SECURITY ADDENDUM (ENTERPRISE SAAS)
South Carolina Jurisdictional Version
Addendum Effective Date: [__/__/____]
Addendum Reference Number: [________________________________]
PARTIES
"Customer":
Name: [________________________________]
State of Organization: [________________________________]
Principal Office Address: [________________________________]
Contact Person: [________________________________]
Email: [________________________________]
Phone: [________________________________]
"Provider":
Name: [________________________________]
State of Organization: [________________________________]
Principal Office Address: [________________________________]
Security Contact Person: [________________________________]
Email: [________________________________]
Phone: [________________________________]
RECITALS
WHEREAS, Customer and Provider have entered into that certain Master Services Agreement, SaaS Subscription Agreement, or similar agreement dated [__/__/____] (the "Master Agreement"), pursuant to which Provider delivers certain cloud-based software-as-a-service solutions and related services to Customer;
WHEREAS, in connection with the performance of the Master Agreement, Provider will Process, store, transmit, and/or have access to Customer Data, including Personal Information of South Carolina residents and other Confidential Information;
WHEREAS, Customer requires that Provider maintain a comprehensive Information Security Program that meets or exceeds industry standards and complies with all applicable federal and South Carolina state laws, including the South Carolina breach notification statute at S.C. Code Ann. § 39-1-90;
WHEREAS, South Carolina enacted the South Carolina Insurance Data Security Act (S.C. Code Ann. §§ 38-99-10 through 38-99-100) which imposes specific cybersecurity requirements on insurance licensees, and breach notification violations carry significant per-resident administrative penalties;
NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
ARTICLE 1 — DEFINITIONS
For purposes of this Security Addendum, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings ascribed to them in the Master Agreement.
1.1 "Authorized Users" means Customer's employees, contractors, agents, and other individuals who have been granted access to the Provider Systems by Customer in accordance with this Addendum and who have a legitimate business need for such access.
1.2 "Confidential Information" means all non-public information disclosed by either Party to the other Party, whether orally, in writing, or in electronic form, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information includes, without limitation, Customer Data, trade secrets as defined under the South Carolina Trade Secrets Act, business plans, technical specifications, source code, algorithms, and security configurations.
1.3 "Customer Data" means all data, records, files, content, and information of any type that Customer or its Authorized Users input, upload, transmit, or store within the Provider Systems, including Personal Information, High-Risk Data, and any data derived therefrom.
1.4 "Data Breach" means a breach of the security of the system as contemplated under S.C. Code Ann. § 39-1-90, specifically the unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods, that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person, and that the person reasonably believes has caused or will cause identity theft or other fraud to a resident of South Carolina. For purposes of this Addendum, Data Breach also includes any Security Incident that results in the unauthorized access, acquisition, use, disclosure, or destruction of Customer Data.
1.5 "Data Processing" means any operation or set of operations performed on Customer Data, whether by automated means or otherwise, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
1.6 "Data Protection Agreement" or "DPA" means any separate data processing agreement or data protection addendum entered into between the Parties that governs the processing of personal data subject to applicable data protection laws.
1.7 "Encryption Standard" means: (a) for data in transit, Transport Layer Security (TLS) version 1.2 or higher using cipher suites with a minimum key length of 128 bits; and (b) for data at rest, Advanced Encryption Standard (AES) with a minimum key length of 256 bits (AES-256), or a cryptographic standard of equivalent or greater strength as recognized by NIST.
1.8 "High-Risk Data" means any subset of Customer Data that, if subject to unauthorized access, acquisition, or disclosure, would pose a significant risk of harm, including: (a) financial account numbers, credit card numbers, or debit card numbers in combination with any required security code, access code, or password; (b) Social Security numbers; (c) protected health information (PHI) as defined under HIPAA; (d) biometric data; (e) authentication credentials; and (f) any data classified as "Restricted" or "Highly Confidential" under Customer's data classification policy.
1.9 "Information Security Program" means Provider's comprehensive, written program of administrative, technical, and physical safeguards designed to protect the security, confidentiality, integrity, and availability of Customer Data, as more fully described in this Addendum.
