days. Provider shall cooperate with Customer to ensure a complete and orderly transfer of all Customer Data.
20.2 Data Destruction. Following the successful return of Customer Data and written confirmation from Customer, or upon Customer's written instruction, Provider shall securely destroy all copies of Customer Data in its possession or control, including all backups, archives, and copies held by Subprocessors, within sixty (60) days. Destruction shall be performed in accordance with NIST Special Publication 800-88 Rev. 1.
20.3 Certification of Destruction. Provider shall provide Customer with a written certification of destruction signed by an authorized officer of Provider within ten (10) days of completion of the destruction process. The certification shall identify the data destroyed, the method of destruction, and the date of destruction.
20.4 Retention Exceptions. Provider may retain Customer Data to the extent required by applicable law or regulation, provided that Provider shall: (a) limit retention to the minimum amount of data required; (b) continue to protect retained data in accordance with this Addendum; (c) promptly destroy retained data when the legal retention requirement expires; and (d) notify Customer of any such retention requirements.
ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES
21.1 Provider Indemnification. Provider shall indemnify, defend, and hold harmless Customer, its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and court costs) arising out of or relating to:
(a) A Data Breach or Security Incident caused by Provider's breach of its obligations under this Addendum;
(b) Provider's failure to comply with the breach notification requirements of N.M. Stat. Ann. §§ 57-12C-1 through 57-12C-12 or any other applicable breach notification law;
(c) Any regulatory investigation, enforcement action, or penalty arising from Provider's acts or omissions with respect to the security or privacy of Customer Data; and
(d) Any third-party claim arising from the unauthorized access, acquisition, use, or disclosure of Customer Data while in Provider's possession or control.
21.2 Covered Costs. Without limiting the generality of Section 21.1, Provider's indemnification obligations shall include:
(a) Costs of notifying affected individuals as required by N.M. Stat. Ann. § 57-12C-6;
(b) Costs of providing credit monitoring services to affected individuals for a minimum of twenty-four (24) months;
(c) Costs of establishing and operating a call center to respond to inquiries from affected individuals;
(d) Costs of forensic investigation to determine the cause and scope of the Data Breach;
(e) Costs of regulatory filings and compliance with regulatory inquiries;
(f) Civil penalties assessed under N.M. Stat. Ann. § 57-12C-10, up to Twenty-Five Thousand Dollars ($25,000.00) per violation;
(g) Public relations and crisis communication costs; and
(h) Any identity theft or fraud-related losses incurred by affected individuals that are attributable to the Data Breach.
21.3 Limitation. The indemnification obligations under this Article shall not be subject to any limitation of liability that may be set forth in the Master Agreement. This carve-out from the limitation of liability reflects the Parties' agreement that security breaches caused by Provider's negligence or breach of this Addendum warrant full indemnification.
ARTICLE 22 — NEW MEXICO-SPECIFIC LEGAL PROVISIONS
22.1 Governing Law. This Security Addendum shall be governed by and construed in accordance with the laws of the State of New Mexico, without regard to its conflict of law principles.
22.2 Forum and Jurisdiction. Any dispute arising out of or relating to this Addendum shall be brought exclusively in the First Judicial District Court, Santa Fe County, New Mexico, or the United States District Court for the District of New Mexico. Each Party irrevocably consents to the personal jurisdiction and venue of such courts and waives any objection based on inconvenient forum.
22.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY HEREBY IRREVOCABLY AND UNCONDITIONALLY WAIVES ALL RIGHT TO TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS SECURITY ADDENDUM OR THE TRANSACTIONS CONTEMPLATED HEREBY. EACH PARTY CERTIFIES AND ACKNOWLEDGES THAT: (A) NO REPRESENTATIVE OF THE OTHER PARTY HAS REPRESENTED THAT SUCH OTHER PARTY WOULD NOT SEEK TO ENFORCE THIS WAIVER IN THE EVENT OF LITIGATION; (B) SUCH PARTY HAS CONSIDERED THE IMPLICATIONS OF THIS WAIVER; (C) SUCH PARTY MAKES THIS WAIVER KNOWINGLY AND VOLUNTARILY; AND (D) SUCH PARTY HAS BEEN INDUCED TO ENTER INTO THIS ADDENDUM BY, AMONG OTHER THINGS, THE MUTUAL WAIVERS AND CERTIFICATIONS IN THIS SECTION.
22.4 Injunctive Relief. The Parties acknowledge that a breach of the security obligations under this Addendum may cause irreparable harm for which monetary damages would be an inadequate remedy. Accordingly, either Party shall be entitled to seek injunctive relief, specific performance, or other equitable remedies in addition to all other remedies available at law or in equity, without the necessity of proving actual damages or posting a bond or other security.
22.5 Trade Secrets Protection. The Parties agree that Confidential Information constituting trade secrets shall be protected in accordance with the New Mexico Uniform Trade Secrets Act, N.M. Stat. Ann. §§ 57-3A-1 through 57-3A-7 (the "NMUTSA"). Any misappropriation of trade secrets under this Addendum shall be subject to the remedies available under the NMUTSA, including injunctive relief, damages for actual loss caused by the misappropriation and for unjust enrichment, and exemplary damages in cases of willful and malicious misappropriation not to exceed twice the amount of damages awarded. A prevailing party may recover reasonable attorneys' fees.
22.6 Interest on Late Payments. Any amounts owed under this Addendum that are not paid when due shall bear interest at the rate of fifteen percent (15%) per annum, as permitted under New Mexico law, or the maximum rate permitted by applicable law, whichever is less.
