ENTERPRISE SECURITY ADDENDUM
Ohio Jurisdictional Version
Addendum Effective Date: [__/__/____]
Master Agreement Reference: [________________________________]
Master Agreement Date: [__/__/____]
RECITALS
WHEREAS, the entity identified as "Customer" ("[________________________________]," a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________]) and the entity identified as "Provider" ("[________________________________]," a [________________________________] organized under the laws of [________________________________], with principal offices at [________________________________]) have entered into the Master Agreement referenced above (the "Master Agreement");
WHEREAS, Provider will Process, store, transmit, or otherwise have access to Customer Data, including Personal Information as defined under Ohio law, in connection with the services described in the Master Agreement;
WHEREAS, Ohio's data breach notification statute (Ohio Rev. Code § 1349.19) imposes specific obligations regarding notification to affected individuals following a breach of the security of computerized data containing personal information;
WHEREAS, Ohio has enacted the Ohio Data Protection Act (Ohio Rev. Code §§ 1354.01 through 1354.05), providing an affirmative defense to certain tort claims for covered entities that maintain a cybersecurity program conforming to recognized industry frameworks;
WHEREAS, the Parties desire to leverage the protections available under Ohio's cybersecurity safe harbor while establishing robust security standards for the Processing of Customer Data;
NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein and in the Master Agreement, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
ARTICLE 1 — DEFINITIONS
1.1 "Authorized User" means any individual who has been granted access to Customer Data by Customer or through Customer's authorization, including employees, contractors, and agents operating under appropriate access controls.
1.2 "Business Day" means any day other than a Saturday, Sunday, or day on which banks in the State of Ohio are authorized or required to be closed.
1.3 "Confidential Information" means all non-public information disclosed by either Party to the other, including but not limited to Trade Secrets as defined under Ohio Rev. Code § 1333.61, Customer Data, business plans, technical specifications, and security configurations.
1.4 "Covered Entity" means a business that accesses, maintains, communicates, or processes Personal Information or restricted information in or through one or more systems, networks, or services located in or outside Ohio, as defined under Ohio Rev. Code § 1354.01.
1.5 "Customer Data" means all data, records, files, information, and materials provided by or on behalf of Customer or collected or generated by Provider on behalf of Customer in the course of performing services under the Master Agreement.
1.6 "Cybersecurity Program" means a written program that contains administrative, technical, and physical safeguards for the protection of Personal Information and restricted information, as described under Ohio Rev. Code § 1354.02.
1.7 "Encryption" means the transformation of data into a form in which meaning cannot be assigned without the use of a decryption key, using methods consistent with current industry standards including AES-256 for data at rest and TLS 1.2 or higher for data in transit.
1.8 "Incident" means any event that results in, or has the reasonable potential to result in, unauthorized access to, disclosure of, or loss of Customer Data, including Security Breaches.
1.9 "Multi-Factor Authentication" or "MFA" means an authentication mechanism requiring at least two distinct factors from: (a) something the user knows; (b) something the user possesses; and (c) something the user is.
1.10 "Ohio Data Protection Act" or "ODPA" means Ohio Rev. Code §§ 1354.01 through 1354.05, providing an affirmative defense to certain tort claims for covered entities maintaining recognized cybersecurity programs.
1.11 "Personal Information" means, as defined under Ohio Rev. Code § 1349.19(A)(7), an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable: (a) Social Security number; (b) driver's license number or state identification card number; (c) account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.
1.12 "Process" or "Processing" means any operation or set of operations performed on Customer Data, whether or not by automated means, including collection, use, storage, disclosure, analysis, deletion, or modification.
1.13 "Recognized Cybersecurity Framework" means one of the industry-recognized cybersecurity frameworks enumerated in Ohio Rev. Code § 1354.03, including NIST SP 800-171, NIST SP 800-53, FedRAMP, CIS Critical Security Controls, ISO/IEC 27000 family, HIPAA security requirements, Gramm-Leach-Bliley Act requirements, FISMA, HITECH Act, and PCI DSS.
1.14 "Restricted Information" means any information about an individual, other than Personal Information, that, alone or in combination with other information including Personal Information, can be used to distinguish or trace the individual's identity or that is linked or linkable to the individual, if the information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable, as defined under Ohio Rev. Code § 1354.01.
1.15 "Security Breach" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of Personal Information owned or licensed by a person and that causes, or reasonably is believed will cause, a material risk of identity theft or other fraud to the person or property of a resident of Ohio, as defined under Ohio Rev. Code § 1349.19.
1.16 "Subprocessor" means any third party engaged by Provider to Process Customer Data on behalf of Customer.
1.17 "Trade Secret" means information as defined under Ohio Rev. Code § 1333.61(D), including any business information or plans, financial information, or listing of names, addresses, or telephone numbers, that satisfies both of the following: (i) it derives independent economic value from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and (ii) it is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE
2.1 Scope. This Addendum applies to all Customer Data that Provider Processes, accesses, stores, transmits, or otherwise handles in connection with the Master Agreement. This Addendum shall bind Provider and all Subprocessors.