1.10 "Malware" means any software or code designed to damage, disrupt, gain unauthorized access to, or perform unauthorized operations on a computer system, network, or data, including viruses, worms, Trojan horses, ransomware, spyware, adware, rootkits, keyloggers, and any other form of malicious code.
1.11 "Personal Information" means, consistent with S.C. Code Ann. § 39-1-90(D), the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of South Carolina, when the data elements are neither encrypted nor redacted: (a) Social Security number; (b) driver's license number or state identification card number; (c) financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account; or (d) other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.
1.12 "Provider Systems" means all information technology infrastructure, systems, applications, networks, databases, servers (whether physical or virtual), cloud environments, and endpoints owned, operated, managed, or controlled by Provider that are used to Process, store, or transmit Customer Data.
1.13 "Security Incident" means any event that results in or may reasonably result in unauthorized access, acquisition, use, disclosure, modification, or destruction of Customer Data or any component of the Provider Systems, including but not limited to successful or attempted unauthorized access, Malware infections, denial-of-service attacks, loss or theft of equipment containing Customer Data, and any event that triggers notification obligations under applicable law.
1.14 "Subprocessor" means any third party engaged by Provider to Process Customer Data on Provider's behalf, including cloud infrastructure providers, managed service providers, data center operators, and any other entity that has access to or processes Customer Data in connection with the services provided under the Master Agreement.
1.15 "Vulnerability" means a weakness, flaw, or deficiency in a system, application, process, or control that could be exploited by a threat actor to gain unauthorized access to or otherwise compromise the security, confidentiality, integrity, or availability of Customer Data or the Provider Systems. Vulnerabilities are classified by severity using the Common Vulnerability Scoring System (CVSS) as follows: Critical (CVSS 9.0–10.0), High (CVSS 7.0–8.9), Medium (CVSS 4.0–6.9), and Low (CVSS 0.1–3.9).
ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE
2.1 Scope. This Security Addendum applies to all Customer Data that Provider Processes, stores, transmits, or otherwise accesses in connection with the Master Agreement.
2.2 Order of Precedence. In the event of any conflict between this Security Addendum and the Master Agreement, this Addendum shall prevail with respect to information security, data protection, and breach notification. The more protective provision governs conflicts with any DPA.
2.3 Minimum Standards. The security obligations set forth herein are minimum requirements. Provider shall implement additional measures as required by applicable law, industry standards, or the sensitivity of the data.
2.4 Regulatory Compliance. Provider shall comply with all applicable laws, including S.C. Code Ann. § 39-1-90 and, to the extent applicable, the South Carolina Insurance Data Security Act (S.C. Code Ann. §§ 38-99-10 through 38-99-100).
ARTICLE 3 — INFORMATION SECURITY PROGRAM
3.1 Program Requirements. Provider shall establish, implement, and maintain a comprehensive Information Security Program designed to:
(a) Protect the security, confidentiality, integrity, and availability of Customer Data;
(b) Protect against anticipated threats or hazards to Customer Data;
(c) Protect against unauthorized access that could cause substantial harm;
(d) Comply with all applicable laws including South Carolina data protection requirements; and
(e) Align with one or more of the following recognized security frameworks:
- ☐ ISO/IEC 27001:2022 (Information Security Management Systems)
- ☐ SOC 2 Type II (Trust Services Criteria)
- ☐ NIST Cybersecurity Framework (CSF) 2.0
- ☐ NIST Special Publication 800-53 Rev. 5
- ☐ CIS Controls v8
3.2 Risk Assessment. Provider shall conduct comprehensive risk assessments at least annually, and additionally upon material changes to operations or threat landscape.
3.3 Security Officer. Provider shall designate a qualified CISO or equivalent:
Name: [________________________________]
Title: [________________________________]
Email: [________________________________]
Phone: [________________________________]
Provider shall notify Customer in writing within thirty (30) days of any change.
3.4 Security Policies. Provider shall maintain written security policies reviewed and updated at least annually.
ARTICLE 4 — ACCESS CONTROLS
4.1 Role-Based Access Control (RBAC). Provider shall implement RBAC restricting access based on least privilege and need-to-know principles.
