
ENTERPRISE SECURITY ADDENDUM

Nevada Jurisdictional Version

Addendum Effective Date: [__/__/____]

Master Agreement Reference: [________________________________]

Master Agreement Date: [__/__/____]


RECITALS

WHEREAS, the entity identified as "Customer" ("[________________________________]," a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________]) and the entity identified as "Provider" ("[________________________________]," a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________]) have entered into the Master Agreement referenced above (the "Master Agreement");

WHEREAS, Provider will Process, store, transmit, or otherwise have access to Customer Data, including Personal Information as defined under Nevada law, in connection with the services described in the Master Agreement;

WHEREAS, Nevada's data breach notification statute (Nev. Rev. Stat. § 603A.220) imposes obligations regarding notification to affected individuals following a breach of the security of system data;

WHEREAS, Nevada SB 220 (Nev. Rev. Stat. §§ 603A.300 through 603A.360) grants consumers the right to opt out of the sale of their personal information and imposes obligations on operators of internet websites and online services;

WHEREAS, Nevada requires data collectors to implement and maintain reasonable security measures under Nev. Rev. Stat. § 603A.210 and mandates PCI DSS compliance for payment card data under Nev. Rev. Stat. § 603A.215;

WHEREAS, the Parties desire to establish the security standards, controls, and obligations that Provider shall maintain in connection with the Processing of Customer Data;

NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein and in the Master Agreement, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:


ARTICLE 1 — DEFINITIONS

1.1 "Authorized User" means any individual who has been granted access to Customer Data by Customer or through Customer's authorization, including employees, contractors, and agents operating under appropriate access controls.

1.2 "Business Day" means any day other than a Saturday, Sunday, or day on which banks in the State of Nevada are authorized or required to be closed.

1.3 "Confidential Information" means all non-public information disclosed by either Party to the other, including but not limited to Trade Secrets as defined under Nev. Rev. Stat. § 600A.030, Customer Data, business plans, technical specifications, and security configurations.

1.4 "Covered Information" means any information described in Nev. Rev. Stat. § 603A.320 that is collected through an internet website or online service operated by Provider, including first and last name, physical address, email address, telephone number, Social Security number, and any identifier that permits the physical or online contacting of a consumer.

1.5 "Customer Data" means all data, records, files, information, and materials provided by or on behalf of Customer or collected or generated by Provider on behalf of Customer in the course of performing services under the Master Agreement.

1.6 "Data Collector" means any person who, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic Personal Information, as defined under Nev. Rev. Stat. § 603A.030.

1.7 "Encryption" means the transformation of data into a form in which meaning cannot be assigned without the use of a decryption key, using methods consistent with current industry standards including AES-256 for data at rest and TLS 1.2 or higher for data in transit.

1.8 "Incident" means any event that results in, or has the reasonable potential to result in, unauthorized access to, disclosure of, or loss of Customer Data, including Security Breaches.

1.9 "Multi-Factor Authentication" or "MFA" means an authentication mechanism requiring at least two distinct factors from: (a) something the user knows; (b) something the user possesses; and (c) something the user is.

1.10 "Operator" means a person who owns or operates an internet website or online service for commercial purposes, or collects and maintains Covered Information from consumers who reside in Nevada and use or visit the internet website or online service, as defined under Nev. Rev. Stat. § 603A.330.

1.11 "Personal Information" means, as defined under Nev. Rev. Stat. § 603A.040, a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: (a) Social Security number; (b) driver's license number, driver authorization card number, or identification card number; (c) account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the person's financial account; (d) a medical identification number or a health insurance identification number; (e) a user name, unique identifier, or email address in combination with a password, access code, or security question and answer that would permit access to an online account.

1.12 "Process" or "Processing" means any operation or set of operations performed on Customer Data, whether or not by automated means, including collection, use, storage, disclosure, analysis, deletion, or modification.

1.13 "Sale" means the exchange of Covered Information for monetary consideration by an Operator to a person for the person to license or sell the Covered Information to additional persons, as described under Nev. Rev. Stat. § 603A.340.

1.14 "Security Breach" means unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of Personal Information maintained by a Data Collector, as defined under Nev. Rev. Stat. § 603A.020.

1.15 "Subprocessor" means any third party engaged by Provider to Process Customer Data on behalf of Customer.

1.16 "Trade Secret" means information as defined under Nev. Rev. Stat. § 600A.030(5), including a formula, pattern, compilation, program, device, method, technique, or process that derives independent economic value from not being generally known and is the subject of reasonable efforts to maintain its secrecy.

1.17 "Verified Request" means a request from a consumer to opt out of the sale of Covered Information, authenticated by Provider to the extent reasonably necessary to verify the consumer's identity, as contemplated by Nev. Rev. Stat. § 603A.345.


ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE

2.1 Scope. This Addendum applies to all Customer Data that Provider Processes, accesses, stores, transmits, or otherwise handles in connection with the Master Agreement. This Addendum shall bind Provider and all Subprocessors.