2.2 Order of Precedence. In the event of a conflict between this Addendum and the Master Agreement, this Addendum shall control with respect to information security, data protection, and privacy matters. In the event of a conflict between this Addendum and applicable Ohio law, applicable law shall control.
2.3 Minimum Standards. The requirements in this Addendum establish minimum standards. Where the Master Agreement or applicable law imposes more stringent requirements, Provider shall comply with the more stringent standard.
2.4 Regulatory Changes. Provider shall monitor changes to Ohio law, including amendments to the data breach notification statute and the ODPA, and shall notify Customer within thirty (30) days of any change that materially affects Provider's obligations under this Addendum.
ARTICLE 3 — INFORMATION SECURITY PROGRAM
3.1 Comprehensive Security Program. Provider shall establish, implement, and maintain a written information security program ("ISP") that includes administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, use, disclosure, alteration, or destruction.
3.2 Ohio Data Protection Act — Framework Alignment. Provider's ISP shall reasonably conform to one or more Recognized Cybersecurity Frameworks as enumerated in Ohio Rev. Code § 1354.03. Provider shall select and implement a framework from the following:
☐ NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems
☐ NIST SP 800-171 Rev. 2 — Protecting Controlled Unclassified Information
☐ ISO/IEC 27001:2022 — Information Security Management System
☐ CIS Critical Security Controls v8
☐ SOC 2 Type II — Trust Services Criteria
☐ NIST Cybersecurity Framework (CSF) 2.0
☐ FedRAMP Security Assessment Framework
☐ PCI DSS (where applicable to payment card data)
3.3 ODPA Safe Harbor Qualification. Provider represents and warrants that its Cybersecurity Program is designed to qualify for the affirmative defense under Ohio Rev. Code § 1354.02 by:
(a) Creating, maintaining, and complying with a written Cybersecurity Program;
(b) Ensuring the program contains administrative, technical, and physical safeguards for the protection of Personal Information and Restricted Information;
(c) Reasonably conforming to a Recognized Cybersecurity Framework;
(d) Designing the program to: (i) protect the security and confidentiality of information; (ii) protect against anticipated threats or hazards to the security or integrity of information; and (iii) protect against unauthorized access to and acquisition of information likely to result in a material risk of identity theft or other fraud.
3.4 Scale and Scope. Consistent with Ohio Rev. Code § 1354.02(B), the scale and scope of Provider's Cybersecurity Program shall be appropriate based on:
(a) The size and complexity of Provider;
(b) The nature and scope of Provider's activities;
(c) The sensitivity of the Customer Data to be protected;
(d) The cost and availability of tools to improve information security and reduce vulnerabilities;
(e) The resources available to Provider.
3.5 Risk Assessment. Provider shall conduct a comprehensive risk assessment at least annually and whenever material changes occur to the processing environment. Risk assessments shall:
(a) Identify threats and vulnerabilities relevant to Customer Data;
(b) Evaluate the likelihood and potential impact of identified risks;
(c) Document risk treatment decisions and residual risk acceptance;
(d) Be reviewed and approved by Provider's senior information security leadership.
3.6 Security Policies. Provider shall maintain documented security policies covering, at minimum: access control, encryption, incident response, vulnerability management, change management, acceptable use, data classification, and business continuity. Policies shall be reviewed and updated at least annually.
ARTICLE 4 — ACCESS CONTROLS
4.1 Role-Based Access Control. Provider shall implement and maintain role-based access control ("RBAC") ensuring that access to Customer Data is limited to personnel whose job functions require such access.
4.2 Principle of Least Privilege. All access to Customer Data shall be granted on a need-to-know basis consistent with the principle of least privilege. Provider shall not grant standing administrative access where temporary or just-in-time access is feasible.
4.3 Multi-Factor Authentication. Provider shall require MFA for:
(a) All remote access to systems containing Customer Data;
(b) All administrative or privileged access to production environments;
(c) Access to security infrastructure including firewalls, SIEM, and identity management systems;
(d) Access to cloud management consoles and dashboards;
(e) VPN connections to Provider's network.
4.4 Authentication Standards. Provider shall enforce:
(a) Minimum password length of fourteen (14) characters with complexity requirements;
(b) Account lockout after no more than five (5) consecutive failed authentication attempts;
(c) Automatic session timeout after fifteen (15) minutes of inactivity for privileged sessions and thirty (30) minutes for standard sessions;
(d) Prohibition of shared or generic accounts for access to Customer Data.
4.5 Access Reviews. Provider shall conduct access reviews on the following schedule:
(a) Quarterly — Review of all user access rights to systems containing Customer Data;
(b) Monthly — Review of privileged and administrative access;
(c) Within twenty-four (24) hours — Revocation of access for terminated personnel;
(d) Within five (5) Business Days — Adjustment of access for personnel who change roles.
4.6 Access Logging. All access to Customer Data shall be logged, including the identity of the accessor, timestamp, data accessed, and actions performed. Access logs shall be retained for a minimum of twelve (12) months.
ARTICLE 5 — ENCRYPTION STANDARDS
5.1 Data in Transit. All Customer Data transmitted over any network shall be encrypted using TLS 1.2 or higher with cipher suites supporting forward secrecy. TLS 1.0 and 1.1 are prohibited. Certificate pinning shall be implemented where technically feasible.