4.2 Multi-Factor Authentication (MFA). Provider shall require MFA for: (a) all remote access; (b) administrative accounts; (c) cloud management consoles; (d) VPN connections; and (e) access from outside secured networks.
4.3 Privileged Access Management. Provider shall: maintain a privileged account inventory; use dedicated admin accounts; implement privileged access workstations; log all privileged activity; rotate credentials every ninety (90) days; and implement just-in-time access where feasible.
4.4 Access Reviews. Quarterly reviews to verify accounts are active, rights are appropriate, terminated users are revoked, and anomalies are investigated.
4.5 Password and Authentication Policies. Minimum fourteen (14) character passwords; complexity requirements; twenty-four (24) password history; five (5) attempt lockout; fifteen (15) minute session timeout; no shared or default credentials.
4.6 Access Termination. Revocation within twenty-four (24) hours of termination; modification within forty-eight (48) hours of role change.
ARTICLE 5 — ENCRYPTION STANDARDS
5.1 Encryption in Transit. TLS 1.2 or higher with forward secrecy. All deprecated protocols disabled.
5.2 Encryption at Rest. AES-256 or equivalent for all Customer Data. South Carolina law provides a safe harbor for data rendered unusable through encryption, making consistent encryption critical.
5.3 Key Management. Cryptographically secure key generation; separate storage from data; access controls; annual rotation; secure destruction; alignment with NIST SP 800-57.
5.4 Certificate Management. Tracking, timely renewal, and immediate revocation of compromised certificates.
ARTICLE 6 — NETWORK SECURITY
6.1 Network Segmentation. Logical separation of customer environments, isolation of dev/staging/production, dedicated management networks.
6.2 Firewalls. Enterprise-grade firewalls with default-deny policy at all perimeters.
6.3 IDS/IPS. Network and host-based systems with signature and behavior detection, daily signature updates, 24/7/365 monitoring.
6.4 DDoS Protection. Traffic analysis, rate limiting, and automated mitigation.
6.5 VPN. Encrypted VPN with MFA for all remote administrative access.
6.6 Wireless Security. WPA3 or equivalent; guest networks fully isolated from production.
ARTICLE 7 — APPLICATION SECURITY
7.1 Secure SDLC. Security at every phase: requirements, threat modeling, coding, testing, and review.
7.2 OWASP Top 10. All applications designed and tested against current OWASP Top 10.
7.3 SAST/DAST. SAST before each release; DAST at least quarterly; IAST during QA as appropriate.
7.4 API Security. Authentication, input validation, rate limiting, versioning, logging, and regular testing.
7.5 Code Review. Peer review by at least one qualified developer before production deployment.
7.6 Third-Party Components. Inventory maintained; monitored for vulnerabilities; patched per Article 8 timelines.
ARTICLE 8 — VULNERABILITY MANAGEMENT
8.1 Vulnerability Scanning. Monthly automated scans of all systems; additional scans after significant changes.
8.2 Remediation Timelines.
| Severity Level | CVSS Score | Remediation Timeline |
|---|---|---|
| Critical | 9.0–10.0 | Twenty-four (24) hours |
| High | 7.0–8.9 | Seven (7) calendar days |
| Medium | 4.0–6.9 | Thirty (30) calendar days |
| Low | 0.1–3.9 | Ninety (90) calendar days |
8.3 Patch Management. Formal program with vendor monitoring, pre-deployment testing, emergency patching, and documentation.
8.4 Compensating Controls. Documented when immediate remediation is not feasible; Customer notified for Critical and High vulnerabilities.
8.5 Vulnerability Reporting. Quarterly reports with severity counts, remediation status, and exceptions.
ARTICLE 9 — LOGGING, MONITORING, AND AUDIT
9.1 SIEM. Enterprise SIEM aggregating and correlating logs from all systems processing Customer Data.
9.2 Logging. Comprehensive logs covering: authentication events, data access, privileged activities, configuration changes, network events, data transfers, and security errors.
9.3 Log Retention. Twelve (12) months immediately accessible; additional twelve (12) months archived. Write-once or equivalent protection.