2.2 Order of Precedence. In the event of a conflict between this Addendum and the Master Agreement, this Addendum shall control with respect to information security, data protection, and privacy matters. In the event of a conflict between this Addendum and applicable Nevada law, applicable law shall control.

2.3 Minimum Standards. The requirements in this Addendum establish minimum standards. Where the Master Agreement or applicable law imposes more stringent requirements, Provider shall comply with the more stringent standard.

2.4 Regulatory Changes. Provider shall monitor changes to Nevada law, including amendments to NRS Chapter 603A, and shall notify Customer within thirty (30) days of any change that materially affects Provider's obligations under this Addendum.


ARTICLE 3 — INFORMATION SECURITY PROGRAM

3.1 Comprehensive Security Program. Provider shall establish, implement, and maintain a written information security program ("ISP") that includes administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, use, disclosure, alteration, or destruction.

3.2 Nevada Statutory Security Obligation. Pursuant to Nev. Rev. Stat. § 603A.210, Provider shall implement and maintain reasonable security measures to protect Customer Data from unauthorized access, acquisition, destruction, use, modification, or disclosure. Such measures shall be appropriate to the nature of the data and the size and complexity of Provider's business operations.

3.3 Framework Alignment. Provider's ISP shall be aligned with one or more of the following recognized frameworks:

☐ ISO/IEC 27001:2022 — Information Security Management System
☐ SOC 2 Type II — Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy)
☐ NIST Cybersecurity Framework (CSF) 2.0
☐ NIST SP 800-53 Rev. 5 — Security and Privacy Controls
☐ CIS Controls v8

3.4 Risk Assessment. Provider shall conduct a comprehensive risk assessment at least annually and whenever material changes occur to the processing environment. Risk assessments shall:

(a) Identify threats and vulnerabilities relevant to Customer Data;
(b) Evaluate the likelihood and potential impact of identified risks;
(c) Document risk treatment decisions and residual risk acceptance;
(d) Be reviewed and approved by Provider's senior information security leadership.

3.5 Security Policies. Provider shall maintain documented security policies covering, at minimum: access control, encryption, incident response, vulnerability management, change management, acceptable use, data classification, and business continuity. Policies shall be reviewed and updated at least annually.

3.6 PCI DSS Compliance. If Provider accepts, processes, stores, or transmits payment card data in connection with Customer Data, Provider shall comply with the current version of the Payment Card Industry Data Security Standard ("PCI DSS") as required by Nev. Rev. Stat. § 603A.215. Provider shall provide Customer with evidence of PCI DSS compliance upon request.


ARTICLE 4 — ACCESS CONTROLS

4.1 Role-Based Access Control. Provider shall implement and maintain role-based access control ("RBAC") ensuring that access to Customer Data is limited to personnel whose job functions require such access.

4.2 Principle of Least Privilege. All access to Customer Data shall be granted on a need-to-know basis consistent with the principle of least privilege. Provider shall not grant standing administrative access where temporary or just-in-time access is feasible.

4.3 Multi-Factor Authentication. Provider shall require MFA for:

(a) All remote access to systems containing Customer Data;
(b) All administrative or privileged access to production environments;
(c) Access to security infrastructure including firewalls, SIEM, and identity management systems;
(d) Access to cloud management consoles and dashboards;
(e) VPN connections to Provider's network.

4.4 Authentication Standards. Provider shall enforce:

(a) Minimum password length of fourteen (14) characters with complexity requirements;
(b) Account lockout after no more than five (5) consecutive failed authentication attempts;
(c) Automatic session timeout after fifteen (15) minutes of inactivity for privileged sessions and thirty (30) minutes for standard sessions;
(d) Prohibition of shared or generic accounts for access to Customer Data.

4.5 Access Reviews. Provider shall conduct access reviews on the following schedule:

(a) Quarterly — Review of all user access rights to systems containing Customer Data;
(b) Monthly — Review of privileged and administrative access;
(c) Within twenty-four (24) hours — Revocation of access for terminated personnel;
(d) Within five (5) Business Days — Adjustment of access for personnel who change roles.

4.6 Access Logging. All access to Customer Data shall be logged, including the identity of the accessor, timestamp, data accessed, and actions performed. Access logs shall be retained for a minimum of twelve (12) months.


ARTICLE 5 — ENCRYPTION STANDARDS

5.1 Data in Transit. All Customer Data transmitted over any network shall be encrypted using TLS 1.2 or higher with cipher suites supporting forward secrecy. TLS 1.0 and 1.1 are prohibited. Certificate pinning shall be implemented where technically feasible.

5.2 Data at Rest. All Customer Data stored in any medium shall be encrypted using AES-256 or equivalent. Encryption shall apply to:

(a) Production databases and data stores;
(b) Backup and archival media;
(c) File systems and object storage;
(d) Removable media (where authorized by Customer);
(e) Laptop and workstation hard drives.