5.2 Data at Rest. All Customer Data stored in any medium shall be encrypted using AES-256 or equivalent. Encryption shall apply to:
(a) Production databases and data stores;
(b) Backup and archival media;
(c) File systems and object storage;
(d) Removable media (where authorized by Customer);
(e) Laptop and workstation hard drives.
5.3 Ohio Encryption Safe Harbor. The Parties acknowledge that under Ohio Rev. Code § 1349.19, data that is encrypted, redacted, or altered by any method or technology such that the data elements are unreadable is excluded from the definition of Personal Information for breach notification purposes. Provider shall maintain encryption at all times to benefit from this safe harbor.
5.4 Key Management. Provider shall implement a key management program that includes:
(a) Generation of encryption keys using cryptographically secure methods;
(b) Separation of key management duties from data custodian duties;
(c) Storage of encryption keys in hardware security modules ("HSMs") or equivalent key management systems;
(d) Rotation of encryption keys at least annually and upon suspected compromise;
(e) Secure destruction of retired encryption keys.
5.5 Prohibition. Provider shall not transmit Customer Data in unencrypted form, including via email or unencrypted file transfer, unless expressly authorized in writing by Customer.
ARTICLE 6 — NETWORK SECURITY
6.1 Network Architecture. Provider shall maintain a network architecture that segments Customer Data environments from other environments through firewalls, virtual LANs, or equivalent logical separation.
6.2 Firewall and Perimeter Controls. Provider shall deploy and maintain enterprise-grade firewalls with:
(a) Default-deny ingress and egress rules;
(b) Documented rule sets reviewed at least quarterly;
(c) Intrusion detection and prevention systems ("IDS/IPS") monitoring all traffic to Customer Data environments;
(d) Web application firewalls ("WAFs") protecting Customer-facing applications.
6.3 Network Monitoring. Provider shall implement continuous network monitoring including:
(a) Real-time traffic analysis for anomalous behavior;
(b) NetFlow or equivalent traffic logging;
(c) DNS monitoring and filtering;
(d) Automated alerting for suspicious network activity.
6.4 Wireless Security. Where wireless networks are used in environments that Process Customer Data, Provider shall implement WPA3-Enterprise or equivalent encryption and authentication.
6.5 Remote Access. All remote access to environments containing Customer Data shall require VPN with MFA and shall be logged and monitored.
ARTICLE 7 — APPLICATION SECURITY
7.1 Secure Development Lifecycle. Provider shall maintain a documented Secure Software Development Lifecycle ("SSDLC") that incorporates security at every phase of development, including requirements, design, implementation, testing, deployment, and maintenance.
7.2 OWASP Compliance. Provider shall ensure that all applications that Process Customer Data are developed and tested to address, at minimum, the OWASP Top Ten risks in their most current version.
7.3 Code Review and Testing. Provider shall implement:
(a) Peer code review for all code changes affecting Customer Data processing;
(b) Static Application Security Testing ("SAST") integrated into the CI/CD pipeline;
(c) Dynamic Application Security Testing ("DAST") performed at least quarterly;
(d) Interactive Application Security Testing ("IAST") where feasible;
(e) Software Composition Analysis ("SCA") for all third-party libraries and dependencies.
7.4 Change Management. All changes to production systems Processing Customer Data shall follow a documented change management process including:
(a) Documented change requests with business justification;
(b) Risk and security impact assessment;
(c) Testing in non-production environments;
(d) Segregation of duties between development and production environments;
(e) Rollback procedures for failed changes.
7.5 API Security. Provider shall secure all APIs used to Process Customer Data with authentication, authorization, rate limiting, input validation, and logging.
ARTICLE 8 — VULNERABILITY MANAGEMENT
8.1 Vulnerability Scanning. Provider shall perform automated vulnerability scanning of all systems Processing Customer Data at least weekly and upon deployment of significant changes.
8.2 Remediation Timelines. Provider shall remediate identified vulnerabilities according to the following timelines from the date of detection:
| Severity Level | Remediation Timeline | Interim Mitigation |
|---|---|---|
| Critical (CVSS 9.0–10.0) | Twenty-four (24) hours | Immediate compensating controls |
| High (CVSS 7.0–8.9) | Seven (7) calendar days | Within forty-eight (48) hours |
| Medium (CVSS 4.0–6.9) | Thirty (30) calendar days | Risk acceptance documented |
| Low (CVSS 0.1–3.9) | Ninety (90) calendar days | Next scheduled maintenance |
8.3 Patch Management. Provider shall maintain a documented patch management program that includes:
(a) Monitoring of vendor security advisories and vulnerability databases (NVD, CVE);
(b) Testing of patches in non-production environments before deployment;
(c) Emergency patching procedures for zero-day vulnerabilities;
(d) Documentation of all patches applied and exceptions granted.
8.4 Exception Management. Where a vulnerability cannot be remediated within the timelines specified in Section 8.2, Provider shall document the exception including compensating controls and shall notify Customer of any Critical or High severity exceptions within five (5) Business Days.