22.7 Attorneys' Fees. In any action to enforce the terms of this Addendum, the prevailing Party shall be entitled to recover its reasonable attorneys' fees, court costs, and expenses from the non-prevailing Party.
ARTICLE 23 — ELECTRONIC SIGNATURES
23.1 Electronic Signature Validity. This Security Addendum may be executed by electronic signature in accordance with the New Mexico Uniform Electronic Transactions Act, N.M. Stat. Ann. §§ 14-16-1 through 14-16-19. Electronic signatures shall have the same legal effect, validity, and enforceability as original ink signatures.
23.2 Consent to Electronic Transactions. By executing this Addendum electronically, each Party consents to conduct the transactions contemplated herein by electronic means and agrees that electronic records and electronic signatures satisfy any legal requirement that such records or signatures be in writing.
23.3 Counterparts. This Addendum may be executed in one or more counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Delivery of an executed counterpart by electronic transmission (including PDF, DocuSign, or similar platform) shall be effective as delivery of an original executed counterpart.
ARTICLE 24 — GENERAL PROVISIONS
24.1 Entire Agreement. This Security Addendum, together with the Master Agreement and any exhibits or schedules hereto, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, representations, and understandings relating to information security and data protection.
24.2 Amendment. This Addendum may not be amended or modified except by a written instrument signed by authorized representatives of both Parties.
24.3 Severability. If any provision of this Addendum is found to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid while preserving the Parties' original intent.
24.4 Waiver. No waiver of any provision of this Addendum shall be effective unless in writing and signed by the waiving Party. A waiver of any provision on one occasion shall not be deemed a waiver of such provision on any subsequent occasion.
24.5 Notices. All notices under this Addendum shall be in writing and shall be deemed given when delivered personally, sent by certified mail (return receipt requested), or sent by nationally recognized overnight courier to the addresses set forth above, or to such other address as either Party may designate in writing.
24.6 Assignment. Provider shall not assign or transfer this Addendum or any rights or obligations hereunder without Customer's prior written consent. Any purported assignment in violation of this Section shall be null and void.
24.7 Survival. The following Articles and Sections shall survive the expiration or termination of this Addendum: Article 1 (Definitions), Article 13 (Incident Response and Breach Notification), Article 14 (Subprocessor Management, to the extent Subprocessors retain Customer Data), Article 20 (Data Return and Destruction), Article 21 (Indemnification), Article 22 (New Mexico-Specific Legal Provisions), and this Section 24.7.
24.8 Force Majeure. Neither Party shall be liable for any failure or delay in performance due to circumstances beyond its reasonable control, including natural disasters, acts of war or terrorism, pandemics, government actions, or failures of third-party telecommunications or power supply; provided, however, that this Section shall not excuse Provider from its obligations with respect to data security, data backup, disaster recovery, and breach notification.
SIGNATURE BLOCKS
IN WITNESS WHEREOF, the Parties have caused this Security Addendum to be executed by their duly authorized representatives as of the Addendum Effective Date.
CUSTOMER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
PROVIDER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
EXHIBIT A — APPROVED SUBPROCESSORS
| Subprocessor Name | Services Provided | Data Processed | Location |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
EXHIBIT B — SECURITY REQUIREMENTS CHECKLIST
Pre-Execution Verification
☐ Master Agreement fully executed and in effect
☐ Provider's Information Security Program documentation reviewed
☐ Provider's most recent SOC 2 Type II report or ISO 27001 certification reviewed
☐ Provider's most recent penetration test executive summary reviewed
☐ Subprocessor list reviewed and approved
☐ Insurance certificates reviewed and verified
☐ Data processing locations confirmed within the United States
☐ Provider's designated security officer contact information confirmed
☐ Business continuity and disaster recovery plan reviewed
☐ Incident response plan reviewed
☐ 45-day notification timeline procedures confirmed and documented
Ongoing Compliance
☐ Quarterly security governance meetings scheduled
☐ Annual security assessment scheduled
☐ Annual penetration test scheduled
☐ Annual audit or SOC 2/ISO 27001 review scheduled
☐ Security awareness training records reviewed annually
☐ Subprocessor list reviewed at least annually
☐ Insurance certificates reviewed at each renewal
☐ Data breach notification procedures tested (including 45-day timeline compliance)
☐ Encryption key separation controls verified
SOURCES AND REFERENCES
- N.M. Stat. Ann. §§ 57-12C-1 through 57-12C-12 — New Mexico Data Breach Notification Act: https://law.justia.com/codes/new-mexico/chapter-57/article-12c/
- N.M. Stat. Ann. § 57-12C-6 — Notification of Security Breach: https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-6/
- N.M. Stat. Ann. § 57-12C-7 — Notification Required Content: https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-7/
- N.M. Stat. Ann. §§ 57-3A-1 through 57-3A-7 — Uniform Trade Secrets Act: https://law.justia.com/codes/new-mexico/chapter-57/article-3a/
- N.M. Stat. Ann. §§ 14-16-1 through 14-16-19 — Uniform Electronic Transactions Act: https://law.justia.com/codes/new-mexico/chapter-14/article-16/
- N.M. Stat. Ann. § 56-8-4 — Unfair Practices Act: https://law.justia.com/codes/new-mexico/chapter-56/article-8/
- NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
- NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization: https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
- ISO/IEC 27001:2022 — Information Security Management Systems: https://www.iso.org/standard/27001
- OWASP Top 10: https://owasp.org/www-project-top-ten/