9.4 Real-Time Alerting. Alerts for: failed authentication, unauthorized access, anomalous data patterns, malware, configuration changes, and malicious communications.
9.5 Monitoring. 24/7/365 monitoring through automated tools and qualified security personnel.
ARTICLE 10 — DATA SEGREGATION AND RESIDENCY
10.1 Tenant Isolation. Logical and physical controls preventing unauthorized access or commingling.
10.2 Data Residency. Customer Data stored within the continental United States unless otherwise agreed in writing.
Primary Data Center: [________________________________]
Secondary/DR Data Center: [________________________________]
10.3 Data Classification. Public, Internal, Confidential, and Restricted tiers supported.
10.4 Environment Separation. Separate dev, test, staging, and production environments. No Customer Data in non-production without de-identification.
ARTICLE 11 — PENETRATION TESTING
11.1 Annual Testing. Independent third-party penetration testing annually covering external/internal networks, web applications, APIs, social engineering, and wireless.
11.2 Testing Standards. PTES, OWASP Testing Guide, or NIST SP 800-115.
11.3 Reporting. Executive summary to Customer within thirty (30) days. Full reports under NDA.
11.4 Remediation. Per Article 8 timelines. Re-testing for Critical and High findings.
11.5 Customer Testing. Permitted with thirty (30) days' notice and mutually agreed scope.
ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY
12.1 BCP. Comprehensive plan ensuring service availability and data protection.
12.2 DRP. Including: (a) RPO not exceeding [____] hours; (b) RTO not exceeding [____] hours; (c) documented recovery procedures; (d) defined team roles; (e) customer communication procedures; and (f) geographic failover.
12.3 Geographic Redundancy. Minimum [____] miles separation between facilities.
12.4 Annual Testing. Tabletop, functional, or full-scale exercises with results shared within thirty (30) days.
12.5 Backups. Weekly full; daily incremental; four-hour transaction log; quarterly restoration testing.
ARTICLE 13 — INCIDENT RESPONSE AND BREACH NOTIFICATION
South Carolina-Specific Breach Notification Requirements (S.C. Code Ann. § 39-1-90)
13.1 Incident Response Plan. Provider shall maintain a comprehensive incident response plan tested at least annually.
13.2 Initial Notification to Customer. Provider shall notify Customer within twenty-four (24) hours of discovery of any confirmed or suspected Security Incident or Data Breach.
13.3 South Carolina Statutory Breach Notification. In the event of a Data Breach involving Personal Information of South Carolina residents as defined under S.C. Code Ann. § 39-1-90:
(a) Notification to Affected Individuals. Provider shall, at its own cost and in coordination with Customer, provide notice to affected South Carolina residents in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The notice may be provided by:
- (i) Written notice;
- (ii) Electronic notice, consistent with 15 U.S.C. § 7001;
- (iii) Telephonic notice; or
- (iv) Substitute notice (if the cost exceeds Two Hundred Fifty Thousand Dollars ($250,000.00), the affected class exceeds five hundred thousand (500,000), or insufficient contact information is available), consisting of: email notice, conspicuous website posting, and notification to major statewide media.
(b) Notification to South Carolina Consumer Protection Division. If more than one thousand (1,000) South Carolina residents are to be notified, Provider shall, without unreasonable delay, notify the Consumer Protection Division of the South Carolina Department of Consumer Affairs of the timing, distribution, and content of the notice. The notification shall include:
- (i) The nature and scope of the breach;
- (ii) The number of South Carolina residents affected;
- (iii) The types of personal information involved;
- (iv) A description of the steps taken to investigate and remediate; and
- (v) A copy of the notification provided to affected individuals.
(c) Notification to Consumer Reporting Agencies. If more than one thousand (1,000) South Carolina residents are notified, Provider shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined under 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.
(d) Third-Party Vendor Notification. Under S.C. Code Ann. § 39-1-90(B), any person or business that maintains computerized data that includes personal identifying information that the person or business does not own must notify the owner or licensee of the information of any breach immediately following discovery. Provider shall comply with this requirement by providing Customer with the notification specified in Section 13.2.
