SECURITY ADDENDUM (ENTERPRISE SAAS)

Texas Jurisdictional Version

TABLE OF CONTENTS

1. Scope and Order of Precedence
2. Security Program
3. Access Controls and Authentication
4. Encryption
5. Network and Infrastructure Security
6. Application Security and SDLC
7. Vulnerability Management
8. Logging and Monitoring
9. Business Continuity and Disaster Recovery
10. Data Segregation and Residency
11. Penetration Testing and Assessments
12. Incident Response and Notification
13. Audit and Compliance Reports
14. Third-Party Subprocessors
15. Physical Security
16. Personnel Security and Training
17. Data Return and Deletion
18. Changes to Security Controls
19. Texas-Specific Data Protection Requirements
20. Governing Law and Dispute Resolution

1. SCOPE AND ORDER OF PRECEDENCE

• Applies to the Services under the [SaaS Agreement name/date].
• If conflict with the SaaS Agreement/DPA on security matters, this Addendum governs; otherwise, SaaS Agreement controls.

2. SECURITY PROGRAM

• Provider maintains a written information security program with administrative, technical, and physical safeguards appropriate to risk, aligned to [ISO 27001/SOC 2/other].
• Provider's security program shall comply with the Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code Chapter 521) and the Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code Chapter 541, including implementation of reasonable procedures to protect sensitive data identifying information from unlawful use or disclosure.
• Provider shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any sensitive personal information collected or maintained in the regular course of business.

3. ACCESS CONTROLS AND AUTHENTICATION

• Role-based access; least privilege; MFA for administrative access; strong password/secret policies; session management; timely deprovisioning.

4. ENCRYPTION

• In transit: TLS [1.2/1.3] or better; at rest: industry-standard encryption for Customer Data stores.
• Key management: [KMS/HSM], separation of duties, rotation policies.

5. NETWORK AND INFRASTRUCTURE SECURITY

• Segmentation of environments (prod/non-prod); firewalls/security groups; DDoS protections; hardened images; configuration management and baselines.

6. APPLICATION SECURITY AND SDLC

• Secure development lifecycle with code review, dependency scanning, SAST/DAST for relevant components; change management with approvals and rollback plans.

7. VULNERABILITY MANAGEMENT

• Regular scanning; prioritization/remediation targets:
• Critical: [X] hours/days; High: [Y] days; Medium: [Z] days; Low: [define].
• Patch management process; emergency patching for exploited vulnerabilities.

8. LOGGING AND MONITORING

• Centralized logging for auth, access, admin actions, and security events; time-synchronized; retention [X] days/months; alerting for anomalous events.

9. BUSINESS CONTINUITY AND DISASTER RECOVERY

• Documented BC/DR plan; tested [annually/semi-annually]; RPO [X hours], RTO [Y hours]; backups encrypted and tested for restoration.

10. DATA SEGREGATION AND RESIDENCY

• Logical/tenant isolation; data residency options [Regions] if offered; no relocation without notice and updated transfer mechanisms.

11. PENETRATION TESTING AND ASSESSMENTS

• Independent penetration tests [annually/semi-annually]; summary reports available under NDA; remediation tracked to closure.
• Customer-sourced testing requires prior written approval and coordinated scope.

12. INCIDENT RESPONSE AND NOTIFICATION

• Incident response plan with roles, runbooks, and communications.
• Notification to Customer without undue delay and within [X] hours of confirming a Security Incident affecting Customer Data; include nature, scope, mitigations, and recommended actions.
• In compliance with Tex. Bus. & Com. Code section 521.053, Provider shall disclose any breach of system security to Customer as expeditiously as possible after discovering or receiving notification of the breach; delay is permitted only if a law enforcement agency determines notification will impede a criminal investigation or jeopardize national or homeland security.
• Provider shall notify the Texas Attorney General if a breach involves at least 250 Texas residents, in accordance with Tex. Bus. & Com. Code section 521.053(i).
• Post-incident report for material incidents within [Y] business days.

13. AUDIT AND COMPLIANCE REPORTS

• Provide current SOC 2 / ISO 27001 certificate and summary upon request; significant exceptions disclosed with remediation plans.
• Onsite/customer audits: [once per year] with reasonable notice; subject to confidentiality and limited to security controls; time/materials fees if onsite.

14. THIRD-PARTY SUBPROCESSORS

• Subprocessors must meet equivalent security standards; list available at [URL/Annex]; notice of new subprocessors with [X] days to object on reasonable grounds; Provider remains liable.
• Subprocessors must implement reasonable procedures to protect sensitive personal information consistent with Texas Identity Theft Act and TDPSA requirements.