ARTICLE 9 — LOGGING, MONITORING, AND AUDIT
9.1 Security Information and Event Management. Provider shall operate a Security Information and Event Management ("SIEM") system that aggregates, correlates, and analyzes security events from all systems Processing Customer Data.
9.2 Log Collection. Provider shall collect and retain logs from, at minimum:
(a) Authentication and authorization events;
(b) Administrative and privileged user activities;
(c) System and application events;
(d) Network traffic and firewall events;
(e) Data access and modification events;
(f) Security tool alerts (IDS/IPS, antivirus, endpoint detection);
(g) Cloud infrastructure events and API calls.
9.3 Log Retention. Security logs shall be retained for a minimum of twelve (12) months in active storage and an additional twelve (12) months in archival storage, for a total retention period of twenty-four (24) months.
9.4 Log Integrity. Provider shall implement controls to ensure the integrity of security logs, including:
(a) Write-once storage or immutable log repositories;
(b) Centralized log collection with restricted access;
(c) Time synchronization across all logging sources using NTP;
(d) Alerting on log tampering or deletion attempts.
9.5 Monitoring and Alerting. Provider shall maintain 24/7/365 security monitoring with defined escalation procedures and response times for security alerts. Critical alerts shall be investigated within fifteen (15) minutes of detection.
ARTICLE 10 — DATA SEGREGATION AND RESIDENCY
10.1 Logical Segregation. Customer Data shall be logically segregated from the data of Provider's other customers through database-level, application-level, or equivalent isolation controls.
10.2 Environment Segregation. Provider shall maintain strict separation between production, staging, development, and testing environments. Customer Data shall not be used in non-production environments unless anonymized or pseudonymized and approved in writing by Customer.
10.3 Data Residency. Unless otherwise agreed in writing, Customer Data shall be stored and Processed within the continental United States. Provider shall notify Customer at least sixty (60) days before any change in data storage location.
10.4 Cross-Border Transfers. Provider shall not transfer Customer Data outside the United States without Customer's prior written consent and implementation of appropriate safeguards.
ARTICLE 11 — PENETRATION TESTING
11.1 Annual Penetration Testing. Provider shall engage an independent, qualified third-party firm to conduct penetration testing of all systems Processing Customer Data at least annually. Testing shall include:
(a) External network penetration testing;
(b) Internal network penetration testing;
(c) Web application penetration testing;
(d) API penetration testing;
(e) Social engineering testing (where agreed by the Parties).
11.2 Testing Standards. Penetration tests shall be conducted in accordance with recognized methodologies such as PTES, OWASP Testing Guide, or NIST SP 800-115.
11.3 Reporting. Provider shall deliver a written penetration test report to Customer within thirty (30) days of test completion. The report shall include identified vulnerabilities, severity ratings, and a remediation plan with timelines.
11.4 Remediation. Provider shall remediate all Critical and High severity findings from penetration tests within the timelines specified in Article 8 (Vulnerability Management) and shall provide evidence of remediation to Customer.
11.5 Customer Testing. Customer may, upon sixty (60) days' prior written notice and at Customer's expense, conduct or commission its own penetration testing of Provider systems that Process Customer Data, subject to reasonable scope and scheduling coordination.
ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY
12.1 Business Continuity Plan. Provider shall maintain a documented Business Continuity Plan ("BCP") that addresses the continued availability of services and protection of Customer Data during and after disruptive events.
12.2 Disaster Recovery Plan. Provider shall maintain a documented Disaster Recovery Plan ("DRP") that includes:
(a) Recovery Point Objective (RPO): Maximum data loss of [____] hours;
(b) Recovery Time Objective (RTO): Maximum service downtime of [____] hours;
(c) Defined recovery procedures for all critical systems;
(d) Communication protocols for notifying Customer during a disruptive event;
(e) Designated recovery sites with documented failover procedures.
12.3 Testing. Provider shall test the BCP and DRP at least annually through tabletop exercises and at least once every two (2) years through a full functional recovery test. Test results and lessons learned shall be documented and shared with Customer upon request.
12.4 Backups. Provider shall perform regular backups of Customer Data at intervals consistent with the RPO. Backups shall be encrypted, stored in a geographically separate location, and tested for restorability at least quarterly.
12.5 Resilience. Provider shall design systems Processing Customer Data with appropriate redundancy to eliminate single points of failure, including redundant network paths, power supplies, and storage systems.
ARTICLE 13 — INCIDENT RESPONSE AND OHIO BREACH NOTIFICATION
13.1 Incident Response Plan. Provider shall maintain a documented Incident Response Plan ("IRP") that includes:
(a) Defined incident classification and severity levels;
(b) Escalation procedures and contact information;
(c) Roles and responsibilities of incident response team members;
(d) Containment, eradication, and recovery procedures;
(e) Evidence preservation and chain-of-custody protocols;
(f) Post-incident review and lessons learned procedures.
13.2 Notification to Customer. Provider shall notify Customer of any Incident as follows:
(a) Confirmed Security Breach: Within twenty-four (24) hours of confirmation;
(b) Suspected Security Breach: Within forty-eight (48) hours of detection;
(c) Other Security Incidents: Within seventy-two (72) hours of detection.
Notification shall include the nature and scope of the Incident, the types of Customer Data affected, measures taken to contain and remediate, and a designated point of contact.