5.3 Nevada Encryption Requirements. In accordance with Nev. Rev. Stat. § 603A.215, where Provider processes payment card data, Provider shall use encryption to ensure the security of the data during transmission and while in storage, consistent with PCI DSS requirements. The encryption safe harbor under Nev. Rev. Stat. § 603A.220 applies only where Personal Information was encrypted at the time of a breach.

5.4 Key Management. Provider shall implement a key management program that includes:

(a) Generation of encryption keys using cryptographically secure methods;
(b) Separation of key management duties from data custodian duties;
(c) Storage of encryption keys in hardware security modules ("HSMs") or equivalent key management systems;
(d) Rotation of encryption keys at least annually and upon suspected compromise;
(e) Secure destruction of retired encryption keys.

5.5 Prohibition. Provider shall not transmit Customer Data in unencrypted form, including via email or unencrypted file transfer, unless expressly authorized in writing by Customer.


ARTICLE 6 — NETWORK SECURITY

6.1 Network Architecture. Provider shall maintain a network architecture that segments Customer Data environments from other environments through firewalls, virtual LANs, or equivalent logical separation.

6.2 Firewall and Perimeter Controls. Provider shall deploy and maintain enterprise-grade firewalls with:

(a) Default-deny ingress and egress rules;
(b) Documented rule sets reviewed at least quarterly;
(c) Intrusion detection and prevention systems ("IDS/IPS") monitoring all traffic to Customer Data environments;
(d) Web application firewalls ("WAFs") protecting Customer-facing applications.

6.3 Network Monitoring. Provider shall implement continuous network monitoring including:

(a) Real-time traffic analysis for anomalous behavior;
(b) NetFlow or equivalent traffic logging;
(c) DNS monitoring and filtering;
(d) Automated alerting for suspicious network activity.

6.4 Wireless Security. Where wireless networks are used in environments that Process Customer Data, Provider shall implement WPA3-Enterprise or equivalent encryption and authentication.

6.5 Remote Access. All remote access to environments containing Customer Data shall require VPN with MFA and shall be logged and monitored.


ARTICLE 7 — APPLICATION SECURITY

7.1 Secure Development Lifecycle. Provider shall maintain a documented Secure Software Development Lifecycle ("SSDLC") that incorporates security at every phase of development, including requirements, design, implementation, testing, deployment, and maintenance.

7.2 OWASP Compliance. Provider shall ensure that all applications that Process Customer Data are developed and tested to address, at minimum, the OWASP Top Ten risks in their most current version.

7.3 Code Review and Testing. Provider shall implement:

(a) Peer code review for all code changes affecting Customer Data processing;
(b) Static Application Security Testing ("SAST") integrated into the CI/CD pipeline;
(c) Dynamic Application Security Testing ("DAST") performed at least quarterly;
(d) Interactive Application Security Testing ("IAST") where feasible;
(e) Software Composition Analysis ("SCA") for all third-party libraries and dependencies.

7.4 Change Management. All changes to production systems Processing Customer Data shall follow a documented change management process including:

(a) Documented change requests with business justification;
(b) Risk and security impact assessment;
(c) Testing in non-production environments;
(d) Segregation of duties between development and production environments;
(e) Rollback procedures for failed changes.

7.5 API Security. Provider shall secure all APIs used to Process Customer Data with authentication, authorization, rate limiting, input validation, and logging.


ARTICLE 8 — VULNERABILITY MANAGEMENT

8.1 Vulnerability Scanning. Provider shall perform automated vulnerability scanning of all systems Processing Customer Data at least weekly and upon deployment of significant changes.

8.2 Remediation Timelines. Provider shall remediate identified vulnerabilities according to the following timelines from the date of detection:

Severity Level             Remediation Timeline         Interim Mitigation
Critical (CVSS 9.0–10.0)   Twenty-four (24) hours       Immediate compensating controls
High (CVSS 7.0–8.9)        Seven (7) calendar days      Within forty-eight (48) hours
Medium (CVSS 4.0–6.9)      Thirty (30) calendar days    Risk acceptance documented
Low (CVSS 0.1–3.9)         Ninety (90) calendar days    Next scheduled maintenance

8.3 Patch Management. Provider shall maintain a documented patch management program that includes:

(a) Monitoring of vendor security advisories and vulnerability databases (NVD, CVE);
(b) Testing of patches in non-production environments before deployment;
(c) Emergency patching procedures for zero-day vulnerabilities;
(d) Documentation of all patches applied and exceptions granted.

8.4 Exception Management. Where a vulnerability cannot be remediated within the timelines specified in Section 8.2, Provider shall document the exception including compensating controls and shall notify Customer of any Critical or High severity exceptions within five (5) Business Days.


ARTICLE 9 — LOGGING, MONITORING, AND AUDIT

9.1 Security Information and Event Management. Provider shall operate a Security Information and Event Management ("SIEM") system that aggregates, correlates, and analyzes security events from all systems Processing Customer Data.