15. PHYSICAL SECURITY

• Data centers with industry-standard controls: access badges/biometrics, CCTV, visitor logging, environmental controls, and redundant power/cooling.

16. PERSONNEL SECURITY AND TRAINING

• Background checks where lawful for personnel with Customer Data access, subject to Texas Labor Code Chapter 411 and applicable fair credit reporting requirements; confidentiality agreements; security and privacy training at onboarding and [annual] refreshers.

17. DATA RETURN AND DELETION

• Upon termination/expiry, Customer Data returned or deleted per Agreement/DPA within [X] days; secure deletion methods; backups aged out on standard cycles unless legal hold applies.
• Data disposal shall comply with Tex. Bus. & Com. Code section 521.052 requirements for proper destruction or disposal of business records containing personal identifying information.

18. CHANGES TO SECURITY CONTROLS

• Material reductions not permitted without Customer consent; non-material updates allowed to improve or maintain security posture.
• Notice of material changes to contact [security contact].

19. TEXAS-SPECIFIC DATA PROTECTION REQUIREMENTS

19.1 Texas Identity Theft Enforcement and Protection Act Compliance

• Provider shall comply with the Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code Chapter 521), including:
• Implementing and maintaining reasonable procedures to protect sensitive personal information from unlawful use or disclosure;
• Properly destroying or arranging for destruction of customer records containing personal identifying information;
• Providing breach notification as required by section 521.053.

19.2 Texas Data Privacy and Security Act (TDPSA) Compliance

• Provider, acting as a processor under the TDPSA (Tex. Bus. & Com. Code Chapter 541), shall:
• Process personal data only according to Customer's instructions;
• Ensure each person processing personal data is subject to a duty of confidentiality;
• Delete or return all personal data to Customer upon request after the end of service provision;
• Make available to Customer all information necessary to demonstrate compliance;
• Allow and cooperate with reasonable assessments by Customer or Customer's designated assessor;
• Engage subcontractors only pursuant to a written contract that requires the subcontractor to meet the same obligations as Provider.

19.3 Texas Trade Secret Protection

• Provider acknowledges that Customer's Confidential Information may include trade secrets as defined under the Texas Uniform Trade Secrets Act (Tex. Civ. Prac. & Rem. Code Chapter 134A) and the federal Defend Trade Secrets Act (18 U.S.C. section 1836 et seq.), and shall protect such information accordingly.

19.4 Texas E-Signatures

• Electronic signatures under this Addendum shall be valid and enforceable pursuant to the Texas Uniform Electronic Transactions Act (Tex. Bus. & Com. Code Chapter 322) and the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act).

20. GOVERNING LAW AND DISPUTE RESOLUTION

20.1 Governing Law

This Addendum and any dispute arising out of or relating hereto shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict of laws rules.

20.2 Forum Selection

Subject to any arbitration provisions in the Master Agreement, the Parties consent to the exclusive jurisdiction of the state and federal courts located in [Travis County / Harris County / Dallas County / Bexar County], Texas, for any litigation arising out of or relating to this Addendum, and waive any objection to venue or forum non conveniens.

20.3 Jury Trial Waiver

EACH PARTY HEREBY KNOWINGLY, VOLUNTARILY, AND IRREVOCABLY WAIVES ITS RIGHT TO A TRIAL BY JURY IN ANY ACTION OR PROCEEDING ARISING OUT OF OR RELATING TO THIS ADDENDUM.
[// GUIDANCE: Texas courts generally enforce contractual jury waivers between sophisticated commercial parties. The waiver should be conspicuous and knowing. Consider bold text or separate signature line for additional enforceability.]

20.4 Injunctive Relief

Each Party acknowledges that a breach of the security obligations herein would cause irreparable harm for which monetary damages are an inadequate remedy. Accordingly, in the event of any such breach, the non-breaching Party may seek injunctive relief in addition to any other remedy available at law or equity, without posting bond or other security to the extent permitted under Texas Civil Practice and Remedies Code section 65.011 and applicable Texas Rules of Civil Procedure.

20.5 Late Payment Interest

Late payments under this Addendum shall accrue interest at the rate specified in the Master Agreement, or if not specified, at 18% per annum, the maximum rate permitted under Texas Finance Code section 302.001 for commercial transactions, or such lower rate as specified by the parties.