13.3 Ohio Breach Notification Requirements (Ohio Rev. Code § 1349.19).
(a) Trigger. Notification is required upon unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of Personal Information and that causes, or is reasonably believed will cause, a material risk of identity theft or other fraud to the person or property of a resident of Ohio.
(b) Timeline. Disclosure must be made in the most expedient time possible but no later than forty-five (45) days following the discovery or notification of the Security Breach, subject to the legitimate needs of law enforcement and measures necessary to determine the scope of the breach, identify affected individuals, and restore the reasonable integrity of the data system.
(c) Content of Notice. Notification to affected individuals shall include, at minimum:
- A description of the Security Breach in general terms;
- The type of Personal Information that was the subject of the breach;
- Contact information for Provider;
- Contact information for the Federal Trade Commission and major credit reporting agencies;
- Advice to the individual regarding monitoring of financial accounts and credit reports.
(d) Methods of Notice. Notice may be provided by:
- Written notice sent to the last known address of the individual;
- Electronic notice, if consistent with 15 U.S.C. § 7001 (E-SIGN Act);
- Telephonic notice;
- Substitute notice, if the cost exceeds $250,000, more than 500,000 persons must be notified, or insufficient contact information is available. Substitute notice consists of email notice, conspicuous posting on Provider's website, and notification to major statewide media.
(e) Credit Reporting Agency Notification. If the Security Breach requires notification to more than 1,000 Ohio residents in a single occurrence, Provider shall notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure.
(f) Encryption Safe Harbor. Notification is not required if the Personal Information was encrypted, redacted, or altered by any method or technology such that the data elements are unreadable, and the encryption key was not compromised.
(g) Attorney General Enforcement. The Ohio Attorney General may conduct an investigation and bring a civil action for violations of Ohio Rev. Code § 1349.19.
(h) Penalties. The Attorney General may impose:
- Up to $1,000 per day for the first sixty (60) days of non-compliance;
- Up to $5,000 per day for non-compliance after sixty (60) days;
- Up to $10,000 per day for non-compliance after ninety (90) days.
13.4 Cooperation. Provider shall fully cooperate with Customer in investigating and responding to any Incident, including providing access to relevant logs, personnel, and systems. Provider shall preserve all evidence related to the Incident for a minimum of three (3) years.
13.5 Responsibility. Provider shall bear all costs and expenses arising from any Security Breach caused by Provider's failure to comply with this Addendum, including notification costs, credit monitoring services, regulatory fines, and legal fees.
ARTICLE 14 — SUBPROCESSOR MANAGEMENT
14.1 Prior Approval. Provider shall not engage any Subprocessor to Process Customer Data without Customer's prior written approval. Provider shall maintain and provide to Customer a current list of all approved Subprocessors.
14.2 Due Diligence. Before engaging any Subprocessor, Provider shall conduct due diligence to verify that the Subprocessor can meet security requirements at least as protective as those set forth in this Addendum, including compliance with a Recognized Cybersecurity Framework.
14.3 Contractual Requirements. Provider shall enter into a written agreement with each Subprocessor that imposes data protection and security obligations no less stringent than those in this Addendum, including compliance with applicable Ohio law.
14.4 Ongoing Monitoring. Provider shall monitor each Subprocessor's compliance with its contractual obligations at least annually and shall promptly notify Customer of any material deficiency.
14.5 Liability. Provider shall remain fully liable for the acts and omissions of its Subprocessors with respect to Customer Data as if such acts and omissions were Provider's own.
14.6 Objection Right. Customer may object to any proposed Subprocessor within fifteen (15) Business Days of receiving notice. If Customer objects and Provider cannot reasonably accommodate the objection, either Party may terminate the affected services upon thirty (30) days' written notice.
ARTICLE 15 — PERSONNEL SECURITY
15.1 Background Checks. Provider shall conduct background checks on all personnel with access to Customer Data prior to granting access, to the extent permitted by Ohio Rev. Code § 4113 and applicable law.
15.2 Security Training. Provider shall provide security awareness training to all personnel at onboarding and at least annually thereafter. Training shall cover:
(a) Information security policies and procedures;
(b) Identification and reporting of security incidents;
(c) Phishing and social engineering awareness;
(d) Data handling and classification requirements;
(e) Ohio-specific data protection requirements, including ODPA safe harbor obligations.
15.3 Confidentiality Agreements. All Provider personnel and contractors with access to Customer Data shall execute confidentiality or non-disclosure agreements before being granted access.
15.4 Disciplinary Measures. Provider shall maintain and enforce disciplinary procedures for personnel who violate security policies, up to and including termination of employment.
15.5 Offboarding. Provider shall implement offboarding procedures that ensure all access to Customer Data is revoked within twenty-four (24) hours of personnel departure or role change, and all Customer Data in the departing individual's possession is returned or securely destroyed.
ARTICLE 16 — PHYSICAL SECURITY
16.1 Data Center Security. All facilities where Customer Data is stored or Processed shall implement, at minimum:
(a) 24/7 on-site security personnel or equivalent monitoring;
(b) Access control systems requiring badge, biometric, or multi-factor authentication;
(c) Visitor management and escort procedures;
(d) Video surveillance with a minimum retention period of ninety (90) days;
(e) Intrusion detection and alarm systems;
(f) Environmental controls (fire suppression, HVAC, water detection);
(g) Redundant power with UPS and generator backup.