9.2 Log Collection. Provider shall collect and retain logs from, at minimum:

(a) Authentication and authorization events;
(b) Administrative and privileged user activities;
(c) System and application events;
(d) Network traffic and firewall events;
(e) Data access and modification events;
(f) Security tool alerts (IDS/IPS, antivirus, endpoint detection);
(g) Cloud infrastructure events and API calls.

9.3 Log Retention. Security logs shall be retained for a minimum of twelve (12) months in active storage and an additional twelve (12) months in archival storage, for a total retention period of twenty-four (24) months.

9.4 Log Integrity. Provider shall implement controls to ensure the integrity of security logs, including:

(a) Write-once storage or immutable log repositories;
(b) Centralized log collection with restricted access;
(c) Time synchronization across all logging sources using NTP;
(d) Alerting on log tampering or deletion attempts.

9.5 Monitoring and Alerting. Provider shall maintain 24/7/365 security monitoring with defined escalation procedures and response times for security alerts. Critical alerts shall be investigated within fifteen (15) minutes of detection.


ARTICLE 10 — DATA SEGREGATION AND RESIDENCY

10.1 Logical Segregation. Customer Data shall be logically segregated from the data of Provider's other customers through database-level, application-level, or equivalent isolation controls.

10.2 Environment Segregation. Provider shall maintain strict separation between production, staging, development, and testing environments. Customer Data shall not be used in non-production environments unless anonymized or pseudonymized and approved in writing by Customer.

10.3 Data Residency. Unless otherwise agreed in writing, Customer Data shall be stored and Processed within the continental United States. Provider shall notify Customer at least sixty (60) days before any change in data storage location.

10.4 Cross-Border Transfers. Provider shall not transfer Customer Data outside the United States without Customer's prior written consent and implementation of appropriate safeguards.


ARTICLE 11 — PENETRATION TESTING

11.1 Annual Penetration Testing. Provider shall engage an independent, qualified third-party firm to conduct penetration testing of all systems Processing Customer Data at least annually. Testing shall include:

(a) External network penetration testing;
(b) Internal network penetration testing;
(c) Web application penetration testing;
(d) API penetration testing;
(e) Social engineering testing (where agreed by the Parties).

11.2 Testing Standards. Penetration tests shall be conducted in accordance with recognized methodologies such as PTES, OWASP Testing Guide, or NIST SP 800-115.

11.3 Reporting. Provider shall deliver a written penetration test report to Customer within thirty (30) days of test completion. The report shall include identified vulnerabilities, severity ratings, and a remediation plan with timelines.

11.4 Remediation. Provider shall remediate all Critical and High severity findings from penetration tests within the timelines specified in Article 8 (Vulnerability Management) and shall provide evidence of remediation to Customer.

11.5 Customer Testing. Customer may, upon sixty (60) days' prior written notice and at Customer's expense, conduct or commission its own penetration testing of Provider systems that Process Customer Data, subject to reasonable scope and scheduling coordination.


ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY

12.1 Business Continuity Plan. Provider shall maintain a documented Business Continuity Plan ("BCP") that addresses the continued availability of services and protection of Customer Data during and after disruptive events.

12.2 Disaster Recovery Plan. Provider shall maintain a documented Disaster Recovery Plan ("DRP") that includes:

(a) Recovery Point Objective (RPO): Maximum data loss of [____] hours;
(b) Recovery Time Objective (RTO): Maximum service downtime of [____] hours;
(c) Defined recovery procedures for all critical systems;
(d) Communication protocols for notifying Customer during a disruptive event;
(e) Designated recovery sites with documented failover procedures.

12.3 Testing. Provider shall test the BCP and DRP at least annually through tabletop exercises and at least once every two (2) years through a full functional recovery test. Test results and lessons learned shall be documented and shared with Customer upon request.

12.4 Backups. Provider shall perform regular backups of Customer Data at intervals consistent with the RPO. Backups shall be encrypted, stored in a geographically separate location, and tested for restorability at least quarterly.

12.5 Resilience. Provider shall design systems Processing Customer Data with appropriate redundancy to eliminate single points of failure, including redundant network paths, power supplies, and storage systems.


ARTICLE 13 — INCIDENT RESPONSE AND NEVADA BREACH NOTIFICATION

13.1 Incident Response Plan. Provider shall maintain a documented Incident Response Plan ("IRP") that includes:

(a) Defined incident classification and severity levels;
(b) Escalation procedures and contact information;
(c) Roles and responsibilities of incident response team members;
(d) Containment, eradication, and recovery procedures;
(e) Evidence preservation and chain-of-custody protocols;
(f) Post-incident review and lessons learned procedures.

13.2 Notification to Customer. Provider shall notify Customer of any Incident as follows:

(a) Confirmed Security Breach: Within twenty-four (24) hours of confirmation;
(b) Suspected Security Breach: Within forty-eight (48) hours of detection;
(c) Other Security Incidents: Within seventy-two (72) hours of detection.

