SECURITY ADDENDUM (ENTERPRISE SAAS)
Pennsylvania Jurisdictional Version
Addendum Effective Date: [__/__/____]
Addendum Reference Number: [________________________________]
PARTIES
"Customer":
Name: [________________________________]
State of Organization: [________________________________]
Principal Office Address: [________________________________]
Contact Person: [________________________________]
Email: [________________________________]
Phone: [________________________________]
"Provider":
Name: [________________________________]
State of Organization: [________________________________]
Principal Office Address: [________________________________]
Security Contact Person: [________________________________]
Email: [________________________________]
Phone: [________________________________]
RECITALS
WHEREAS, Customer and Provider have entered into that certain Master Services Agreement, SaaS Subscription Agreement, or similar agreement dated [__/__/____] (the "Master Agreement"), pursuant to which Provider delivers certain cloud-based software-as-a-service solutions and related services to Customer;
WHEREAS, in connection with the performance of the Master Agreement, Provider will Process, store, transmit, and/or have access to Customer Data, including Personal Information of Pennsylvania residents and other Confidential Information;
WHEREAS, Customer requires that Provider maintain a comprehensive Information Security Program that meets or exceeds industry standards and complies with all applicable federal and Pennsylvania state laws, including the Pennsylvania Breach of Personal Information Notification Act (BPINA), 73 P.S. §§ 2301–2329;
WHEREAS, a violation of Pennsylvania's BPINA constitutes an unfair or deceptive act or practice under the Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL), 73 P.S. § 201-1 et seq., which carries significant enforcement consequences;
NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
ARTICLE 1 — DEFINITIONS
For purposes of this Security Addendum, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings ascribed to them in the Master Agreement.
1.1 "Authorized Users" means Customer's employees, contractors, agents, and other individuals who have been granted access to the Provider Systems by Customer in accordance with this Addendum and who have a legitimate business need for such access.
1.2 "Confidential Information" means all non-public information disclosed by either Party to the other Party, whether orally, in writing, or in electronic form, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information includes, without limitation, Customer Data, trade secrets as defined under the Pennsylvania Uniform Trade Secrets Act, business plans, technical specifications, source code, algorithms, and security configurations.
1.3 "Customer Data" means all data, records, files, content, and information of any type that Customer or its Authorized Users input, upload, transmit, or store within the Provider Systems, including Personal Information, High-Risk Data, and any data derived therefrom.
1.4 "Data Breach" means a breach of the security of the system as defined under 73 P.S. § 2302, specifically the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of the Commonwealth. For purposes of this Addendum, Data Breach also includes any Security Incident that results in the unauthorized access, acquisition, use, disclosure, or destruction of Customer Data.
1.5 "Data Processing" means any operation or set of operations performed on Customer Data, whether by automated means or otherwise, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
1.6 "Data Protection Agreement" or "DPA" means any separate data processing agreement or data protection addendum entered into between the Parties that governs the processing of personal data subject to applicable data protection laws, including but not limited to the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1.7 "Encryption Standard" means: (a) for data in transit, Transport Layer Security (TLS) version 1.2 or higher using cipher suites with a minimum key length of 128 bits; and (b) for data at rest, Advanced Encryption Standard (AES) with a minimum key length of 256 bits (AES-256), or a cryptographic standard of equivalent or greater strength as recognized by the National Institute of Standards and Technology (NIST).
1.8 "High-Risk Data" means any subset of Customer Data that, if subject to unauthorized access, acquisition, or disclosure, would pose a significant risk of harm, including: (a) financial account numbers, credit card numbers, or debit card numbers in combination with any required security code, access code, or password; (b) Social Security numbers; (c) protected health information (PHI) as defined under HIPAA; (d) biometric data; (e) authentication credentials; and (f) any data classified as "Restricted" or "Highly Confidential" under Customer's data classification policy.
1.9 "Information Security Program" means Provider's comprehensive, written program of administrative, technical, and physical safeguards designed to protect the security, confidentiality, integrity, and availability of Customer Data, as more fully described in this Addendum.
1.10 "Malware" means any software or code designed to damage, disrupt, gain unauthorized access to, or perform unauthorized operations on a computer system, network, or data, including viruses, worms, Trojan horses, ransomware, spyware, adware, rootkits, keyloggers, and any other form of malicious code.
1.11 "Personal Information" means, consistent with 73 P.S. § 2302, an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted: (a) Social Security number; (b) driver's license number or a state identification card number issued in lieu of a driver's license; (c) financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account; (d) medical information (any individually identifiable information contained in medical or health insurance records, including a medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional); and (e) health insurance information (an individual's health insurance policy number or subscriber identification number in combination with any other unique identifier used by a health insurer to identify the individual). The Pennsylvania definition notably includes medical information and health insurance information as protected data elements.
1.12 "Provider Systems" means all information technology infrastructure, systems, applications, networks, databases, servers (whether physical or virtual), cloud environments, and endpoints owned, operated, managed, or controlled by Provider that are used to Process, store, or transmit Customer Data.
1.13 "Security Incident" means any event that results in or may reasonably result in unauthorized access, acquisition, use, disclosure, modification, or destruction of Customer Data or any component of the Provider Systems, including but not limited to successful or attempted unauthorized access, Malware infections, denial-of-service attacks, loss or theft of equipment containing Customer Data, and any event that triggers notification obligations under applicable law.
1.14 "Subprocessor" means any third party engaged by Provider to Process Customer Data on Provider's behalf, including cloud infrastructure providers, managed service providers, data center operators, and any other entity that has access to or processes Customer Data in connection with the services provided under the Master Agreement.
1.15 "Vulnerability" means a weakness, flaw, or deficiency in a system, application, process, or control that could be exploited by a threat actor to gain unauthorized access to or otherwise compromise the security, confidentiality, integrity, or availability of Customer Data or the Provider Systems. Vulnerabilities are classified by severity using the Common Vulnerability Scoring System (CVSS) as follows: Critical (CVSS 9.0–10.0), High (CVSS 7.0–8.9), Medium (CVSS 4.0–6.9), and Low (CVSS 0.1–3.9).
ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE
2.1 Scope. This Security Addendum applies to all Customer Data that Provider Processes, stores, transmits, or otherwise accesses in connection with the Master Agreement. This Addendum establishes the minimum security requirements that Provider must implement and maintain throughout the term of the Master Agreement and for so long as Provider retains any Customer Data.
2.2 Order of Precedence. In the event of any conflict or inconsistency between the terms of this Security Addendum and the Master Agreement, the terms of this Security Addendum shall prevail with respect to matters relating to information security, data protection, breach notification, and the safeguarding of Customer Data. In the event of any conflict between this Security Addendum and any DPA, the more protective provision shall govern.
2.3 Minimum Standards. The security obligations set forth in this Addendum represent minimum requirements. Provider shall implement additional or enhanced security measures to the extent required by applicable law, industry standards, or the nature and sensitivity of the Customer Data being processed.
2.4 Regulatory Compliance. Provider shall comply with all applicable federal, state, and local laws, regulations, and rules relating to information security and data protection, including but not limited to the Pennsylvania Breach of Personal Information Notification Act (73 P.S. §§ 2301–2329), the Pennsylvania Unfair Trade Practices and Consumer Protection Law (73 P.S. § 201-1 et seq.), and all applicable Pennsylvania cybersecurity requirements.
ARTICLE 3 — INFORMATION SECURITY PROGRAM
3.1 Program Requirements. Provider shall establish, implement, and maintain a comprehensive Information Security Program that is designed to:
(a) Protect the security, confidentiality, integrity, and availability of Customer Data;
(b) Protect against any anticipated threats or hazards to the security or integrity of Customer Data;
(c) Protect against unauthorized access to or use of Customer Data that could result in substantial harm or inconvenience to any individual;
(d) Comply with all applicable federal, state, and local laws, regulations, and rules, including the Pennsylvania BPINA; and
(e) Align with one or more of the following recognized security frameworks:
- ☐ ISO/IEC 27001:2022 (Information Security Management Systems)
- ☐ SOC 2 Type II (Trust Services Criteria)
- ☐ NIST Cybersecurity Framework (CSF) 2.0
- ☐ NIST Special Publication 800-53 Rev. 5
- ☐ CIS Controls v8
3.2 Risk Assessment. Provider shall conduct comprehensive risk assessments at least annually, and additionally whenever there is a material change in Provider's operations, technology, or threat landscape. Risk assessments shall:
(a) Identify reasonably foreseeable internal and external threats to the security, confidentiality, integrity, and availability of Customer Data;
(b) Assess the likelihood and potential impact of each identified threat;
(c) Evaluate the sufficiency of existing safeguards and controls;
(d) Document findings and remediation plans; and
(e) Be conducted by qualified information security professionals.
3.3 Security Officer. Provider shall designate a qualified individual as its Chief Information Security Officer (CISO) or equivalent security officer who shall be responsible for the development, implementation, maintenance, and enforcement of the Information Security Program. The designated security officer as of the Addendum Effective Date is:
Name: [________________________________]
Title: [________________________________]
Email: [________________________________]
Phone: [________________________________]
Provider shall notify Customer in writing within thirty (30) days of any change in the designated security officer.
3.4 Security Policies. Provider shall maintain comprehensive, written information security policies and procedures that address, at a minimum, the topics covered by this Addendum. Such policies shall be reviewed and updated at least annually and shall be made available to Customer upon request.
ARTICLE 4 — ACCESS CONTROLS
4.1 Role-Based Access Control (RBAC). Provider shall implement and enforce a role-based access control model that restricts access to Customer Data and Provider Systems to only those individuals who require such access to perform their assigned duties. Access rights shall be granted based on the principle of least privilege and the principle of need-to-know.
4.2 Multi-Factor Authentication (MFA). Provider shall require multi-factor authentication for:
(a) All remote access to Provider Systems that contain or process Customer Data;
(b) All access to administrative or privileged accounts;
(c) All access to cloud management consoles and infrastructure;
(d) All VPN connections to Provider's internal network; and
(e) All access to Customer Data from outside Provider's secured network.
4.3 Privileged Access Management. Provider shall implement enhanced controls for privileged accounts, including:
(a) Maintaining a current inventory of all privileged accounts;
(b) Using dedicated administrative accounts separate from standard user accounts;
(c) Implementing privileged access workstations for high-risk administrative tasks;
(d) Logging and monitoring all privileged account activity;
(e) Rotating privileged account credentials at least every ninety (90) days; and
(f) Implementing just-in-time or time-limited privileged access where technically feasible.
4.4 Access Reviews. Provider shall conduct formal access reviews at least quarterly to verify that:
(a) All user accounts remain active, valid, and necessary;
(b) Access rights are commensurate with current job responsibilities;
(c) Terminated or transferred personnel have had their access promptly revoked;
(d) Service accounts and system accounts are reviewed and validated; and
(e) Any identified access anomalies are investigated and remediated.
4.5 Password and Authentication Policies. Provider shall enforce the following minimum password requirements:
(a) Minimum password length of fourteen (14) characters;
(b) Complexity requirements including uppercase, lowercase, numeric, and special characters;
(c) Password history enforcement preventing reuse of the last twenty-four (24) passwords;
(d) Account lockout after no more than five (5) consecutive failed login attempts;
(e) Session timeout after no more than fifteen (15) minutes of inactivity for systems accessing Customer Data; and
(f) Prohibition of shared accounts and default credentials.
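Illustrative code, added to this edition and not part of the Addendum or of either Party's systems: a Python enforcement of the Section 4.5 minimums, showing the length and character-class checks of 4.5(a)-(b), a password history that keeps the last twenty-four salted digests for 4.5(c) so that reuse can be detected without storing plaintext, the consecutive-failure lockout of 4.5(d), and the inactivity timeout of 4.5(e). The PBKDF2 iteration count and the sample passwords are assumptions of the example, not values the Addendum specifies.

```python
import hashlib
import hmac
import os
import re
from collections import deque
from datetime import datetime, timedelta

# Policy values taken from Section 4.5 of the Addendum.
MIN_LENGTH = 14                          # 4.5(a)
HISTORY_DEPTH = 24                       # 4.5(c)
MAX_FAILED_ATTEMPTS = 5                  # 4.5(d)
SESSION_TIMEOUT = timedelta(minutes=15)  # 4.5(e)

# Iteration count is kept low so the example runs quickly; it is an assumption of
# this example, not a value the Addendum specifies. Production uses a higher count.
KDF_ITERATIONS = 10_000

_CLASSES = {  # 4.5(b): all four classes are required
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "numeric": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


class PasswordHistory:
    """Salted digests of the last HISTORY_DEPTH passwords for one account (oldest first)."""

    def __init__(self):
        self._entries = deque(maxlen=HISTORY_DEPTH)  # oldest entry drops off automatically

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _derive(password, salt)))

    def was_used(self, password: str) -> bool:
        # Every entry has its own salt, so the candidate is re-derived per entry and
        # compared in constant time; plaintext passwords are never stored.
        return any(hmac.compare_digest(_derive(password, salt), digest)
                   for salt, digest in self._entries)


def check_password(candidate: str, history: PasswordHistory) -> list:
    """Return the 4.5(a)-(c) rules the candidate violates; an empty list means acceptable."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"length<{MIN_LENGTH}")
    missing = [name for name, rx in _CLASSES.items() if not rx.search(candidate)]
    if missing:
        violations.append("missing:" + ",".join(missing))
    if history.was_used(candidate):
        violations.append(f"reused-within-last-{HISTORY_DEPTH}")
    return violations


class LoginGuard:
    """Consecutive-failure lockout per account (4.5(d)); unlocking is an administrative action."""

    def __init__(self):
        self._failures = {}
        self._locked = set()

    def record_failure(self, account: str) -> bool:
        """Record one failed attempt; return True if the account is now locked."""
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= MAX_FAILED_ATTEMPTS:
            self._locked.add(account)
        return account in self._locked

    def record_success(self, account: str) -> None:
        self._failures[account] = 0  # the counter tracks *consecutive* failures only

    def is_locked(self, account: str) -> bool:
        return account in self._locked

    def unlock(self, account: str) -> None:
        self._locked.discard(account)
        self._failures[account] = 0


def session_expired(last_activity: datetime, now: datetime) -> bool:
    """4.5(e): a session idle for longer than SESSION_TIMEOUT must be terminated."""
    return now - last_activity > SESSION_TIMEOUT


if __name__ == "__main__":
    history = PasswordHistory()
    history.record("Correct-Horse-Battery-9")
    print(check_password("Correct-Horse-Battery-9", history))   # reuse is rejected
    print(check_password("Another-Strong-Passw0rd!", history))  # []
```

The history check re-derives the candidate against each stored salt rather than comparing a single unsalted hash, which is what keeps the 24-entry history from becoming an offline cracking target if it is ever exfiltrated.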
4.6 Access Termination. Provider shall revoke all access to Customer Data and Provider Systems within twenty-four (24) hours of an employee's or contractor's termination, and shall modify access rights within forty-eight (48) hours of any role change that no longer requires the current level of access.
ARTICLE 5 — ENCRYPTION STANDARDS
5.1 Encryption in Transit. All Customer Data transmitted over any network, including but not limited to the internet, wireless networks, and Provider's internal network, shall be encrypted using TLS version 1.2 or higher with cipher suites that provide forward secrecy. Provider shall disable all deprecated protocols, including SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1.
5.2 Encryption at Rest. All Customer Data stored on any medium, including databases, file systems, backups, archives, and removable media, shall be encrypted using AES-256 or a cryptographic standard of equivalent or greater strength. Pennsylvania's BPINA provides an encryption safe harbor; personal information that is encrypted or redacted is excluded from the notification requirement, making consistent encryption essential.
5.3 Key Management. Provider shall implement a comprehensive key management program that includes:
(a) Generation of encryption keys using cryptographically secure random number generators;
(b) Secure storage of encryption keys separate from the data they protect;
(c) Access controls limiting key access to authorized personnel only;
(d) Key rotation at least annually and upon suspicion of compromise;
(e) Secure destruction of retired encryption keys using methods that prevent recovery; and
(f) Documented key management procedures aligned with NIST Special Publication 800-57.
5.4 Certificate Management. Provider shall maintain a comprehensive certificate management program that includes tracking certificate expiration dates, timely renewal of certificates, and immediate revocation of compromised certificates.
ARTICLE 6 — NETWORK SECURITY
6.1 Network Segmentation. Provider shall implement network segmentation to isolate Customer Data environments from other networks, including:
(a) Logical separation of Customer Data processing environments from Provider's corporate network;
(b) Segmentation between different customers' environments in multi-tenant architectures;
(c) Isolation of development, staging, and production environments; and
(d) Dedicated management networks for administrative access.
6.2 Firewalls and Access Control Lists. Provider shall deploy and maintain enterprise-grade firewalls and access control lists at all network perimeters and between network segments. Firewall rules shall follow a default-deny policy, permitting only traffic that is explicitly authorized.
6.3 Intrusion Detection and Prevention Systems (IDS/IPS). Provider shall deploy and maintain network-based and host-based intrusion detection and prevention systems that:
(a) Monitor all network traffic to and from Customer Data environments;
(b) Use signature-based and behavior-based detection methods;
(c) Generate real-time alerts for detected threats;
(d) Are updated with current threat signatures at least daily; and
(e) Are monitored twenty-four (24) hours per day, seven (7) days per week, three hundred sixty-five (365) days per year.
6.4 DDoS Protection. Provider shall implement distributed denial-of-service (DDoS) mitigation capabilities, including traffic analysis, rate limiting, and automated mitigation for volumetric, protocol, and application-layer attacks.
6.5 Virtual Private Network (VPN). All remote administrative access to Provider Systems containing Customer Data shall be conducted through encrypted VPN connections using current, industry-accepted protocols with multi-factor authentication.
6.6 Wireless Security. Provider shall implement WPA3 or equivalent security for any wireless networks that have connectivity to systems containing Customer Data, and shall maintain a separate guest wireless network that is fully isolated from production environments.
ARTICLE 7 — APPLICATION SECURITY
7.1 Secure Software Development Lifecycle (SDLC). Provider shall implement and maintain a secure SDLC that incorporates security requirements, threat modeling, secure coding practices, security testing, and security review at each phase of development.
7.2 OWASP Top 10. Provider shall design, develop, and test all applications that process Customer Data to protect against the current OWASP Top 10 vulnerabilities and shall maintain documentation demonstrating compliance with OWASP security guidelines.
7.3 Static and Dynamic Application Security Testing. Provider shall perform:
(a) Static Application Security Testing (SAST) on all application source code prior to each release;
(b) Dynamic Application Security Testing (DAST) on all running applications at least quarterly; and
(c) Interactive Application Security Testing (IAST) during quality assurance testing as appropriate.
7.4 API Security. Provider shall secure all application programming interfaces (APIs) through:
(a) Authentication and authorization for all API calls;
(b) Input validation and output encoding;
(c) Rate limiting and throttling;
(d) API versioning and deprecation management;
(e) Comprehensive API logging and monitoring; and
(f) Regular security testing of all APIs.
7.5 Code Review. All code changes affecting systems that process Customer Data shall undergo peer review by at least one qualified developer other than the author prior to deployment to production environments.
7.6 Third-Party Components. Provider shall maintain an inventory of all third-party libraries, frameworks, and components used in applications that process Customer Data, and shall monitor such components for known vulnerabilities and apply patches or updates in accordance with the vulnerability management timelines specified in Article 8.
ARTICLE 8 — VULNERABILITY MANAGEMENT
8.1 Vulnerability Scanning. Provider shall conduct automated vulnerability scans of all Provider Systems at least monthly, and additionally after any significant change to the environment.
8.2 Remediation Timelines. Provider shall remediate identified vulnerabilities according to the following timelines, measured from the date of discovery or notification:
| Severity Level | CVSS Score | Remediation Timeline |
|---|---|---|
| Critical | 9.0–10.0 | Twenty-four (24) hours |
| High | 7.0–8.9 | Seven (7) calendar days |
| Medium | 4.0–6.9 | Thirty (30) calendar days |
| Low | 0.1–3.9 | Ninety (90) calendar days |
8.3 Patch Management. Provider shall implement a formal patch management program that includes:
(a) Monitoring vendor announcements and security advisories for applicable patches;
(b) Testing patches in a non-production environment prior to deployment;
(c) Deploying security patches within the remediation timelines specified in Section 8.2;
(d) Emergency patching procedures for actively exploited zero-day vulnerabilities; and
(e) Documentation and tracking of all patch activities.
8.4 Compensating Controls. Where immediate remediation of a vulnerability is not technically feasible, Provider shall implement compensating controls to mitigate the risk and shall document the compensating controls, the justification for the delayed remediation, and the planned remediation date. Provider shall notify Customer of any Critical or High vulnerability for which compensating controls are implemented in lieu of timely remediation.
8.5 Vulnerability Reporting. Provider shall provide Customer with quarterly vulnerability management reports that include the number of vulnerabilities identified by severity, remediation status, average time to remediate, and any exceptions or compensating controls in place.
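Illustrative code, added to this edition and not part of the Addendum or of either Party's systems: a Python tracker that applies the Section 1.15 severity bands and the Section 8.2 remediation timelines to a set of findings, marks findings that are open, overdue, or handled under compensating controls (Section 8.4), produces the Section 8.5 quarterly figures (counts by severity, remediation status, average time to remediate, exceptions), and lists the Critical and High exceptions that Section 8.4 requires Provider to notify to Customer. The finding identifiers, scores, and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Severity bands (Section 1.15) and remediation timelines (Section 8.2) of the Addendum.
SEVERITY_BANDS = [
    ("Critical", 9.0, 10.0),
    ("High", 7.0, 8.9),
    ("Medium", 4.0, 6.9),
    ("Low", 0.1, 3.9),
]
REMEDIATION_SLA = {
    "Critical": timedelta(hours=24),
    "High": timedelta(days=7),
    "Medium": timedelta(days=30),
    "Low": timedelta(days=90),
}


def severity_for(cvss: float) -> str:
    """Map a CVSS base score to the Addendum's severity level."""
    for name, low, high in SEVERITY_BANDS:
        if low <= cvss <= high:
            return name
    raise ValueError(f"CVSS score {cvss} is outside the 0.1-10.0 bands defined in Section 1.15")


@dataclass
class Finding:
    finding_id: str
    cvss: float
    discovered: datetime                        # date of discovery or notification (8.2)
    remediated: Optional[datetime] = None
    compensating_control: Optional[str] = None  # populated when Section 8.4 is invoked

    @property
    def severity(self) -> str:
        return severity_for(self.cvss)

    @property
    def due(self) -> datetime:
        return self.discovered + REMEDIATION_SLA[self.severity]

    def status(self, now: datetime) -> str:
        if self.remediated is not None:
            return "remediated-on-time" if self.remediated <= self.due else "remediated-late"
        if self.compensating_control:
            return "compensating-control"
        return "open" if now <= self.due else "overdue"


def quarterly_report(findings, now: datetime) -> dict:
    """Build the Section 8.5 figures: counts by severity, remediation status,
    average time to remediate (hours), and exceptions under Section 8.4."""
    report = {}
    for severity in REMEDIATION_SLA:
        group = [f for f in findings if f.severity == severity]
        closed = [f for f in group if f.remediated is not None]
        hours = [(f.remediated - f.discovered).total_seconds() / 3600 for f in closed]
        report[severity] = {
            "identified": len(group),
            "remediated": len(closed),
            "overdue": sum(1 for f in group if f.status(now) == "overdue"),
            "avg_hours_to_remediate": round(mean(hours), 1) if hours else None,
            "exceptions": [f.finding_id for f in group if f.compensating_control],
        }
    return report


def customer_notifications_required(findings) -> list:
    """Section 8.4: Critical or High findings covered by compensating controls
    instead of timely remediation must be notified to Customer."""
    return [f.finding_id for f in findings
            if f.compensating_control and f.severity in ("Critical", "High")]


# Constructed sample findings (identifiers, scores and dates are illustrative only).
SAMPLE_FINDINGS = [
    Finding("F-001", 9.8, datetime(2024, 3, 30, 9), remediated=datetime(2024, 3, 30, 20)),
    Finding("F-002", 7.5, datetime(2024, 3, 20, 10), remediated=datetime(2024, 3, 29, 10)),
    Finding("F-003", 8.1, datetime(2024, 3, 28, 8), compensating_control="WAF virtual patch"),
    Finding("F-004", 5.3, datetime(2024, 2, 15, 9)),
    Finding("F-005", 2.0, datetime(2024, 3, 1, 9)),
    Finding("F-006", 9.1, datetime(2024, 3, 31, 18)),
]
AS_OF = datetime(2024, 4, 1, 12)

if __name__ == "__main__":
    for severity, row in quarterly_report(SAMPLE_FINDINGS, AS_OF).items():
        print(severity, row)
    print("notify Customer:", customer_notifications_required(SAMPLE_FINDINGS))
```

Because the Critical timeline is expressed in hours while the others are in days, the due date is computed from a full timestamp rather than a calendar date; a finding remediated after its due time is reported as late even if it was closed the same day.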
ARTICLE 9 — LOGGING, MONITORING, AND AUDIT
9.1 Security Information and Event Management (SIEM). Provider shall deploy and maintain an enterprise SIEM system that aggregates, correlates, and analyzes security logs from all Provider Systems that process, store, or transmit Customer Data.
9.2 Logging Requirements. Provider shall maintain comprehensive audit logs that capture, at a minimum:
(a) All user authentication events (successful and failed);
(b) All access to Customer Data, including read, write, modify, and delete operations;
(c) All administrative and privileged account activities;
(d) All changes to system configurations, security policies, and access controls;
(e) All network security events, including firewall, IDS/IPS, and VPN activity;
(f) All data export, download, and transfer events; and
(g) All system and application errors related to security functions.
9.3 Log Retention. Provider shall retain all security-relevant logs for a minimum of twelve (12) months in an immediately accessible format and for an additional twelve (12) months in archive storage.
9.4 Real-Time Alerting. Provider shall implement real-time alerting for security events that indicate potential threats to Customer Data, including but not limited to:
(a) Multiple failed authentication attempts;
(b) Unauthorized access attempts or privilege escalation;
(c) Anomalous data access patterns or bulk data extraction;
(d) Malware detection;
(e) Changes to critical system configurations; and
(f) Communication with known malicious IP addresses or domains.
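Illustrative code, added to this edition and not part of the Addendum or of either Party's systems: a small streaming detector in Python that evaluates three of the Section 9.4 conditions over sample log lines, namely repeated failed authentication from one user and source within a sliding window (9.4(a)), cumulative record exports by one user exceeding a volume threshold (9.4(c)), and any event whose destination appears on a blocklist (9.4(f)). The log format, the numeric thresholds, the blocklist entry, and the sample lines are all assumptions constructed for the example; the Addendum names the event categories but fixes no thresholds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection thresholds are assumptions of this example; the Addendum names the
# event categories (Section 9.4) but does not fix numeric thresholds.
FAILED_AUTH_THRESHOLD = 5                  # 9.4(a)
FAILED_AUTH_WINDOW = timedelta(minutes=10)
BULK_EXPORT_THRESHOLD = 10_000             # 9.4(c): records exported per user per window
BULK_EXPORT_WINDOW = timedelta(hours=1)
MALICIOUS_IPS = {"198.51.100.23"}          # 9.4(f): constructed blocklist (TEST-NET-2 address)

# Constructed log format: "<ISO-8601 UTC timestamp> <event> key=value ..."
LINE_RX = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s*(?P<kv>.*)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(pair.split("=", 1) for pair in m["kv"].split() if "=" in pair)
    return {"ts": ts, "event": m["event"], **fields}


class Detector:
    """Stateful, streaming evaluation of the 9.4(a), (c) and (f) alert conditions."""

    def __init__(self):
        self._failed = defaultdict(deque)   # (user, src) -> failure timestamps in window
        self._exports = defaultdict(deque)  # user -> (timestamp, record count) in window

    def process(self, rec: dict) -> list:
        alerts = []
        ts = rec["ts"]
        if rec["event"] == "auth.failed":
            key = (rec.get("user"), rec.get("src"))
            q = self._failed[key]
            q.append(ts)
            while q and ts - q[0] > FAILED_AUTH_WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= FAILED_AUTH_THRESHOLD:
                alerts.append(("failed-auth-burst", key, len(q)))
                q.clear()  # one alert per burst, not one per subsequent failure
        elif rec["event"] == "data.export":
            user = rec.get("user")
            q = self._exports[user]
            q.append((ts, int(rec.get("records", "0"))))
            while q and ts - q[0][0] > BULK_EXPORT_WINDOW:
                q.popleft()
            total = sum(count for _, count in q)
            if total >= BULK_EXPORT_THRESHOLD:
                alerts.append(("bulk-export", user, total))
                q.clear()
        dst = rec.get("dst")
        if dst in MALICIOUS_IPS:  # applies to any event type that carries a destination
            alerts.append(("malicious-destination", rec.get("src"), dst))
        return alerts


def run(lines) -> list:
    """Feed log lines through the detector in order and collect the alerts raised."""
    detector = Detector()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            alerts.extend(detector.process(rec))
    return alerts


# Constructed sample log (documentation-range addresses, fictitious users).
SAMPLE_LOG = """\
2024-04-01T12:00:01Z auth.failed user=alice src=203.0.113.7
2024-04-01T12:00:03Z auth.failed user=alice src=203.0.113.7
2024-04-01T12:00:05Z auth.failed user=alice src=203.0.113.7
2024-04-01T12:00:07Z auth.failed user=alice src=203.0.113.7
2024-04-01T12:00:09Z auth.success user=bob src=203.0.113.9
2024-04-01T12:00:11Z auth.failed user=alice src=203.0.113.7
2024-04-01T12:05:00Z data.export user=bob records=6000 dst=203.0.113.9
2024-04-01T12:20:00Z data.export user=bob records=5000 dst=203.0.113.9
2024-04-01T12:30:00Z net.connect src=10.0.0.5 dst=198.51.100.23
2024-04-01T14:00:00Z auth.failed user=carol src=203.0.113.10
""".splitlines()

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

The export rule sums record counts over the window rather than testing each event alone, so two exports that are individually under the threshold still raise the 9.4(c) alert when their combined volume within the hour exceeds it; a single failed login from a new user, by contrast, produces no alert.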
9.5 Monitoring. Provider shall monitor all Provider Systems containing Customer Data on a twenty-four (24) hours per day, seven (7) days per week, three hundred sixty-five (365) days per year basis through a combination of automated tools and qualified security personnel.
ARTICLE 10 — DATA SEGREGATION AND RESIDENCY
10.1 Tenant Isolation. In multi-tenant environments, Provider shall implement logical and, where appropriate, physical controls to ensure that Customer Data is segregated from the data of other customers.
10.2 Data Residency. Unless otherwise agreed in writing, Provider shall store and process all Customer Data within the continental United States. Provider shall not transfer Customer Data outside the United States without Customer's prior written consent. Current data storage locations are:
Primary Data Center: [________________________________]
Secondary/DR Data Center: [________________________________]
10.3 Data Classification. Provider shall support Customer's data classification requirements and shall implement appropriate technical and organizational controls for each classification level. At a minimum, Provider shall recognize the following categories:
(a) Public — Information intended for public disclosure;
(b) Internal — Information for internal use that is not intended for public disclosure;
(c) Confidential — Sensitive business information requiring enhanced protection; and
(d) Restricted — Highly sensitive information, including High-Risk Data, requiring the highest level of protection.
10.4 Environment Separation. Provider shall maintain separate environments for development, testing, staging, and production. Customer Data shall not be used in development or testing environments unless it has been de-identified or anonymized in a manner that prevents re-identification.
ARTICLE 11 — PENETRATION TESTING
11.1 Annual Penetration Testing. Provider shall engage a qualified, independent third-party security firm to conduct comprehensive penetration testing of all Provider Systems that process or store Customer Data at least annually. Penetration testing shall include:
(a) External network penetration testing;
(b) Internal network penetration testing;
(c) Web application penetration testing;
(d) API penetration testing;
(e) Social engineering testing; and
(f) Wireless network penetration testing (where applicable).
11.2 Testing Standards. Penetration tests shall be conducted in accordance with recognized methodologies, including the Penetration Testing Execution Standard (PTES), OWASP Testing Guide, or NIST SP 800-115.
11.3 Reporting. Provider shall provide Customer with an executive summary of penetration test results within thirty (30) days of test completion. Full reports shall be available under NDA.
11.4 Remediation. Provider shall remediate all findings in accordance with the timelines set forth in Article 8. Provider shall conduct re-testing to confirm successful remediation of all Critical and High findings.
11.5 Customer Testing. Customer may, upon thirty (30) days' prior written notice and subject to mutually agreed scope and rules of engagement, conduct its own penetration testing or engage a third party to do so.
ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY
12.1 Business Continuity Plan (BCP). Provider shall develop, implement, and maintain a comprehensive business continuity plan that ensures the continued availability of the services and the protection of Customer Data in the event of a disaster, disruption, or other emergency.
12.2 Disaster Recovery Plan (DRP). Provider shall maintain a disaster recovery plan that includes, at a minimum:
(a) Recovery Point Objective (RPO): Maximum tolerable data loss shall not exceed [____] hours;
(b) Recovery Time Objective (RTO): Maximum tolerable downtime shall not exceed [____] hours;
(c) Documented recovery procedures for all critical systems;
(d) Identified recovery team roles and responsibilities;
(e) Communication procedures for notifying Customer of disaster events; and
(f) Procedures for failover to geographically redundant facilities.
12.3 Geographic Redundancy. Provider shall maintain geographically redundant data processing and storage capabilities at facilities separated by a minimum of [____] miles to protect against regional disasters.
12.4 Annual Testing. Provider shall test its BCP and DRP at least annually through tabletop exercises, functional exercises, or full-scale tests. Provider shall provide Customer with a summary of test results and any identified improvements within thirty (30) days of each test.
12.5 Backup Requirements. Provider shall maintain regular, encrypted backups of all Customer Data in accordance with the following schedule:
(a) Full backups at least weekly;
(b) Incremental or differential backups at least daily;
(c) Transaction log backups at least every four (4) hours for database systems; and
(d) Backup integrity verification through regular restoration testing at least quarterly.
ARTICLE 13 — INCIDENT RESPONSE AND BREACH NOTIFICATION
Pennsylvania-Specific Breach Notification Requirements (73 P.S. §§ 2301–2329 — BPINA)
13.1 Incident Response Plan. Provider shall develop, implement, and maintain a comprehensive incident response plan that addresses the identification, containment, eradication, recovery, and post-incident review of Security Incidents. The plan shall be tested at least annually through tabletop exercises or simulations.
13.2 Initial Notification to Customer. Provider shall notify Customer of any confirmed or suspected Security Incident or Data Breach affecting Customer Data as follows:
(a) Initial notification: Within twenty-four (24) hours of discovery or becoming aware of the Security Incident;
(b) Method: Via telephone to Customer's designated security contact, followed by written notification via email; and
(c) Content of initial notification: A description of the incident, the date and time of discovery, the categories of data affected, the estimated number of records affected, and the immediate steps taken to contain the incident.
13.3 Pennsylvania Statutory Breach Notification. In the event of a Data Breach involving Personal Information of Pennsylvania residents as defined under 73 P.S. § 2302:
(a) Notification to Affected Individuals. Provider shall, at its own cost and in coordination with Customer, provide notice to affected Pennsylvania residents without unreasonable delay. The notice may be provided by:
- (i) Written notice sent to the individual's last known home address;
- (ii) Telephonic notice, if the affected individual can be reasonably expected to receive the notice and the notice is given in a clear and conspicuous manner, describes the breach in general terms, verifies personal information but does not require the individual to disclose personal information, and provides a telephone number for further information;
- (iii) E-mail notice, if a prior business relationship exists and the entity has a valid e-mail address for the individual; or
- (iv) Substitute notice (if the cost exceeds One Hundred Thousand Dollars ($100,000.00), the affected class exceeds one hundred seventy-five thousand (175,000) persons, or the entity does not have sufficient contact information), consisting of: e-mail notice, conspicuous posting on the entity's website, and notification to major statewide media.
(b) Notification to Pennsylvania Attorney General. Pursuant to 73 P.S. § 2303, if more than five hundred (500) Pennsylvania residents are to be notified, Provider shall provide notice to the Pennsylvania Attorney General without unreasonable delay. The notification shall include:
- (i) The nature of the breach;
- (ii) The number of Pennsylvania residents affected;
- (iii) The types of personal information involved;
- (iv) A description of the steps taken to investigate and remediate the breach; and
- (v) Contact information for the reporting entity.
(c) Credit Reporting and Monitoring. Pursuant to 73 P.S. § 2303, an entity that provides notice of a breach involving a Social Security number or driver's license number must also offer the affected individual credit monitoring services for a minimum of one (1) year at no cost to the individual. If the breach involves the individual's financial information, the entity may instead provide a notice of the breach and a description of the affected individual's rights under the Fair Credit Reporting Act.
(d) Vendor Notification to Owner/Licensee. Under 73 P.S. § 2303, an entity that maintains, stores, or manages computerized data on behalf of another entity (such as Provider) shall provide notice of the breach to the entity on whose behalf the data is maintained (Customer) within a reasonable time following discovery, so that Customer can make any required notifications. Provider shall provide such notice to Customer within twenty-four (24) hours as specified in Section 13.2.
(e) Encryption Safe Harbor. The notification requirements under the BPINA do not apply to personal information that is encrypted or redacted.
(f) Law Enforcement Delay. Notification may be delayed if a law enforcement agency determines and advises the entity in writing that the notification will impede a criminal or civil investigation. The notification shall be made without unreasonable delay after the law enforcement agency determines it will no longer impede the investigation.
13.4 UTPCPL Enforcement. A violation of the BPINA constitutes an unfair or deceptive act or practice in violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law (73 P.S. § 201-1 et seq.). The consequences include:
(a) The Office of the Pennsylvania Attorney General has exclusive enforcement authority for violations of the notification requirements;
(b) The Attorney General may seek injunctive relief to require proper notification or prevent future violations;
(c) The Attorney General may seek civil penalties in the event of willful violations, including up to One Thousand Dollars ($1,000.00) per violation;
(d) The Attorney General may also seek restitution for affected individuals; and
(e) Provider acknowledges these enforcement provisions and agrees to cooperate fully with Customer in any regulatory investigation or enforcement action.
13.5 Ongoing Updates. Following the initial notification, Provider shall provide Customer with regular updates, no less frequently than every twenty-four (24) hours during active incident response and every seventy-two (72) hours thereafter, until the incident is fully resolved. Updates shall include:
(a) Status of containment and eradication efforts;
(b) Root cause analysis progress;
(c) Updated scope and impact assessment;
(d) Remediation steps taken and planned; and
(e) Evidence preservation status.
13.6 Post-Incident Report. Provider shall deliver a comprehensive written post-incident report to Customer within thirty (30) days of the resolution of any Security Incident.
ARTICLE 14 — SUBPROCESSOR MANAGEMENT
14.1 Subprocessor Approval. Provider shall not engage any Subprocessor to Process Customer Data without Customer's prior written consent.
14.2 Current Subprocessors. Provider's current Subprocessors as of the Addendum Effective Date are listed in Exhibit A attached hereto.
14.3 New Subprocessor Notification. Provider shall provide Customer with at least thirty (30) days' prior written notice before engaging any new Subprocessor. Customer may object within fifteen (15) days. If no resolution is reached, Customer may terminate the affected services without penalty.
14.4 Flow-Down Requirements. Provider shall ensure that all Subprocessors are bound by written agreements that impose data protection and security obligations no less protective than those set forth in this Addendum. Consistent with 73 P.S. § 2303, Subprocessors maintaining data on behalf of Provider must notify Provider of any breach in a reasonable time. Provider shall be fully responsible and liable for the acts and omissions of its Subprocessors.
14.5 Subprocessor Audit. Provider shall conduct an initial security assessment of each Subprocessor prior to engagement and shall conduct ongoing assessments at least annually thereafter.
ARTICLE 15 — PERSONNEL SECURITY
15.1 Background Checks. Provider shall conduct pre-employment background checks on all personnel who will have access to Customer Data, to the extent permitted by applicable law. Background checks shall include, at a minimum:
(a) Criminal history check;
(b) Employment verification for the prior seven (7) years;
(c) Education verification; and
(d) Reference checks.
15.2 Confidentiality Agreements. All Provider personnel who have access to Customer Data shall execute written confidentiality and non-disclosure agreements prior to being granted access.
15.3 Security Awareness Training. Provider shall require all personnel with access to Customer Data to complete security awareness training:
(a) Upon hire or initial assignment;
(b) At least annually thereafter; and
(c) Upon the occurrence of material changes to security policies or procedures, or following a Security Incident.
Training shall cover, at a minimum, data handling procedures, phishing awareness, social engineering, password security, incident reporting, and applicable regulatory requirements including the Pennsylvania BPINA, UTPCPL implications, and the handling of medical and health insurance information.
15.4 Specialized Training. Personnel with specific security responsibilities shall receive specialized training appropriate to their roles, including secure coding practices for developers, incident response training for security team members, and compliance training for personnel handling regulated data.
ARTICLE 16 — PHYSICAL SECURITY
16.1 Data Center Standards. All data centers used to store or process Customer Data shall maintain, at a minimum, SOC 2 Type II certification or equivalent third-party security certification. Data center physical security controls shall include:
(a) Twenty-four (24) hour, seven (7) day per week physical security personnel;
(b) Multi-factor physical access controls (badge, biometric, PIN);
(c) Closed-circuit television (CCTV) surveillance with a minimum retention of ninety (90) days;
(d) Visitor escort requirements and visitor logs;
(e) Mantrap or airlock entry systems for sensitive areas; and
(f) Perimeter security including fencing, barriers, and lighting.
16.2 Environmental Controls. Provider shall maintain environmental controls at all facilities housing Customer Data, including:
(a) Redundant HVAC systems;
(b) Fire detection and suppression systems;
(c) Water leak detection systems;
(d) Uninterruptible power supply (UPS) systems;
(e) Backup power generators with a minimum of seventy-two (72) hours of fuel capacity; and
(f) Environmental monitoring and alerting.
16.3 Media Handling and Destruction. Provider shall implement secure media handling procedures in accordance with NIST Special Publication 800-88 Rev. 1 and shall provide certificates of destruction upon request.
ARTICLE 17 — INSURANCE REQUIREMENTS
17.1 Cyber Liability Insurance. Provider shall obtain and maintain cyber liability / technology errors and omissions insurance with a minimum limit of Five Million Dollars ($5,000,000.00) per occurrence and in the aggregate, covering data breach notification costs, regulatory defense and penalty coverage, business interruption, cyber extortion, media liability, and network security liability.
17.2 Professional Liability / Errors and Omissions Insurance. Provider shall maintain professional liability / errors and omissions insurance with a minimum limit of Two Million Dollars ($2,000,000.00) per occurrence and in the aggregate.
17.3 General Requirements. All insurance policies shall: (a) be maintained with insurers rated A- VII or better by A.M. Best; (b) name Customer as an additional insured where applicable; (c) require at least thirty (30) days' prior written notice to Customer of cancellation or material modification; (d) include a waiver of subrogation in favor of Customer; and (e) be primary and non-contributory.
17.4 Certificates of Insurance. Provider shall furnish certificates of insurance to Customer upon request and at each policy renewal.
ARTICLE 18 — AUDIT RIGHTS
18.1 Customer Audit Rights. Customer shall have the right to conduct security audits at least once annually and additionally following any Security Incident or Data Breach.
18.2 Audit Procedures. Customer shall provide Provider with at least thirty (30) days' prior written notice of any planned audit. Audits shall be conducted during normal business hours.
18.3 SOC 2 / ISO Acceptance. Customer may accept Provider's current SOC 2 Type II report, ISO/IEC 27001 certification, or equivalent in lieu of a direct audit. Acceptance does not waive Customer's audit rights.
18.4 Regulatory Cooperation. Provider shall cooperate fully with any audit or investigation by the Pennsylvania Attorney General or other regulatory authority.
18.5 Remediation. Provider shall develop and implement a corrective action plan within thirty (30) days of receiving audit findings.
ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING
19.1 Quarterly Security Reviews. The Parties shall conduct quarterly security governance meetings to review security incident trends, vulnerability management, threat landscape changes, regulatory developments including any changes to Pennsylvania law, and KPIs.
19.2 Annual Security Assessment. Provider shall deliver an annual comprehensive security assessment report including program effectiveness, risk assessment results, penetration test results, and planned improvements.
19.3 Key Performance Indicators (KPIs). Provider shall track and report on: mean time to detect and respond to incidents, vulnerability remediation percentages, training completion rates, system uptime, incident severity trends, and phishing simulation results.
ARTICLE 20 — DATA RETURN AND DESTRUCTION
20.1 Data Return. Upon expiration or termination of the Master Agreement, Provider shall return all Customer Data within thirty (30) days in a mutually agreed format.
20.2 Data Destruction. Following return and confirmation, Provider shall destroy all copies within sixty (60) days per NIST SP 800-88 Rev. 1.
20.3 Certification of Destruction. Provider shall provide written certification within ten (10) days of completion.
20.4 Retention Exceptions. Provider may retain Customer Data only as required by law, with continued protection and prompt destruction when the retention requirement expires.
ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES
21.1 Provider Indemnification. Provider shall indemnify, defend, and hold harmless Customer from and against all claims, damages, losses, liabilities, costs, and expenses arising from:
(a) A Data Breach caused by Provider's breach of this Addendum;
(b) Provider's failure to comply with the BPINA or other applicable breach notification laws;
(c) Any UTPCPL enforcement action arising from Provider's failure to comply with the BPINA;
(d) Any regulatory investigation or penalty arising from Provider's acts or omissions; and
(e) Any third-party claim arising from unauthorized access to Customer Data.
21.2 Covered Costs. Provider's indemnification includes: notification costs, credit monitoring costs (minimum one year for SSN/driver's license breaches per 73 P.S. § 2303), call center costs, forensic investigation costs, regulatory filing costs, civil penalties under the UTPCPL, public relations costs, and fraud-related losses.
21.3 Limitation. The indemnification obligations under this Article shall not be subject to any limitation of liability in the Master Agreement.
ARTICLE 22 — PENNSYLVANIA-SPECIFIC LEGAL PROVISIONS
22.1 Governing Law. This Security Addendum shall be governed by and construed in accordance with the laws of the Commonwealth of Pennsylvania, without regard to its conflict of law principles.
22.2 Forum and Jurisdiction. Any dispute arising out of or relating to this Addendum shall be brought exclusively in the Court of Common Pleas of Philadelphia County, Pennsylvania, or the United States District Court for the Eastern District of Pennsylvania. Each Party irrevocably consents to the personal jurisdiction and venue of such courts.
22.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY HEREBY IRREVOCABLY AND UNCONDITIONALLY WAIVES ALL RIGHT TO TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS SECURITY ADDENDUM OR THE TRANSACTIONS CONTEMPLATED HEREBY. EACH PARTY CERTIFIES AND ACKNOWLEDGES THAT: (A) NO REPRESENTATIVE OF THE OTHER PARTY HAS REPRESENTED THAT SUCH OTHER PARTY WOULD NOT SEEK TO ENFORCE THIS WAIVER; (B) SUCH PARTY HAS CONSIDERED THE IMPLICATIONS; (C) SUCH PARTY MAKES THIS WAIVER KNOWINGLY AND VOLUNTARILY; AND (D) SUCH PARTY HAS BEEN INDUCED TO ENTER INTO THIS ADDENDUM BY, AMONG OTHER THINGS, THE MUTUAL WAIVERS IN THIS SECTION.
22.4 Injunctive Relief. Either Party shall be entitled to seek injunctive relief, specific performance, or other equitable remedies without the necessity of proving actual damages or posting a bond.
22.5 Trade Secrets Protection. Confidential Information constituting trade secrets shall be protected under the Pennsylvania Uniform Trade Secrets Act, 12 Pa. C.S. §§ 5301–5308. Remedies include injunctive relief, damages for actual loss and unjust enrichment, and exemplary damages for willful and malicious misappropriation not to exceed twice the damages awarded. A prevailing party may recover reasonable attorneys' fees.
22.6 Interest on Late Payments. Any amounts owed that are not paid when due shall bear interest at the rate of six percent (6%) per annum as permitted under 41 P.S. § 202, or the maximum rate permitted by applicable law, whichever is less.
22.7 Attorneys' Fees. In any action to enforce this Addendum, the prevailing Party shall be entitled to recover its reasonable attorneys' fees, court costs, and expenses.
ARTICLE 23 — ELECTRONIC SIGNATURES
23.1 Electronic Signature Validity. This Security Addendum may be executed by electronic signature in accordance with the Pennsylvania Electronic Transactions Act, 73 P.S. §§ 2260.101–2260.5103. Electronic signatures shall have the same legal effect, validity, and enforceability as original ink signatures.
23.2 Consent to Electronic Transactions. By executing this Addendum electronically, each Party consents to conduct the transactions contemplated herein by electronic means.
23.3 Counterparts. This Addendum may be executed in one or more counterparts, each of which shall be deemed an original. Delivery by electronic transmission (PDF, DocuSign, or similar) shall be effective as delivery of an original.
ARTICLE 24 — GENERAL PROVISIONS
24.1 Entire Agreement. This Security Addendum, together with the Master Agreement and any exhibits, constitutes the entire agreement with respect to the subject matter hereof.
24.2 Amendment. This Addendum may not be amended except by written instrument signed by both Parties.
24.3 Severability. Invalid provisions shall be modified to the minimum extent necessary while preserving original intent.
24.4 Waiver. No waiver shall be effective unless in writing. A waiver on one occasion is not a waiver on subsequent occasions.
24.5 Notices. All notices shall be in writing and deemed given when delivered personally, by certified mail, or overnight courier.
24.6 Assignment. Provider shall not assign this Addendum without Customer's prior written consent.
24.7 Survival. Articles 1, 13, 14 (as applicable), 20, 21, 22, and this Section 24.7 survive termination.
24.8 Force Majeure. Neither Party shall be liable for failures beyond its reasonable control, provided this shall not excuse Provider from data security, backup, disaster recovery, and breach notification obligations.
SIGNATURE BLOCKS
IN WITNESS WHEREOF, the Parties have caused this Security Addendum to be executed by their duly authorized representatives as of the Addendum Effective Date.
CUSTOMER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
PROVIDER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
EXHIBIT A — APPROVED SUBPROCESSORS
| Subprocessor Name | Services Provided | Data Processed | Location |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
EXHIBIT B — SECURITY REQUIREMENTS CHECKLIST
Pre-Execution Verification
☐ Master Agreement fully executed and in effect
☐ Provider's Information Security Program documentation reviewed
☐ Provider's most recent SOC 2 Type II report or ISO 27001 certification reviewed
☐ Provider's most recent penetration test executive summary reviewed
☐ Subprocessor list reviewed and approved
☐ Insurance certificates reviewed and verified
☐ Data processing locations confirmed within the United States
☐ Provider's designated security officer contact information confirmed
☐ Business continuity and disaster recovery plan reviewed
☐ Incident response plan reviewed
☐ Credit monitoring service provider identified for SSN/DL breach scenarios
Ongoing Compliance
☐ Quarterly security governance meetings scheduled
☐ Annual security assessment scheduled
☐ Annual penetration test scheduled
☐ Annual audit or SOC 2/ISO 27001 review scheduled
☐ Security awareness training records reviewed annually
☐ Subprocessor list reviewed at least annually
☐ Insurance certificates reviewed at each renewal
☐ Data breach notification procedures tested
☐ PA AG notification threshold (500 residents) monitoring in place
☐ Medical and health insurance information handling procedures reviewed
SOURCES AND REFERENCES
- 73 P.S. §§ 2301–2329 — Breach of Personal Information Notification Act (BPINA): https://www.legis.state.pa.us/WU01/LI/LI/US/HTM/2005/0/0094..HTM
- Pennsylvania Attorney General — BPINA Information: https://www.attorneygeneral.gov/bpina/
- 73 P.S. § 201-1 et seq. — Unfair Trade Practices and Consumer Protection Law: https://www.legis.state.pa.us/WU01/LI/LI/US/HTM/1968/0/0387..HTM
- 12 Pa. C.S. §§ 5301–5308 — Pennsylvania Uniform Trade Secrets Act: https://law.justia.com/codes/pennsylvania/title-12/chapter-53/
- 73 P.S. §§ 2260.101–2260.5103 — Electronic Transactions Act: https://law.justia.com/codes/pennsylvania/title-73/chapter-22/
- NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
- NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization: https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
- ISO/IEC 27001:2022 — Information Security Management Systems: https://www.iso.org/standard/27001
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- SOC 2 Trust Services Criteria: https://www.aicpa.org/soc2