16.2 Media Handling. Physical media containing Customer Data shall be:
(a) Encrypted in accordance with Article 5;
(b) Tracked through an asset management system;
(c) Transported in secure, tamper-evident containers;
(d) Destroyed in accordance with Article 20 when no longer needed.
16.3 Clean Desk Policy. Provider shall enforce a clean desk policy in all areas where Customer Data may be accessed, ensuring that printed or written Customer Data is secured when not in active use.
ARTICLE 17 — INSURANCE
17.1 Required Coverage. Provider shall maintain the following insurance coverages throughout the term of the Master Agreement and for a period of three (3) years following termination:
(a) Cyber Liability / Technology Errors & Omissions Insurance: Minimum coverage of $5,000,000 per occurrence and in the aggregate, covering data breaches, network security failures, privacy liability, regulatory defense, and crisis management expenses;
(b) Professional Liability / Errors & Omissions Insurance: Minimum coverage of $2,000,000 per occurrence and in the aggregate;
(c) Commercial General Liability Insurance: Minimum coverage of $1,000,000 per occurrence and $2,000,000 in the aggregate;
(d) Workers' Compensation Insurance: As required by Ohio law (Ohio Rev. Code § 4123).
17.2 Policy Requirements. All policies shall:
(a) Be issued by carriers with an AM Best rating of A- VII or better;
(b) Name Customer as an additional insured where applicable;
(c) Provide for thirty (30) days' prior written notice to Customer of cancellation or material change;
(d) Include a waiver of subrogation in favor of Customer.
17.3 Certificates of Insurance. Provider shall deliver certificates of insurance to Customer upon execution of this Addendum and annually thereafter, and promptly upon Customer's request.
ARTICLE 18 — AUDIT RIGHTS
18.1 Audit Right. Customer, or its authorized representative, shall have the right to audit Provider's compliance with this Addendum upon thirty (30) days' prior written notice, no more than once per calendar year (except following an Incident, in which case additional audits may be conducted).
18.2 Scope. Audits may include review of:
(a) Security policies, procedures, and documentation;
(b) Cybersecurity Program documentation and framework conformance;
(c) Access control records and logs;
(d) Vulnerability scan and penetration test results;
(e) Incident response records;
(f) Subprocessor agreements and compliance documentation;
(g) Training records and personnel security documentation;
(h) Business continuity and disaster recovery plans and test results.
18.3 Cooperation. Provider shall cooperate fully with audits, providing timely access to relevant documentation, personnel, and systems. Provider shall designate a point of contact for audit coordination.
18.4 Third-Party Audit Reports. Provider shall make available to Customer, upon request, current copies of:
(a) SOC 2 Type II audit reports;
(b) ISO 27001 certification and statement of applicability;
(c) Penetration test executive summaries;
(d) Recognized Cybersecurity Framework compliance documentation;
(e) Any other relevant third-party audit or assessment reports.
18.5 Remediation. Provider shall develop and implement a remediation plan for any deficiencies identified during an audit within thirty (30) days of receipt of audit findings. Critical deficiencies shall be remediated within fifteen (15) days.
ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING
19.1 Security Officer. Provider shall designate a qualified senior-level employee as its Chief Information Security Officer ("CISO") or equivalent, with responsibility for Provider's information security program and Cybersecurity Program.
19.2 Security Committee. Provider shall maintain a security governance committee that meets at least quarterly to review the security program, risk assessments, incident trends, compliance status, and ODPA safe harbor qualification.
19.3 Reporting to Customer. Provider shall deliver the following reports to Customer:
(a) Quarterly Security Report — Summary of security metrics, incidents, vulnerability trends, and remediation status;
(b) Annual Security Assessment — Comprehensive review of the security program, risk posture, framework compliance, and ODPA safe harbor status;
(c) Incident Reports — As required under Article 13;
(d) Ad hoc Reports — Upon Customer's reasonable request regarding specific security matters.
19.4 Security Meetings. The Parties shall conduct security review meetings at least semi-annually to discuss security posture, emerging threats, and any changes to the processing environment.
ARTICLE 20 — DATA RETURN AND DESTRUCTION
20.1 Data Return. Upon termination or expiration of the Master Agreement, or upon Customer's written request, Provider shall return all Customer Data to Customer in a mutually agreed-upon, industry-standard format within thirty (30) days.
20.2 Data Destruction. Following confirmation of successful data return, or upon Customer's written instruction, Provider shall securely destroy all copies of Customer Data, including backups, within sixty (60) days. Destruction shall be performed in accordance with NIST SP 800-88 Rev. 1 ("Guidelines for Media Sanitization").
20.3 Destruction Methods. Acceptable destruction methods include:
(a) Electronic media: Cryptographic erasure, degaussing, or physical destruction;
(b) Physical media: Cross-cut shredding (minimum DIN 66399 Level P-4) or incineration;
(c) Cloud-hosted data: Cryptographic key destruction rendering data unrecoverable, with vendor-provided certification.