Notification shall include the nature and scope of the Incident, the types of Customer Data affected, measures taken to contain and remediate, and a designated point of contact.

13.3 Nevada Breach Notification Requirements (Nev. Rev. Stat. § 603A.220).

(a) Trigger. Notification is required upon unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of Personal Information maintained by a Data Collector.

(b) Timeline. Disclosure of the breach must be made to affected Nevada residents in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(c) Law Enforcement Delay. Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation, but must be provided promptly after law enforcement determines the notification will not compromise the investigation.

(d) Content of Notice. Although Nevada does not prescribe specific content requirements by statute, Provider shall include, at minimum:
- A description of the incident in general terms;
- The type of Personal Information that was or is reasonably believed to have been compromised;
- The approximate date of the breach;
- Contact information for Provider;
- Recommendations for monitoring credit reports and financial accounts;
- Contact information for the Federal Trade Commission and major credit reporting agencies.

(e) Methods of Notice. Notice may be provided by:
- Written notice mailed to the last known address;
- Electronic notice (if consistent with 15 U.S.C. § 7001 (E-SIGN Act));
- Substitute notice if the cost exceeds $250,000, more than 500,000 persons must be notified, or insufficient contact information is available. Substitute notice consists of email notice, conspicuous posting on the Data Collector's website, and notification to major statewide media.

(f) Credit Reporting Agency Notification. If notification is required for more than 1,000 persons at any one time, Provider shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

(g) Encryption Safe Harbor. Notification is not required if the Personal Information was encrypted and the encryption key was not or is not reasonably believed to have been acquired by an unauthorized person.

(h) Penalties. Violations may result in civil penalties of up to $5,000 per violation. Courts may order restitution for reasonable costs incurred in providing notification. The Attorney General or district attorney may bring actions for temporary or permanent injunctive relief.

13.4 Cooperation. Provider shall fully cooperate with Customer in investigating and responding to any Incident, including providing access to relevant logs, personnel, and systems. Provider shall preserve all evidence related to the Incident for a minimum of three (3) years.

13.5 Responsibility. Provider shall bear all costs and expenses arising from any Security Breach caused by Provider's failure to comply with this Addendum, including notification costs, credit monitoring services, regulatory fines, and legal fees.


ARTICLE 14 — SUBPROCESSOR MANAGEMENT

14.1 Prior Approval. Provider shall not engage any Subprocessor to Process Customer Data without Customer's prior written approval. Provider shall maintain and provide to Customer a current list of all approved Subprocessors.

14.2 Due Diligence. Before engaging any Subprocessor, Provider shall conduct due diligence to verify that the Subprocessor can meet security requirements at least as protective as those set forth in this Addendum.

14.3 Contractual Requirements. Provider shall enter into a written agreement with each Subprocessor that imposes data protection and security obligations no less stringent than those in this Addendum, including compliance with applicable Nevada law.

14.4 Ongoing Monitoring. Provider shall monitor each Subprocessor's compliance with its contractual obligations at least annually and shall promptly notify Customer of any material deficiency.

14.5 Liability. Provider shall remain fully liable for the acts and omissions of its Subprocessors with respect to Customer Data as if such acts and omissions were Provider's own.

14.6 Objection Right. Customer may object to any proposed Subprocessor within fifteen (15) Business Days of receiving notice. If Customer objects and Provider cannot reasonably accommodate the objection, either Party may terminate the affected services upon thirty (30) days' written notice.


ARTICLE 15 — PERSONNEL SECURITY

15.1 Background Checks. Provider shall conduct background checks on all personnel with access to Customer Data prior to granting access, to the extent permitted by Nevada law, including NRS Chapter 613.

15.2 Security Training. Provider shall provide security awareness training to all personnel at onboarding and at least annually thereafter. Training shall cover:

(a) Information security policies and procedures;
(b) Identification and reporting of security incidents;
(c) Phishing and social engineering awareness;
(d) Data handling and classification requirements;
(e) Nevada-specific privacy and data protection requirements, including SB 220 opt-out obligations.

15.3 Confidentiality Agreements. All Provider personnel and contractors with access to Customer Data shall execute confidentiality or non-disclosure agreements before being granted access.

15.4 Disciplinary Measures. Provider shall maintain and enforce disciplinary procedures for personnel who violate security policies, up to and including termination of employment.

15.5 Offboarding. Provider shall implement offboarding procedures that ensure all access to Customer Data is revoked within twenty-four (24) hours of personnel departure or role change, and all Customer Data in the departing individual's possession is returned or securely destroyed.


ARTICLE 16 — PHYSICAL SECURITY

16.1 Data Center Security. All facilities where Customer Data is stored or Processed shall implement, at minimum:

(a) 24/7 on-site security personnel or equivalent monitoring;
(b) Access control systems requiring badge, biometric, or multi-factor authentication;
(c) Visitor management and escort procedures;
(d) Video surveillance with a minimum retention period of ninety (90) days;
(e) Intrusion detection and alarm systems;
(f) Environmental controls (fire suppression, HVAC, water detection);
(g) Redundant power with UPS and generator backup.