(e) Encryption Safe Harbor. Notification is not required if the personal identifying information was rendered unusable through encryption, redaction, or other methods and the encryption key or security credential was not also acquired.
(f) Law Enforcement Delay. Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation. Notification shall be made promptly after law enforcement determines it will no longer impede the investigation.
13.4 Penalties for Non-Compliance. Under S.C. Code Ann. § 39-1-90(G):
(a) A person who knowingly and willfully violates the notification requirements is subject to an administrative fine of One Thousand Dollars ($1,000.00) for each South Carolina resident whose information was accessible by reason of the breach, with no stated cap on the aggregate penalty;
(b) The South Carolina Attorney General or the Department of Consumer Affairs may bring an enforcement action;
(c) The per-resident penalty structure means penalties can accumulate rapidly for large-scale breaches; and
(d) Provider acknowledges these penalty provisions and agrees to cooperate fully with Customer in any regulatory investigation or enforcement action.
13.5 South Carolina Insurance Data Security Act. To the extent applicable (if Customer or Provider is a licensed insurer), the South Carolina Insurance Data Security Act (S.C. Code Ann. §§ 38-99-10 through 38-99-100) imposes additional cybersecurity requirements including: (a) a comprehensive written information security program; (b) a designated person responsible for the program; (c) risk assessments; (d) cybersecurity event investigation and notification to the Director of Insurance within seventy-two (72) hours; and (e) annual certification of compliance to the Director. Provider shall comply with these requirements to the extent applicable.
13.6 Ongoing Updates. Provider shall provide Customer with regular updates no less than every twenty-four (24) hours during active response and every seventy-two (72) hours thereafter.
13.7 Post-Incident Report. Comprehensive written report within thirty (30) days of resolution.
ARTICLE 14 — SUBPROCESSOR MANAGEMENT
14.1 Subprocessor Approval. Prior written consent required for all Subprocessors.
14.2 Current Subprocessors. Listed in Exhibit A.
14.3 New Subprocessor Notification. Thirty (30) days' prior notice; fifteen (15) day objection period; termination without penalty if unresolved.
14.4 Flow-Down Requirements. Written agreements with protections no less than this Addendum, including compliance with S.C. Code Ann. § 39-1-90(B) vendor notification requirements. Provider fully liable for Subprocessor acts and omissions.
14.5 Subprocessor Audit. Initial and annual security assessments; results available to Customer upon request.
ARTICLE 15 — PERSONNEL SECURITY
15.1 Background Checks. Criminal history, seven-year employment verification, education verification, and reference checks.
15.2 Confidentiality Agreements. Required for all personnel with access to Customer Data; survive termination.
15.3 Security Awareness Training. Upon hire, annually, and upon material changes or incidents. Covers data handling, phishing, social engineering, passwords, incident reporting, and South Carolina data protection laws.
15.4 Specialized Training. Role-appropriate training for developers, security personnel, and compliance staff.
ARTICLE 16 — PHYSICAL SECURITY
16.1 Data Center Standards. SOC 2 Type II minimum. 24/7 security personnel; multi-factor physical access; CCTV with 90-day retention; visitor controls; mantrap entry; perimeter security.
16.2 Environmental Controls. Redundant HVAC; fire detection/suppression; water leak detection; UPS; 72-hour backup generators; environmental monitoring.
16.3 Media Destruction. Per NIST SP 800-88 Rev. 1. Certificates of destruction provided upon request.
ARTICLE 17 — INSURANCE REQUIREMENTS
17.1 Cyber Liability Insurance. Five Million Dollars ($5,000,000.00) minimum covering breach notification, regulatory defense, business interruption, cyber extortion, media liability, and network security liability.
17.2 Professional Liability / E&O. Two Million Dollars ($2,000,000.00) minimum.
17.3 General Requirements. A- VII A.M. Best rated; additional insured; 30-day cancellation notice; subrogation waiver; primary and non-contributory.