20.4 Certification. Provider shall deliver to Customer a written certification of destruction, signed by an authorized officer, within ten (10) Business Days of completing destruction, specifying the data destroyed, methods used, and date of destruction.
20.5 Retention Exception. Provider may retain Customer Data only to the extent required by applicable law or regulation, provided that such retained data remains subject to the confidentiality and security obligations of this Addendum and is destroyed promptly when the retention obligation expires.
ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES
21.1 Provider Indemnification. Provider shall indemnify, defend, and hold harmless Customer, its officers, directors, employees, agents, and affiliates from and against any and all claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to:
(a) Any Security Breach caused by Provider's failure to comply with the obligations set forth in this Addendum;
(b) Any violation of Ohio Rev. Code § 1349.19 attributable to Provider;
(c) Any unauthorized access to, use of, or disclosure of Customer Data caused by Provider's negligence or willful misconduct;
(d) Any regulatory fines, penalties, or enforcement actions resulting from Provider's acts or omissions;
(e) Loss of the ODPA affirmative defense due to Provider's failure to maintain a conforming Cybersecurity Program.
21.2 Customer Indemnification. Customer shall indemnify, defend, and hold harmless Provider from and against claims arising from Customer's provision of data to Provider in violation of applicable law, or Customer's instructions that cause Provider to violate applicable law, provided that Provider has complied with this Addendum.
21.3 Indemnification Procedures. The indemnified Party shall: (a) provide prompt written notice of any claim; (b) grant the indemnifying Party sole control of the defense and settlement, provided that no settlement shall impose obligations on the indemnified Party without its consent; and (c) provide reasonable cooperation at the indemnifying Party's expense.
ARTICLE 22 — OHIO-SPECIFIC LEGAL PROVISIONS
22.1 Ohio Data Protection Act — Safe Harbor Compliance (Ohio Rev. Code §§ 1354.01–1354.05)
(a) Affirmative Defense. The Parties acknowledge that Ohio Rev. Code § 1354.02 provides a Covered Entity that creates, maintains, and complies with a written Cybersecurity Program reasonably conforming to a Recognized Cybersecurity Framework with an affirmative defense to any cause of action sounding in tort that is brought under Ohio law and alleges that the failure to implement reasonable information security controls resulted in a data breach.
(b) Provider's Safe Harbor Commitment. Provider shall:
(i) Maintain a written Cybersecurity Program that reasonably conforms to at least one Recognized Cybersecurity Framework listed in Ohio Rev. Code § 1354.03;
(ii) Document the specific framework(s) to which its Cybersecurity Program conforms;
(iii) Conduct annual assessments to verify reasonable conformance with the selected framework(s);
(iv) Provide Customer with written evidence of framework conformance upon request, including third-party certifications or assessments;
(v) Promptly notify Customer if Provider ceases to maintain reasonable conformance with its selected framework(s).
(c) Reasonable Conformance. Consistent with Ohio Rev. Code § 1354.03, a Cybersecurity Program "reasonably conforms" to a Recognized Cybersecurity Framework if the entity's program is designed to protect the security and confidentiality of information, protect against anticipated threats, and protect against unauthorized access. Reasonable conformance does not require perfect compliance.
(d) Regulatory Updates. Provider shall monitor any regulatory developments, including rule-making by the Ohio Attorney General or other state agencies, that affect the requirements for qualifying for the ODPA affirmative defense, and shall adjust its Cybersecurity Program accordingly.
(e) Joint Safe Harbor Strategy. Upon Customer's request, Provider shall collaborate with Customer to develop and document a joint cybersecurity posture that maximizes the availability of the ODPA affirmative defense for both Parties.
22.2 Ohio Trade Secret Protections
Provider acknowledges that Customer Data may contain Trade Secrets as defined by the Ohio Uniform Trade Secrets Act (Ohio Rev. Code §§ 1333.61 through 1333.69). Provider shall:
(a) Implement reasonable measures to maintain the secrecy of any Trade Secrets contained in Customer Data;
(b) Limit access to Trade Secrets to personnel with a demonstrated need to know;
(c) Not use Trade Secrets for any purpose other than performing services under the Master Agreement;
(d) Cooperate with Customer in seeking injunctive relief under Ohio Rev. Code § 1333.62 if any unauthorized disclosure occurs;
(e) Comply with court-ordered measures to preserve secrecy under Ohio Rev. Code § 1333.65, including protective orders, in-camera hearings, and sealing of records.
22.3 Governing Law and Forum
(a) This Addendum shall be governed by and construed in accordance with the laws of the State of Ohio, without regard to conflict-of-law principles.
(b) Any dispute arising out of or relating to this Addendum shall be subject to the exclusive jurisdiction of the state and federal courts located in the State of Ohio.
(c) JURY WAIVER. EACH PARTY HEREBY WAIVES, TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, ANY RIGHT TO TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS ADDENDUM.
22.4 Late Payment
Any amounts due under this Addendum that are not paid when due shall accrue interest at the rate permitted by Ohio Rev. Code § 1343.03 (currently the federal short-term rate plus three percent), or the maximum rate permitted by law, whichever is less.