16.2 Media Handling. Physical media containing Customer Data shall be:

(a) Encrypted in accordance with Article 5;
(b) Tracked through an asset management system;
(c) Transported in secure, tamper-evident containers;
(d) Destroyed in accordance with Article 20 when no longer needed.

16.3 Clean Desk Policy. Provider shall enforce a clean desk policy in all areas where Customer Data may be accessed, ensuring that printed or written Customer Data is secured when not in active use.


ARTICLE 17 — INSURANCE

17.1 Required Coverage. Provider shall maintain the following insurance coverages throughout the term of the Master Agreement and for a period of three (3) years following termination:

(a) Cyber Liability / Technology Errors & Omissions Insurance: Minimum coverage of $5,000,000 per occurrence and in the aggregate, covering data breaches, network security failures, privacy liability, regulatory defense, and crisis management expenses;

(b) Professional Liability / Errors & Omissions Insurance: Minimum coverage of $2,000,000 per occurrence and in the aggregate;

(c) Commercial General Liability Insurance: Minimum coverage of $1,000,000 per occurrence and $2,000,000 in the aggregate;

(d) Workers' Compensation Insurance: As required by Nevada law (Nev. Rev. Stat. § 616A et seq.).

17.2 Policy Requirements. All policies shall:

(a) Be issued by carriers with an AM Best rating of A- VII or better;
(b) Name Customer as an additional insured where applicable;
(c) Provide for thirty (30) days' prior written notice to Customer of cancellation or material change;
(d) Include a waiver of subrogation in favor of Customer.

17.3 Certificates of Insurance. Provider shall deliver certificates of insurance to Customer upon execution of this Addendum and annually thereafter, and promptly upon Customer's request.


ARTICLE 18 — AUDIT RIGHTS

18.1 Audit Right. Customer, or its authorized representative, shall have the right to audit Provider's compliance with this Addendum upon thirty (30) days' prior written notice, no more than once per calendar year (except following an Incident, in which case additional audits may be conducted).

18.2 Scope. Audits may include review of:

(a) Security policies, procedures, and documentation;
(b) Access control records and logs;
(c) Vulnerability scan and penetration test results;
(d) Incident response records;
(e) Subprocessor agreements and compliance documentation;
(f) Training records and personnel security documentation;
(g) Business continuity and disaster recovery plans and test results.

18.3 Cooperation. Provider shall cooperate fully with audits, providing timely access to relevant documentation, personnel, and systems. Provider shall designate a point of contact for audit coordination.

18.4 Third-Party Audit Reports. Provider shall make available to Customer, upon request, current copies of:

(a) SOC 2 Type II audit reports;
(b) ISO 27001 certification and statement of applicability;
(c) Penetration test executive summaries;
(d) PCI DSS attestation of compliance (where applicable);
(e) Any other relevant third-party audit or assessment reports.

18.5 Remediation. Provider shall develop and implement a remediation plan for any deficiencies identified during an audit within thirty (30) days of receipt of audit findings. Critical deficiencies shall be remediated within fifteen (15) days.


ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING

19.1 Security Officer. Provider shall designate a qualified senior-level employee as its Chief Information Security Officer ("CISO") or equivalent, with responsibility for Provider's information security program.

19.2 Security Committee. Provider shall maintain a security governance committee that meets at least quarterly to review the security program, risk assessments, incident trends, and compliance status.

19.3 Reporting to Customer. Provider shall deliver the following reports to Customer:

(a) Quarterly Security Report — Summary of security metrics, incidents, vulnerability trends, and remediation status;
(b) Annual Security Assessment — Comprehensive review of the security program, risk posture, and framework compliance;
(c) Incident Reports — As required under Article 13;
(d) Ad hoc Reports — Upon Customer's reasonable request regarding specific security matters.

19.4 Security Meetings. The Parties shall conduct security review meetings at least semi-annually to discuss security posture, emerging threats, and any changes to the processing environment.


ARTICLE 20 — DATA RETURN AND DESTRUCTION

20.1 Data Return. Upon termination or expiration of the Master Agreement, or upon Customer's written request, Provider shall return all Customer Data to Customer in a mutually agreed-upon, industry-standard format within thirty (30) days.

20.2 Data Destruction. Following confirmation of successful data return, or upon Customer's written instruction, Provider shall securely destroy all copies of Customer Data, including backups, within sixty (60) days. Destruction shall be performed in accordance with NIST SP 800-88 Rev. 1 ("Guidelines for Media Sanitization").

20.3 Destruction Methods. Acceptable destruction methods include:

(a) Electronic media: Cryptographic erasure, degaussing, or physical destruction;
(b) Physical media: Cross-cut shredding (minimum DIN 66399 Level P-4) or incineration;
(c) Cloud-hosted data: Cryptographic key destruction rendering data unrecoverable, with vendor-provided certification.