17.4 Certificates of Insurance. Upon request and at each renewal.
ARTICLE 18 — AUDIT RIGHTS
18.1 Customer Audit Rights. Annual audits and post-incident audits permitted.
18.2 Audit Procedures. Thirty (30) days' notice; normal business hours; reasonable cooperation.
18.3 SOC 2 / ISO Acceptance. May substitute for direct audit at Customer's sole discretion.
18.4 Regulatory Cooperation. Full cooperation with the South Carolina Attorney General, Department of Consumer Affairs, and Department of Insurance.
18.5 Remediation. Corrective action plan within thirty (30) days; monthly progress reports.
ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING
19.1 Quarterly Security Reviews. Incident trends, vulnerability management, threat landscape, regulatory developments, and KPIs.
19.2 Annual Security Assessment. Program effectiveness, risk assessment, penetration test results, audit status, training completion, DR test results, and planned improvements.
19.3 KPIs. Mean time to detect/respond, vulnerability remediation rates, training completion, uptime, incident counts, and phishing simulation results.
ARTICLE 20 — DATA RETURN AND DESTRUCTION
20.1 Data Return. Within thirty (30) days in mutually agreed format.
20.2 Data Destruction. Within sixty (60) days per NIST SP 800-88 Rev. 1, including all Subprocessor copies.
20.3 Certification. Written certification within ten (10) days of completion.
20.4 Retention Exceptions. Only as required by law, with continued protection and prompt destruction upon expiration.
ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES
21.1 Provider Indemnification. Provider indemnifies Customer against claims from: (a) Data Breaches caused by Provider's breach of this Addendum; (b) failure to comply with S.C. Code Ann. § 39-1-90; (c) regulatory investigations or penalties; and (d) third-party claims from unauthorized access.
21.2 Covered Costs. Notification costs, credit monitoring (minimum 24 months), call center, forensic investigation, regulatory filings, administrative fines ($1,000 per affected resident under S.C. Code Ann. § 39-1-90(G)), public relations, and fraud-related losses.
21.3 Limitation. Indemnification obligations are not subject to any limitation of liability in the Master Agreement, reflecting the per-resident penalty structure under South Carolina law.
ARTICLE 22 — SOUTH CAROLINA-SPECIFIC LEGAL PROVISIONS
22.1 Governing Law. This Addendum is governed by the laws of the State of South Carolina.
22.2 Forum and Jurisdiction. Exclusive jurisdiction in the Court of Common Pleas for Richland County, South Carolina, or the U.S. District Court for the District of South Carolina. Both Parties consent to personal jurisdiction and waive inconvenient forum objections.
22.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY HEREBY IRREVOCABLY WAIVES ALL RIGHT TO TRIAL BY JURY IN ANY ACTION ARISING OUT OF OR RELATING TO THIS SECURITY ADDENDUM. EACH PARTY CERTIFIES THAT: (A) NO REPRESENTATIVE OF THE OTHER PARTY HAS REPRESENTED THAT SUCH OTHER PARTY WOULD NOT ENFORCE THIS WAIVER; (B) SUCH PARTY HAS CONSIDERED THE IMPLICATIONS; (C) SUCH PARTY MAKES THIS WAIVER KNOWINGLY AND VOLUNTARILY; AND (D) SUCH PARTY HAS BEEN INDUCED TO ENTER INTO THIS ADDENDUM BY, AMONG OTHER THINGS, THE MUTUAL WAIVERS IN THIS SECTION.
22.4 Injunctive Relief. Either Party may seek injunctive relief, specific performance, or other equitable remedies without proving actual damages or posting bond.
22.5 Trade Secrets Protection. Confidential Information constituting trade secrets is protected under the South Carolina Trade Secrets Act, S.C. Code Ann. §§ 39-8-10 through 39-8-130. Remedies include injunctive relief, damages for actual loss and unjust enrichment, and exemplary damages for willful and malicious misappropriation not to exceed twice the damages awarded. A prevailing party may recover reasonable attorneys' fees.
22.6 Interest on Late Payments. Amounts not paid when due bear interest at eight and three-quarters percent (8.75%) per annum under S.C. Code Ann. § 34-31-20, or the maximum rate permitted by law, whichever is less.