ARTICLE 23 — ELECTRONIC SIGNATURES
23.1 Validity. This Addendum may be executed by electronic signature in accordance with the Ohio Uniform Electronic Transactions Act (Ohio Rev. Code §§ 1306.01 through 1306.23) and the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq.).
23.2 Legal Effect. Electronic signatures applied to this Addendum shall have the same legal force and effect as original handwritten signatures. A record or signature shall not be denied legal effect or enforceability solely because it is in electronic form.
23.3 Consent. By executing this Addendum electronically, each Party consents to the use of electronic signatures and agrees that such execution is sufficient to bind the Party.
23.4 Retention. Each Party shall retain an electronic copy of this executed Addendum in accordance with Ohio Rev. Code § 1306.12 and applicable record retention requirements.
ARTICLE 24 — GENERAL PROVISIONS
24.1 Entire Agreement. This Addendum, together with the Master Agreement, constitutes the entire agreement between the Parties with respect to information security and data protection for the services described therein.
24.2 Amendments. This Addendum may be amended only by a written instrument executed by authorized representatives of both Parties.
24.3 Severability. If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.
24.4 Waiver. No waiver of any right under this Addendum shall be effective unless in writing and signed by the waiving Party.
24.5 Notices. All notices under this Addendum shall be in writing and delivered to the addresses specified in the Master Agreement.
24.6 Term. This Addendum shall remain in effect for the duration of the Master Agreement and shall survive termination with respect to any Customer Data that remains in Provider's possession.
24.7 Counterparts. This Addendum may be executed in counterparts, each of which shall be deemed an original.
EXECUTION
IN WITNESS WHEREOF, the Parties have caused this Enterprise Security Addendum to be executed by their duly authorized representatives as of the Addendum Effective Date.
CUSTOMER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
PROVIDER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
SCHEDULE A — SECURITY CONTACTS
| Role | Customer | Provider |
|---|---|---|
| Primary Security Contact | [________________________________] | [________________________________] |
| Secondary Security Contact | [________________________________] | [________________________________] |
| Incident Response Lead | [________________________________] | [________________________________] |
| Privacy Officer | [________________________________] | [________________________________] |
| Executive Escalation | [________________________________] | [________________________________] |
SCHEDULE B — APPROVED SUBPROCESSORS
| Subprocessor Name | Services Provided | Data Processed | Location | Approval Date |
|---|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
SCHEDULE C — RECOGNIZED CYBERSECURITY FRAMEWORK ATTESTATION
Provider hereby attests that its Cybersecurity Program reasonably conforms to the following Recognized Cybersecurity Framework(s) under Ohio Rev. Code § 1354.03:
☐ NIST SP 800-53 Rev. 5
☐ NIST SP 800-171 Rev. 2
☐ NIST Cybersecurity Framework (CSF) 2.0
☐ ISO/IEC 27001:2022
☐ CIS Critical Security Controls v8
☐ FedRAMP
☐ PCI DSS (current version)
☐ Other: [________________________________]
Last Framework Assessment Date: [__/__/____]
Assessment Conducted By: [________________________________]
Certification/Attestation Expiration: [__/__/____]
PRE-EXECUTION CHECKLIST
☐ Master Agreement fully executed and referenced above
☐ All blanks and variable fields completed
☐ RPO and RTO values agreed upon and inserted in Article 12
☐ Approved Subprocessor list completed in Schedule B
☐ Security contact information completed in Schedule A
☐ Recognized Cybersecurity Framework attestation completed in Schedule C
☐ Insurance certificates obtained and reviewed
☐ Provider's current SOC 2 Type II or ISO 27001 certification reviewed
☐ ODPA safe harbor qualification verified
☐ Ohio-licensed counsel review completed
☐ Both Parties' authorized signatories confirmed
SOURCES AND REFERENCES
- Ohio Data Breach Notification Law — Ohio Rev. Code § 1349.19
  https://codes.ohio.gov/ohio-revised-code/section-1349.19
- Ohio Data Protection Act (Cybersecurity Safe Harbor) — Ohio Rev. Code §§ 1354.01–1354.05
  https://codes.ohio.gov/ohio-revised-code/chapter-1354
- Ohio Safe Harbor Requirements — Ohio Rev. Code § 1354.02
  https://codes.ohio.gov/ohio-revised-code/section-1354.02
- Ohio Reasonable Conformance — Ohio Rev. Code § 1354.03
  https://law.justia.com/codes/ohio/title-13/chapter-1354/section-1354-03/
- Ohio Uniform Trade Secrets Act — Ohio Rev. Code §§ 1333.61–1333.69
  https://codes.ohio.gov/ohio-revised-code/section-1333.61
- Ohio Uniform Electronic Transactions Act — Ohio Rev. Code §§ 1306.01–1306.23
  https://codes.ohio.gov/ohio-revised-code/chapter-1306
- NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization
  https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
- NIST Cybersecurity Framework 2.0
  https://www.nist.gov/cyberframework
- ISO/IEC 27001:2022 — Information Security Management Systems
  https://www.iso.org/standard/27001
- OWASP Top Ten
  https://owasp.org/www-project-top-ten/