20.4 Nevada Destruction Requirements. Consistent with Nev. Rev. Stat. § 603A.200, Provider shall take reasonable measures to destroy or arrange for the destruction of records containing Personal Information that are no longer needed, by shredding, erasing, or otherwise modifying the Personal Information to make it unreadable or undecipherable.

20.5 Certification. Provider shall deliver to Customer a written certification of destruction, signed by an authorized officer, within ten (10) Business Days of completing destruction, specifying the data destroyed, methods used, and date of destruction.

20.6 Retention Exception. Provider may retain Customer Data only to the extent required by applicable law or regulation, provided that such retained data remains subject to the confidentiality and security obligations of this Addendum and is destroyed promptly when the retention obligation expires.


ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES

21.1 Provider Indemnification. Provider shall indemnify, defend, and hold harmless Customer, its officers, directors, employees, agents, and affiliates from and against any and all claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to:

(a) Any Security Breach caused by Provider's failure to comply with the obligations set forth in this Addendum;
(b) Any violation of Nev. Rev. Stat. Chapter 603A attributable to Provider;
(c) Any unauthorized access to, use of, or disclosure of Customer Data caused by Provider's negligence or willful misconduct;
(d) Any regulatory fines, penalties, or enforcement actions resulting from Provider's acts or omissions;
(e) Any failure to comply with SB 220 opt-out requirements attributable to Provider.

21.2 Customer Indemnification. Customer shall indemnify, defend, and hold harmless Provider from and against claims arising from Customer's provision of data to Provider in violation of applicable law, or Customer's instructions that cause Provider to violate applicable law, provided that Provider has complied with this Addendum.

21.3 Indemnification Procedures. The indemnified Party shall: (a) provide prompt written notice of any claim; (b) grant the indemnifying Party sole control of the defense and settlement, provided that no settlement shall impose obligations on the indemnified Party without its consent; and (c) provide reasonable cooperation at the indemnifying Party's expense.


ARTICLE 22 — NEVADA-SPECIFIC LEGAL PROVISIONS

22.1 Nevada SB 220 — Consumer Opt-Out Compliance (Nev. Rev. Stat. §§ 603A.300–603A.360)

(a) Applicability. Where Provider operates as an Operator (as defined under Nev. Rev. Stat. § 603A.330) with respect to Customer Data, Provider shall comply with all requirements of SB 220.

(b) Designated Request Address. Provider shall establish and maintain a designated request address through which Nevada consumers may submit Verified Requests to opt out of the sale of their Covered Information. The designated request address may be a toll-free telephone number, email address, or internet website.

(c) Response Timeline. Provider shall respond to a Verified Request within sixty (60) days of receipt. Provider may take an additional thirty (30) days to respond if reasonably necessary, provided it informs the consumer of the extension.

(d) Privacy Policy Requirements. Where Provider maintains a privacy policy in connection with services provided under the Master Agreement, Provider shall ensure that the policy includes:
- Categories of Covered Information collected;
- Categories of third parties with whom information is shared;
- Description of tracking technologies used (e.g., cookies);
- Process for consumer review and correction of personal information;
- Process for notification of changes to the privacy policy;
- Effective date of the privacy policy;
- Whether Covered Information is sold;
- Designated request address for opt-out requests.

(e) No Sale Without Consent. After receiving a Verified Request, Provider shall not sell the consumer's Covered Information unless the consumer subsequently provides express consent.

(f) Coordination with Customer. Provider shall coordinate with Customer regarding consumer opt-out requests that affect Customer Data and shall promptly inform Customer of any such requests received.

22.2 Nevada Data Destruction Requirements (Nev. Rev. Stat. § 603A.200)

Provider shall comply with Nevada's data destruction requirements by taking reasonable measures to destroy, or arrange for the destruction of, records containing Personal Information of a consumer by shredding, erasing, or otherwise modifying the Personal Information in those records to make it unreadable or undecipherable through any means.

22.3 Nevada Trade Secret Protections

Provider acknowledges that Customer Data may contain Trade Secrets as defined by the Nevada Uniform Trade Secrets Act (Nev. Rev. Stat. §§ 600A.010 through 600A.100). Provider shall:

(a) Implement reasonable measures to maintain the secrecy of any Trade Secrets contained in Customer Data;
(b) Limit access to Trade Secrets to personnel with a demonstrated need to know;
(c) Not use Trade Secrets for any purpose other than performing services under the Master Agreement;
(d) Acknowledge that the unauthorized use or disclosure of Trade Secrets may result in criminal penalties under Nev. Rev. Stat. § 600A.035;
(e) Cooperate with Customer in seeking injunctive relief under Nev. Rev. Stat. § 600A.040 if any unauthorized disclosure occurs.

22.4 Governing Law and Forum

(a) This Addendum shall be governed by and construed in accordance with the laws of the State of Nevada, without regard to conflict-of-law principles.