22.7 Attorneys' Fees. The prevailing Party may recover reasonable attorneys' fees, costs, and expenses.
ARTICLE 23 — ELECTRONIC SIGNATURES
23.1 Electronic Signature Validity. This Addendum may be executed by electronic signature under the South Carolina Uniform Electronic Transactions Act, S.C. Code Ann. §§ 26-6-10 through 26-6-210. Electronic signatures have the same legal effect as original ink signatures.
23.2 Consent to Electronic Transactions. Each Party consents to electronic transactions and agrees electronic records and signatures satisfy writing requirements.
23.3 Counterparts. May be executed in counterparts; electronic delivery (PDF, DocuSign, or similar) is effective as original delivery.
ARTICLE 24 — GENERAL PROVISIONS
24.1 Entire Agreement. This Addendum and the Master Agreement constitute the entire agreement on information security.
24.2 Amendment. Amendments require written instrument signed by both Parties.
24.3 Severability. Invalid provisions modified to minimum extent necessary.
24.4 Waiver. Written waivers only; no precedential effect.
24.5 Notices. Written notice by personal delivery, certified mail, or overnight courier.
24.6 Assignment. Provider may not assign without Customer's prior written consent.
24.7 Survival. Articles 1, 13, 14 (as applicable), 20, 21, 22, and this Section 24.7 survive termination.
24.8 Force Majeure. Standard force majeure excluding data security, backup, DR, and breach notification obligations.
SIGNATURE BLOCKS
IN WITNESS WHEREOF, the Parties have caused this Security Addendum to be executed as of the Addendum Effective Date.
CUSTOMER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
PROVIDER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
EXHIBIT A — APPROVED SUBPROCESSORS
| Subprocessor Name | Services Provided | Data Processed | Location |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
EXHIBIT B — SECURITY REQUIREMENTS CHECKLIST
Pre-Execution Verification
☐ Master Agreement fully executed and in effect
☐ Provider's Information Security Program documentation reviewed
☐ Provider's most recent SOC 2 Type II report or ISO 27001 certification reviewed
☐ Provider's most recent penetration test executive summary reviewed
☐ Subprocessor list reviewed and approved
☐ Insurance certificates reviewed and verified
☐ Data processing locations confirmed within the United States
☐ Provider's designated security officer contact information confirmed
☐ Business continuity and disaster recovery plan reviewed
☐ Incident response plan reviewed
☐ SC Insurance Data Security Act applicability assessed
Ongoing Compliance
☐ Quarterly security governance meetings scheduled
☐ Annual security assessment scheduled
☐ Annual penetration test scheduled
☐ Annual audit or SOC 2/ISO 27001 review scheduled
☐ Security awareness training records reviewed annually
☐ Subprocessor list reviewed at least annually
☐ Insurance certificates reviewed at each renewal
☐ Data breach notification procedures tested
☐ Consumer Protection Division notification threshold (1,000 residents) monitored
☐ Per-resident penalty exposure assessed and documented
SOURCES AND REFERENCES
- S.C. Code Ann. § 39-1-90 — Breach of Security of Business Data; Notification. https://law.justia.com/codes/south-carolina/title-39/chapter-1/section-39-1-90/
- S.C. Code Ann. §§ 38-99-10 through 38-99-100 — South Carolina Insurance Data Security Act. https://www.scstatehouse.gov/code/t38c099.php
- S.C. Code Ann. §§ 39-8-10 through 39-8-130 — South Carolina Trade Secrets Act. https://law.justia.com/codes/south-carolina/title-39/chapter-8/
- S.C. Code Ann. §§ 26-6-10 through 26-6-210 — Uniform Electronic Transactions Act. https://law.justia.com/codes/south-carolina/title-26/chapter-6/
- South Carolina Department of Consumer Affairs — Security Breach Information. https://consumer.sc.gov/
- NIST Cybersecurity Framework 2.0. https://www.nist.gov/cyberframework
- NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization. https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
- ISO/IEC 27001:2022 — Information Security Management Systems. https://www.iso.org/standard/27001
- OWASP Top 10. https://owasp.org/www-project-top-ten/
- SOC 2 Trust Services Criteria. https://www.aicpa.org/soc2