(b) Any dispute arising out of or relating to this Addendum shall be subject to the exclusive jurisdiction of the state and federal courts located in the State of Nevada.

(c) JURY WAIVER. EACH PARTY HEREBY WAIVES, TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, ANY RIGHT TO TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS ADDENDUM.

22.5 Late Payment

Any amounts due under this Addendum that are not paid when due shall accrue interest at the prime rate as published by the Federal Reserve, or such higher rate as may be agreed by the Parties, or the maximum rate permitted by Nevada law, whichever is less.


ARTICLE 23 — ELECTRONIC SIGNATURES

23.1 Validity. This Addendum may be executed by electronic signature in accordance with the Nevada Uniform Electronic Transactions Act (Nev. Rev. Stat. §§ 719.010 through 719.350) and the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq.).

23.2 Legal Effect. Electronic signatures applied to this Addendum shall have the same legal force and effect as original handwritten signatures. A record or signature shall not be denied legal effect or enforceability solely because it is in electronic form.

23.3 Consent. By executing this Addendum electronically, each Party consents to the use of electronic signatures and agrees that such execution is sufficient to bind the Party.

23.4 Retention. Each Party shall retain an electronic copy of this executed Addendum in accordance with Nev. Rev. Stat. § 719.120 and applicable record retention requirements.


ARTICLE 24 — GENERAL PROVISIONS

24.1 Entire Agreement. This Addendum, together with the Master Agreement, constitutes the entire agreement between the Parties with respect to information security and data protection for the services described therein.

24.2 Amendments. This Addendum may be amended only by a written instrument executed by authorized representatives of both Parties.

24.3 Severability. If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.

24.4 Waiver. No waiver of any right under this Addendum shall be effective unless in writing and signed by the waiving Party.

24.5 Notices. All notices under this Addendum shall be in writing and delivered to the addresses specified in the Master Agreement.

24.6 Term. This Addendum shall remain in effect for the duration of the Master Agreement and shall survive termination with respect to any Customer Data that remains in Provider's possession.

24.7 Counterparts. This Addendum may be executed in counterparts, each of which shall be deemed an original.


EXECUTION

IN WITNESS WHEREOF, the Parties have caused this Enterprise Security Addendum to be executed by their duly authorized representatives as of the Addendum Effective Date.

CUSTOMER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

PROVIDER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]


SCHEDULE A — SECURITY CONTACTS

Role                          Customer                             Provider
Primary Security Contact      [________________________________]   [________________________________]
Secondary Security Contact    [________________________________]   [________________________________]
Incident Response Lead        [________________________________]   [________________________________]
Privacy Officer               [________________________________]   [________________________________]
Executive Escalation          [________________________________]   [________________________________]

SCHEDULE B — APPROVED SUBPROCESSORS

Subprocessor Name                    Services Provided                    Data Processed                       Location                             Approval Date
[________________________________]   [________________________________]   [________________________________]   [________________________________]   [__/__/____]
[________________________________]   [________________________________]   [________________________________]   [________________________________]   [__/__/____]
[________________________________]   [________________________________]   [________________________________]   [________________________________]   [__/__/____]

PRE-EXECUTION CHECKLIST

☐ Master Agreement fully executed and referenced above
☐ All blanks and variable fields completed
☐ RPO and RTO values agreed upon and inserted in Article 12
☐ Approved Subprocessor list completed in Schedule B
☐ Security contact information completed in Schedule A
☐ Insurance certificates obtained and reviewed
☐ Provider's current SOC 2 Type II or ISO 27001 certification reviewed
☐ SB 220 compliance assessment completed
☐ PCI DSS compliance verified (if applicable)
☐ Nevada-licensed counsel review completed
☐ Both Parties' authorized signatories confirmed


SOURCES AND REFERENCES

  1. Nevada Security and Privacy of Personal Information — Nev. Rev. Stat. Chapter 603A
    https://www.leg.state.nv.us/nrs/nrs-603a.html
  2. Nevada SB 220 — Consumer Opt-Out of Sale of Personal Information (Nev. Rev. Stat. §§ 603A.300–603A.360)
    https://trustarc.com/resource/nevadas-privacy-law-sb-220/
  3. Nevada Data Breach Notification — Nev. Rev. Stat. § 603A.220
    https://law.justia.com/codes/nevada/chapter-603a/statute-603a-220/
  4. Nevada Trade Secrets (Uniform Act) — Nev. Rev. Stat. Chapter 600A
    https://law.justia.com/codes/nevada/chapter-600a/
  5. Nevada Uniform Electronic Transactions Act — Nev. Rev. Stat. §§ 719.010–719.350
    https://law.justia.com/codes/nevada/title-59/chapter-719/
  6. NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization
    https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
  7. NIST Cybersecurity Framework 2.0
    https://www.nist.gov/cyberframework
  8. ISO/IEC 27001:2022 — Information Security Management Systems
    https://www.iso.org/standard/27001
  9. OWASP Top Ten
    https://owasp.org/www-project-top-ten/