Enterprise Security Addendum — Wyoming

ENTERPRISE SECURITY ADDENDUM

State of Wyoming — Jurisdictional Version

Addendum Reference No.: [________________________________]

Effective Date: [__/__/____]

Master Agreement Reference: [________________________________]

Master Agreement Date: [__/__/____]


RECITALS

WHEREAS, [________________________________] ("Customer"), a [________________________________] organized under the laws of the State of [________________________________], with its principal place of business at [________________________________], and [________________________________] ("Provider"), a [________________________________] organized under the laws of the State of [________________________________], with its principal place of business at [________________________________], have entered into that certain Master Agreement referenced above (the "Master Agreement"); and

WHEREAS, the Master Agreement contemplates that Provider shall deliver certain enterprise software-as-a-service, cloud-hosted, or managed technology services (collectively, the "Services") to Customer that may involve the Processing of Customer Data, including Personal Identifying Information of Wyoming residents as defined under Wyo. Stat. § 40-12-501; and

WHEREAS, Customer requires Provider to implement and maintain a comprehensive information security program that meets or exceeds industry standards and complies with the data protection and breach notification requirements of Wyoming law, including Wyo. Stat. § 40-12-501 et seq.; and

WHEREAS, the Parties desire to set forth the specific security obligations, controls, and procedures that Provider shall implement and maintain in connection with the Services;

NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:


ARTICLE 1 — DEFINITIONS

1.1 The following terms shall have the meanings set forth below when used in this Addendum. Capitalized terms not defined herein shall have the meanings ascribed to them in the Master Agreement.

1.2 "Access Credentials" means usernames, passwords, API keys, tokens, certificates, multi-factor authentication codes, biometric identifiers, and any other mechanism used to authenticate a user or system to Provider's infrastructure or the Services.

1.3 "Authorized Personnel" means employees, contractors, agents, or subprocessors of Provider who have undergone background screening and security training and have a demonstrated need to access Customer Data in the performance of the Services.

1.4 "Breach" or "Security Breach" means the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of Personal Identifying Information maintained by an individual or entity and that causes or is reasonably believed to cause loss or injury to a Wyoming resident, consistent with the definition of "breach of the security of the data system" under Wyo. Stat. § 40-12-501(a).

1.5 "Business Continuity Plan" or "BCP" means Provider's documented plan for maintaining essential business functions during and after a disaster or disruption, including recovery procedures for the Services.

1.6 "Customer Data" means all data, information, records, documents, files, and materials provided by or on behalf of Customer, or collected, generated, or processed by Provider in connection with the Services, including Personal Identifying Information, Confidential Information, and Trade Secrets.

1.7 "Data Processing" or "Processing" means any operation or set of operations performed on Customer Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

1.8 "Disaster Recovery Plan" or "DRP" means Provider's documented plan for the restoration of the Services, systems, and Customer Data following a disaster, outage, or material disruption.

1.9 "Encryption" means the process of converting data into a coded form using industry-standard cryptographic algorithms to prevent unauthorized access, rendering the data unreadable without the corresponding decryption key.

1.10 "Information Security Program" means Provider's comprehensive, written program of policies, procedures, standards, and technical, administrative, and physical safeguards designed to protect Customer Data, as more fully described in Article 3 of this Addendum.

1.11 "Key Personnel" means Provider's Chief Information Security Officer (CISO), Data Protection Officer (DPO), Security Operations Center (SOC) Manager, Incident Response Lead, and any other individuals designated by Provider as having primary responsibility for the security of Customer Data.

1.12 "NIST" means the National Institute of Standards and Technology, an agency of the United States Department of Commerce.

1.13 "Penetration Test" means a simulated cyberattack against Provider's systems, applications, and networks conducted by qualified third-party security professionals to evaluate the security posture and identify vulnerabilities.

1.14 "Personal Identifying Information" means, consistent with the definition under Wyo. Stat. § 40-12-501(b), an individual's first name or first initial and last name in combination with one or more of the following data elements when either the name or the data element is not encrypted:

(a) Social Security number;

(b) Driver's license number or Wyoming identification card number;

(c) Tribal identification card number;

(d) Financial account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;

(e) Username or email address, in combination with a password or security question and answer that would permit access to an online account;

(f) A birth or marriage certificate;

(g) Individual taxpayer identification number;

(h) Unique biometric data, including fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data;

(i) Shared secrets or security tokens that are known to be used for data-based authentication and identification;

(j) A username or email address in combination with a password, security question and answer, or other information that allows access to an online account affiliated with the individual or entity.

The term does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

1.15 "Recovery Point Objective" or "RPO" means the maximum acceptable amount of data loss measured in time, establishing the point in time to which Customer Data must be recovered following a disruption.

1.16 "Recovery Time Objective" or "RTO" means the maximum acceptable duration of time within which the Services must be restored following a disruption.

1.17 "Security Incident" means any event that may compromise the confidentiality, integrity, or availability of Customer Data or Provider's systems, but that does not rise to the level of a confirmed Breach.

1.18 "Subprocessor" means any third party engaged by Provider that Processes Customer Data on behalf of Provider in connection with the Services.

1.19 "Trade Secret" means information as defined in the Wyoming Uniform Trade Secrets Act, Wyo. Stat. § 40-24-101(d), including a formula, pattern, compilation, program, device, method, technique, or process that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

1.20 "Vulnerability" means a weakness in a system, application, network, or process that could be exploited by a threat actor to compromise the confidentiality, integrity, or availability of Customer Data or the Services.


ARTICLE 2 — SCOPE AND ORDER OF PRECEDENCE

2.1 Scope. This Addendum applies to all Services provided under the Master Agreement that involve the Processing, storage, transmission, or access to Customer Data, including Personal Identifying Information of Wyoming residents. This Addendum establishes the minimum security obligations of Provider.

2.2 Order of Precedence. In the event of any conflict or inconsistency between this Addendum and the Master Agreement, this Addendum shall control with respect to information security, data protection, and breach notification matters. In the event of any conflict between this Addendum and applicable Wyoming law, the more protective provision shall apply.

2.3 Incorporation. This Addendum is incorporated into and forms an integral part of the Master Agreement. All terms and conditions of the Master Agreement that are not expressly modified by this Addendum shall remain in full force and effect.

2.4 Regulatory Floor. The security requirements set forth in this Addendum represent minimum standards. Provider shall comply with all applicable federal, state, and local laws, regulations, and industry standards that impose more stringent requirements, including Wyoming's blockchain and digital asset regulatory framework where applicable.


ARTICLE 3 — INFORMATION SECURITY PROGRAM

3.1 General Obligation. Provider shall establish, implement, maintain, and continuously improve a comprehensive, written Information Security Program designed to protect Customer Data against unauthorized access, acquisition, use, disclosure, modification, destruction, or other compromise.

3.2 Framework Alignment. Provider's Information Security Program shall be aligned with and shall materially conform to the following frameworks:

(a) ISO/IEC 27001:2022 — Information Security Management System (ISMS);

(b) SOC 2 Type II — Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy);

(c) NIST Cybersecurity Framework (CSF) 2.0 — Identify, Protect, Detect, Respond, Recover, and Govern functions.

3.3 Certifications. Provider shall maintain current:

(a) ISO/IEC 27001:2022 certification covering all systems and environments used to Process Customer Data;

(b) SOC 2 Type II report covering the most recent twelve (12) month period.

Provider shall furnish copies of all certifications and reports to Customer within thirty (30) days of issuance and promptly upon request.

3.4 Security Policies. Provider shall maintain documented security policies addressing, at a minimum: acceptable use, access control, asset management, business continuity, change management, cryptography, data classification, human resources security, incident management, network security, operations security, physical security, supplier relationships, and system acquisition and development.

3.5 Risk Assessments. Provider shall conduct comprehensive risk assessments at least annually, and additionally upon any material change to the Services, infrastructure, or threat landscape. Risk assessments shall follow NIST SP 800-30 or ISO 27005 methodology and shall be documented and made available to Customer upon request.


ARTICLE 4 — ACCESS CONTROLS

4.1 Role-Based Access Control (RBAC). Provider shall implement and enforce role-based access controls ensuring that Authorized Personnel are granted access to Customer Data solely on a need-to-know, least-privilege basis commensurate with their job responsibilities.

4.2 Multi-Factor Authentication (MFA). Provider shall require multi-factor authentication for:

(a) All remote access to systems containing Customer Data;

(b) All administrative and privileged access to production environments;

(c) All access to Provider's management console or control plane;

(d) All VPN and remote desktop connections;

(e) All access to code repositories containing application code for the Services.

4.3 Access Reviews. Provider shall conduct formal access reviews on a quarterly basis to verify that:

(a) Access rights remain appropriate and are consistent with the principle of least privilege;

(b) Terminated or transferred personnel have had access promptly revoked;

(c) Dormant accounts (inactive for more than thirty (30) days) are disabled;

(d) Privileged accounts are inventoried and justified.

4.4 Password and Credential Management. Provider shall enforce password policies requiring:

(a) Minimum length of fourteen (14) characters;

(b) Complexity requirements including uppercase, lowercase, numeric, and special characters;

(c) Password expiration no less frequently than every ninety (90) days for non-MFA accounts;

(d) Account lockout after no more than five (5) consecutive failed authentication attempts;

(e) Prohibition on the reuse of the last twelve (12) passwords.

4.5 Privileged Access Management. Provider shall implement a privileged access management (PAM) solution with session recording, just-in-time access provisioning, and automatic credential rotation for all administrative and service accounts.


ARTICLE 5 — ENCRYPTION STANDARDS

5.1 Data in Transit. All Customer Data transmitted over any network shall be encrypted using:

(a) TLS 1.2 or higher for all web-based and API communications;

(b) IPsec or WireGuard VPN for site-to-site and remote connections;

(c) SFTP or SCP for file transfers (FTP is prohibited).

Provider shall disable support for SSL, TLS 1.0, and TLS 1.1.

5.2 Data at Rest. All Customer Data stored in any medium shall be encrypted using:

(a) AES-256 (or equivalent) for databases, file systems, storage volumes, and backups;

(b) Full-disk encryption on all endpoints, workstations, and portable media;

(c) Envelope encryption with hardware security modules (HSMs) for key wrapping.

5.3 Key Management. Provider shall implement a key management program that includes:

(a) Generation of cryptographic keys using FIPS 140-2 Level 3 (or higher) validated modules;

(b) Separation of key management duties with dual control and split knowledge;

(c) Automated key rotation at least annually, and upon compromise or suspected compromise;

(d) Secure key storage in dedicated HSMs or equivalent FIPS-validated devices;

(e) Key revocation and destruction procedures in accordance with NIST SP 800-57.

5.4 Wyoming Encryption Safe Harbor. The Parties acknowledge that the definition of "breach of the security of the data system" under Wyo. Stat. § 40-12-501(a) reaches Personal Identifying Information only when either the name or the associated data element is not encrypted. Encryption of Personal Identifying Information in accordance with this Article may therefore mitigate notification requirements under Wyo. Stat. § 40-12-502, provided the encryption keys have not been compromised.


ARTICLE 6 — NETWORK SECURITY

6.1 Network Segmentation. Provider shall implement network segmentation to isolate Customer Data environments from corporate networks, development environments, and other customer environments. Segmentation shall be enforced through firewalls, VLANs, or software-defined networking controls.

6.2 Firewalls and Access Control Lists. Provider shall deploy and maintain enterprise-grade firewalls with:

(a) Default-deny inbound and outbound rules;

(b) Stateful packet inspection;

(c) Application-layer filtering;

(d) Rule reviews at least quarterly with documentation of business justification for each rule;

(e) Geo-blocking of traffic from jurisdictions not required for the Services.

6.3 Intrusion Detection and Prevention. Provider shall deploy and maintain network-based and host-based intrusion detection and prevention systems (IDS/IPS) that:

(a) Monitor all network traffic to and from Customer Data environments;

(b) Are updated with current threat signatures and behavioral analytics;

(c) Generate alerts that are monitored by Provider's Security Operations Center (SOC) on a 24/7/365 basis;

(d) Integrate with Provider's SIEM platform for correlation and analysis.

6.4 DDoS Mitigation. Provider shall implement distributed denial-of-service (DDoS) mitigation measures including volumetric, protocol, and application-layer protections through dedicated DDoS mitigation services or content delivery networks (CDNs).

6.5 Wireless Security. Provider shall secure all wireless networks using WPA3 Enterprise or equivalent, with separate SSIDs for corporate and guest networks, and no wireless access to Customer Data environments.

6.6 DNS Security. Provider shall implement DNSSEC, DNS filtering, and monitoring of DNS queries for indicators of compromise.


ARTICLE 7 — APPLICATION SECURITY

7.1 Secure Development Lifecycle (SDLC). Provider shall maintain a secure software development lifecycle that incorporates security at every phase:

(a) Requirements — Security and privacy requirements defined and documented;

(b) Design — Threat modeling conducted for all new features and material changes;

(c) Development — Secure coding standards (OWASP, CERT) enforced via automated tooling;

(d) Testing — Security testing integrated into CI/CD pipeline;

(e) Deployment — Hardened configurations, least-privilege service accounts;

(f) Maintenance — Patch management and ongoing vulnerability monitoring.

7.2 OWASP Compliance. Provider shall test for and remediate all vulnerabilities identified in the current OWASP Top 10 and OWASP API Security Top 10 prior to production deployment.

7.3 Static Application Security Testing (SAST). Provider shall perform automated SAST on all application code at each build, with blocking rules for critical and high-severity findings.

7.4 Dynamic Application Security Testing (DAST). Provider shall perform DAST scans against staging and production environments at least monthly, with remediation in accordance with the timelines set forth in Article 8.

7.5 Software Composition Analysis (SCA). Provider shall maintain an inventory of all third-party and open-source components, monitor for known vulnerabilities (CVEs), and remediate or replace vulnerable components in accordance with Article 8.

7.6 Code Reviews. All code changes to production systems shall undergo peer review by at least one developer other than the author, with documented approval prior to merge.


ARTICLE 8 — VULNERABILITY MANAGEMENT

8.1 Scanning. Provider shall conduct authenticated vulnerability scans of all systems, networks, and applications in the Customer Data environment at least weekly, using industry-recognized scanning tools.

8.2 Remediation Timelines. Provider shall remediate identified vulnerabilities within the following timelines measured from the date of discovery or notification:

(a) Critical Severity (CVSS 9.0–10.0): Twenty-four (24) hours;

(b) High Severity (CVSS 7.0–8.9): Seven (7) calendar days;

(c) Medium Severity (CVSS 4.0–6.9): Thirty (30) calendar days;

(d) Low Severity (CVSS 0.1–3.9): Ninety (90) calendar days.

8.3 Zero-Day Vulnerabilities. Upon identification of a zero-day vulnerability affecting systems Processing Customer Data, Provider shall implement compensating controls (e.g., WAF rules, network isolation, access restrictions) within four (4) hours and permanent remediation within forty-eight (48) hours, or as soon as a patch becomes available.

8.4 Patch Management. Provider shall maintain a formal patch management program with:

(a) Automated patch deployment where feasible;

(b) Testing of patches in a staging environment prior to production deployment;

(c) Emergency patching procedures for critical vulnerabilities;

(d) Documentation of patching decisions, including risk acceptance for deferred patches.

8.5 Vulnerability Reporting. Provider shall furnish Customer with monthly vulnerability summary reports, including metrics on scan coverage, identified vulnerabilities, remediation rates, and open items.


ARTICLE 9 — LOGGING, MONITORING, AND AUDIT

9.1 Logging Requirements. Provider shall generate and maintain comprehensive audit logs for all systems Processing Customer Data, including:

(a) Authentication events (successful and failed);

(b) Authorization changes and privilege escalations;

(c) Data access, creation, modification, and deletion events;

(d) Administrative and configuration changes;

(e) Network traffic logs (flow and connection logs);

(f) Application-level events and errors;

(g) Security events (firewall, IDS/IPS, anti-malware).

9.2 Log Integrity. Provider shall ensure the integrity of audit logs through:

(a) Write-once or append-only storage mechanisms;

(b) Cryptographic hash verification;

(c) Centralized log aggregation to prevent local tampering;

(d) Separation of duties between log administrators and system administrators.
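As an added illustration of the "cryptographic hash verification" control in Section 9.2 (this is example code written for this page, not part of the Addendum and not any Provider's implementation), the following Python builds a hash-chained audit log over a few constructed sample events and then checks which manipulations the chain detects on its own and which require a separately stored head hash. The event fields, the GENESIS constant and the function names are assumptions made for the example.

```python
"""Tamper-evident audit log via SHA-256 hash chaining (added illustration)."""
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed well-known starting value for an empty chain


def _canonical(entry: dict) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the hash.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_entry(chain: list, entry: dict) -> str:
    """Append an event; each record commits to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256(prev.encode("ascii") + _canonical(entry)).hexdigest()
    chain.append({"entry": entry, "prev": prev, "hash": digest})
    return digest


def verify_chain(chain: list, expected_head: Optional[str] = None):
    """Recompute every link. Returns (ok, index_of_first_bad_record_or_None).

    expected_head is the last hash as written to separate write-once storage
    (Section 9.2(a), (c)); without it, removal of the newest records is invisible.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return False, i  # link broken: a record was removed or reordered
        recomputed = hashlib.sha256(prev.encode("ascii") + _canonical(rec["entry"])).hexdigest()
        if recomputed != rec["hash"]:
            return False, i  # record contents were edited after the fact
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)  # tail truncated: chain ends before the recorded head
    return True, None


# Constructed sample events covering the log categories in Section 9.1.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T08:00:01Z", "type": "auth", "user": "alice", "outcome": "success"},
    {"ts": "2024-01-15T08:00:07Z", "type": "auth", "user": "bob", "outcome": "failure"},
    {"ts": "2024-01-15T08:02:30Z", "type": "privilege_change", "user": "bob", "detail": "added to db-admins"},
    {"ts": "2024-01-15T08:03:12Z", "type": "data_access", "user": "bob", "object": "customers.db"},
]


def tamper_checks() -> dict:
    """Build the sample chain and report which manipulations verification catches."""
    chain = []
    for ev in SAMPLE_EVENTS:
        append_entry(chain, ev)
    head = chain[-1]["hash"]  # in practice: written to separate, write-once storage

    results = {"intact": verify_chain(chain, head)}

    edited = copy.deepcopy(chain)
    edited[1]["entry"]["outcome"] = "success"  # rewrite a failed logon as a success
    results["edited"] = verify_chain(edited, head)

    removed = copy.deepcopy(chain)
    del removed[2]  # drop the privilege-change record from the middle
    results["removed_middle"] = verify_chain(removed, head)

    truncated = copy.deepcopy(chain[:-1])  # drop the newest record
    results["truncated_no_head"] = verify_chain(truncated)
    results["truncated_with_head"] = verify_chain(truncated, head)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in tamper_checks().items():
        print(f"{name:20s} ok={ok} first_bad_record={idx}")
```

The chain alone flags edits and removals in the middle, but silently accepts removal of the newest records; that is why the current head hash (or a periodic signed checkpoint) belongs in storage that the log administrators, not the system administrators, control, which is the point of the separation of duties in Section 9.2(d).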

9.3 SIEM Platform. Provider shall operate a Security Information and Event Management (SIEM) platform that:

(a) Aggregates and correlates logs from all systems in real time;

(b) Applies behavioral analytics and threat intelligence feeds;

(c) Generates automated alerts for anomalous or suspicious activity;

(d) Is monitored by qualified security analysts on a 24/7/365 basis.

9.4 Retention. Provider shall retain all security-relevant logs for a minimum of twelve (12) months in immediately accessible online storage, and for an additional twelve (12) months in secure archival storage, for a total retention period of twenty-four (24) months.

9.5 Log Access. Customer shall have the right to request and receive relevant log data pertaining to Customer Data and Customer's use of the Services within five (5) business days of such request.


ARTICLE 10 — DATA SEGREGATION AND RESIDENCY

10.1 Logical Segregation. Provider shall maintain logical segregation of Customer Data from the data of other customers and Provider's own corporate data at all layers of the architecture (application, database, storage, network, and backup).

10.2 Tenant Isolation. Where multi-tenant architecture is employed, Provider shall implement tenant isolation controls that prevent any cross-tenant data access, including through application logic, database schemas or separate databases, encryption with customer-specific keys, and network-level isolation.

10.3 Data Residency. Provider shall store and process Customer Data solely within the continental United States unless Customer provides prior written consent to a specific alternative location. Provider shall promptly notify Customer of any proposed change to data storage or processing locations.

10.4 Data Classification. Provider shall apply Customer's data classification scheme (or a comparable scheme agreed upon by the Parties) to Customer Data and implement security controls proportionate to the classification level.


ARTICLE 11 — PENETRATION TESTING

11.1 Annual Testing. Provider shall engage an independent, qualified third-party security firm to conduct comprehensive penetration testing at least annually. Testing shall include:

(a) External network penetration testing;

(b) Internal network penetration testing;

(c) Web application penetration testing (all customer-facing applications);

(d) API security testing;

(e) Social engineering and phishing assessments;

(f) Wireless network penetration testing.

11.2 Scope. Penetration testing shall cover all systems, applications, networks, and infrastructure used to Process, store, or transmit Customer Data.

11.3 Methodology. Penetration testing shall follow industry-recognized methodologies (e.g., PTES, OWASP Testing Guide, NIST SP 800-115) and shall simulate realistic threat scenarios.

11.4 Reporting. Provider shall furnish Customer with complete, unredacted penetration test reports within thirty (30) days of test completion, subject to Provider's execution of a mutual non-disclosure agreement with the testing firm where required.

11.5 Remediation. Provider shall remediate all findings in accordance with the timelines set forth in Article 8 (Vulnerability Management), measured from the date of the final penetration test report.

11.6 Customer Testing. Customer shall have the right to conduct or commission its own penetration testing of Provider's environments used for the Services, upon thirty (30) days' written notice and subject to reasonable scheduling coordination, at Customer's expense.


ARTICLE 12 — BUSINESS CONTINUITY AND DISASTER RECOVERY

12.1 Business Continuity Plan. Provider shall maintain a documented Business Continuity Plan covering all aspects of the Services, including:

(a) Business impact analysis (BIA) identifying critical functions and dependencies;

(b) Succession planning for Key Personnel;

(c) Communication plans for Customer and other stakeholders;

(d) Alternative processing capabilities and facilities;

(e) Supply chain continuity measures.

12.2 Disaster Recovery Plan. Provider shall maintain a documented Disaster Recovery Plan providing for the recovery of the Services, systems, and Customer Data following a disaster or material disruption.

12.3 Recovery Objectives. Provider shall achieve the following recovery objectives:

(a) Recovery Point Objective (RPO): [____] hours — the maximum data loss measured in time;

(b) Recovery Time Objective (RTO): [____] hours — the maximum downtime for the Services.

12.4 Backup and Restoration. Provider shall:

(a) Perform automated backups of all Customer Data at least daily;

(b) Store backups in a geographically separate facility at least [____] miles from the primary data center;

(c) Encrypt all backups using AES-256 or equivalent;

(d) Test backup restoration at least quarterly and document results;

(e) Retain backups for a minimum of thirty (30) days.

12.5 Annual Testing. Provider shall test the BCP and DRP at least annually through tabletop exercises, functional tests, or full-scale simulations, and shall furnish Customer with a written summary of test results, findings, and corrective actions within thirty (30) days of each test.

12.6 Notification. Provider shall notify Customer within one (1) hour of declaring a disaster or invoking the DRP, and shall provide ongoing status updates at least every four (4) hours until full restoration.


ARTICLE 13 — INCIDENT RESPONSE AND BREACH NOTIFICATION

13.1 Incident Response Plan. Provider shall maintain a documented Incident Response Plan that includes:

(a) Defined incident classification and severity levels;

(b) Roles and responsibilities of the incident response team;

(c) Escalation procedures and communication protocols;

(d) Containment, eradication, and recovery procedures;

(e) Evidence preservation and chain of custody procedures;

(f) Post-incident review and lessons-learned processes;

(g) Integration with Wyoming-specific breach notification requirements under Wyo. Stat. § 40-12-502.

13.2 Incident Notification to Customer. Provider shall notify Customer of any Security Incident or Breach as follows:

(a) Initial Notification: Within twenty-four (24) hours of Provider's confirmation of a Security Incident that may involve Customer Data;

(b) Detailed Notification: Within seventy-two (72) hours, including a description of the incident, the categories and approximate number of affected records, the likely consequences, and the measures taken or proposed to address the incident;

(c) Ongoing Updates: At least daily until the incident is resolved.

13.3 Wyoming Breach Notification — Wyo. Stat. § 40-12-501 et seq. This section establishes obligations specific to compliance with Wyoming's data breach notification statute.

13.3.1 Investigation Obligation. Under Wyo. Stat. § 40-12-502, any individual or commercial entity that conducts business in Wyoming and that owns or licenses computerized data that includes Personal Identifying Information shall, when it becomes aware of a breach of the security of the data system, conduct a reasonable and prompt investigation to determine the likelihood that Personal Identifying Information has been or will be misused.

13.3.2 Notification Trigger. If the investigation determines that the misuse of Personal Identifying Information about a Wyoming resident has occurred or is reasonably likely to occur, Provider shall cooperate with Customer to give notice to the affected Wyoming residents, in accordance with Wyo. Stat. § 40-12-502(a).

13.3.3 Notification Timeline. Notification shall be made in the most expedient time possible and without unreasonable delay, but not later than forty-five (45) days after the entity determines that a breach has occurred. Delay is permitted only: (a) to take measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system; or (b) at the request of a law enforcement agency when notification would impede a criminal investigation.

13.3.4 Wyoming Attorney General Notification. Provider shall cooperate with Customer in notifying the Wyoming Attorney General of any breach affecting Wyoming residents, as required or recommended under Wyoming law.

13.3.5 Notice Content. The breach notification shall include, at a minimum:

(a) A description of the classes of Personal Identifying Information that were subject to the breach;

(b) The date or estimated date of the breach;

(c) A general description of the actions taken by the entity to protect the Personal Identifying Information from further breach;

(d) Contact information for the notifying entity, including a toll-free telephone number, postal address, and email address;

(e) Advice directing the affected individual to remain vigilant by reviewing account statements and monitoring free credit reports;

(f) The toll-free numbers, addresses, and websites for the three major credit reporting agencies;

(g) The toll-free number, address, and website for the Federal Trade Commission.

13.3.6 Methods of Notice. Notice may be provided by:

(a) Written notice sent to the most recent address on file for the affected individual;

(b) Electronic notice, if the entity's primary method of communication with the affected individual is electronic and the notice is consistent with the provisions of 15 U.S.C. § 7001 (E-SIGN Act);

(c) Telephonic notice, provided the entity maintains a log of such notifications;

(d) Substitute notice, if the cost of providing notice under the above methods exceeds Two Hundred Fifty Thousand Dollars ($250,000) or the affected class of persons exceeds five hundred thousand (500,000) persons, or the entity does not have sufficient contact information, consisting of: (i) email notice when available, (ii) conspicuous posting on the entity's internet website, and (iii) notice to statewide media.

13.3.7 Penalties. The Wyoming Attorney General has enforcement authority over violations of Wyo. Stat. § 40-12-502. Violations may result in civil penalties, injunctive relief, and recovery of costs and attorneys' fees. The Attorney General may also pursue enforcement under the Wyoming Consumer Protection Act.

13.3.8 Third-Party Data Holders. Under Wyo. Stat. § 40-12-502(c), any entity that maintains computerized data that includes Personal Identifying Information that the entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the data system following discovery of the breach, so that the owner or licensee may comply with notification obligations.

13.4 Provider Obligations During a Breach. Provider shall:

(a) Immediately contain and investigate the Breach;

(b) Preserve all evidence and maintain chain of custody documentation;

(c) Engage qualified forensic investigators at Provider's expense;

(d) Provide Customer with complete forensic reports within thirty (30) days of incident closure;

(e) Implement corrective measures to prevent recurrence;

(f) Fund credit monitoring and identity theft protection services for affected individuals for a period of at least twenty-four (24) months;

(g) Coordinate with law enforcement as appropriate;

(h) Not issue any public statement or notification regarding the Breach without Customer's prior written approval unless legally compelled.


ARTICLE 14 — SUBPROCESSOR MANAGEMENT

14.1 Prior Approval. Provider shall not engage any Subprocessor to Process Customer Data without Customer's prior written approval. Provider shall maintain a current list of all approved Subprocessors, including their identity, location, and scope of processing.

14.2 Due Diligence. Before engaging any Subprocessor, Provider shall conduct a thorough security assessment of the Subprocessor's security practices, policies, and technical controls to ensure they meet or exceed the requirements of this Addendum.

14.3 Contractual Flow-Down. Provider shall impose on each Subprocessor, by written contract, data protection and security obligations no less protective than those imposed on Provider under this Addendum, including compliance with Wyo. Stat. § 40-12-502(c) third-party data holder notification requirements.

14.4 Oversight and Audit. Provider shall monitor and audit each Subprocessor's compliance with security requirements at least annually and shall promptly address any deficiencies.

14.5 Liability. Provider shall remain fully liable for the acts and omissions of its Subprocessors in relation to Customer Data, as if such acts or omissions were Provider's own.

14.6 Notification of Changes. Provider shall notify Customer at least thirty (30) days in advance of any proposed addition or replacement of a Subprocessor. Customer shall have the right to object to any proposed Subprocessor and, if the objection cannot be resolved, to terminate the affected Services without penalty.


ARTICLE 15 — PERSONNEL SECURITY

15.1 Background Checks. Provider shall conduct comprehensive background checks on all Authorized Personnel prior to granting access to Customer Data, including criminal history, employment verification, and education verification, to the extent permitted by Wyoming law.

15.2 Security Training. Provider shall require all Authorized Personnel to complete:

(a) Security awareness training upon hiring and at least annually thereafter;

(b) Role-specific security training for personnel with elevated access privileges;

(c) Phishing simulation exercises at least quarterly;

(d) Training on Wyoming-specific data protection requirements, including Wyo. Stat. § 40-12-501 et seq.

15.3 Confidentiality Agreements. All Authorized Personnel shall execute written confidentiality and non-disclosure agreements prior to accessing Customer Data.

15.4 Termination Procedures. Upon termination or transfer of any Authorized Personnel, Provider shall:

(a) Revoke all access to Customer Data and related systems within four (4) hours of termination;

(b) Collect and secure all company-issued devices, badges, and credentials;

(c) Conduct an exit interview addressing confidentiality obligations.


ARTICLE 16 — PHYSICAL SECURITY

16.1 Data Center Requirements. Provider shall ensure that all data centers and facilities housing Customer Data maintain the following physical security controls:

(a) 24/7/365 on-site security personnel or remote monitoring;

(b) Multi-layered perimeter security with barriers, fencing, and controlled entry points;

(c) Biometric and multi-factor authentication for facility access;

(d) Mantrap or airlock entry systems for sensitive areas;

(e) Closed-circuit television (CCTV) surveillance with recording and at least ninety (90) days retention;

(f) Environmental controls including fire suppression, climate control, water detection, and redundant power;

(g) Visitor management with photo identification, escort requirements, and access logs;

(h) SOC 2 Type II or ISO 27001 certification for all data center facilities.

16.2 Media Handling. Provider shall implement secure media handling procedures including:

(a) Encryption of all portable media containing Customer Data;

(b) Tracking and inventory of all media;

(c) Secure disposal of media using NIST SP 800-88 methods (Clear, Purge, or Destroy as appropriate);

(d) Certificates of destruction furnished to Customer upon request.


ARTICLE 17 — INSURANCE

17.1 Required Coverage. Provider shall obtain and maintain throughout the term of the Master Agreement and this Addendum, at its own expense, the following insurance coverage:

(a) Cyber Liability / Technology Errors and Omissions Insurance: No less than Five Million Dollars ($5,000,000) per occurrence and in the aggregate, covering:

  • Data breach response costs, including notification, credit monitoring, and forensic investigation;
  • Network security liability;
  • Privacy liability;
  • Media liability;
  • Regulatory defense and penalties;
  • PCI-DSS fines and assessments;
  • Cyber extortion and ransomware;

(b) Professional Liability / Errors and Omissions Insurance: No less than Two Million Dollars ($2,000,000) per occurrence and in the aggregate;

(c) Commercial General Liability Insurance: No less than One Million Dollars ($1,000,000) per occurrence and Two Million Dollars ($2,000,000) in the aggregate;

(d) Workers' Compensation Insurance: As required by Wyoming law (Wyo. Stat. § 27-14-101 et seq.).

17.2 Policy Requirements. All insurance policies shall:

(a) Be issued by insurers with an A.M. Best rating of A- VII or better;

(b) Name Customer as an additional insured on the CGL policy;

(c) Provide a waiver of subrogation in favor of Customer;

(d) Require the insurer to provide Customer with thirty (30) days' prior written notice of cancellation or material modification;

(e) Be primary and non-contributory with respect to any insurance maintained by Customer.

17.3 Evidence of Insurance. Provider shall furnish certificates of insurance to Customer upon execution of this Addendum and annually thereafter, and promptly upon request.


ARTICLE 18 — AUDIT RIGHTS

18.1 Customer Audit Rights. Customer shall have the right, at its own expense and upon thirty (30) days' prior written notice, to audit Provider's compliance with this Addendum. Such audit may include:

(a) On-site inspection of facilities, systems, and records;

(b) Review of policies, procedures, and security documentation;

(c) Interviews with Key Personnel and Authorized Personnel;

(d) Review of penetration test reports, vulnerability scan results, and incident response records;

(e) Testing of technical controls.

18.2 Frequency. Customer may conduct audits up to once per year under normal circumstances, and at any time following a Security Incident, Breach, or material change in Provider's security posture.

18.3 Third-Party Auditors. Customer may engage qualified third-party auditors to conduct audits on its behalf, subject to such auditors executing a non-disclosure agreement acceptable to Provider.

18.4 Cooperation. Provider shall cooperate fully with all audits, provide timely access to facilities, systems, records, and personnel, and respond to audit findings with a remediation plan within fifteen (15) business days.

18.5 Regulatory Audits. Provider shall cooperate with audits or examinations by any regulatory authority with jurisdiction over Customer, including the Wyoming Attorney General's Office and the Wyoming Department of Audit.


ARTICLE 19 — SECURITY GOVERNANCE AND REPORTING

19.1 Security Governance Committee. The Parties shall establish a joint Security Governance Committee consisting of designated representatives from each Party, which shall meet at least quarterly to:

(a) Review Provider's security posture and compliance with this Addendum;

(b) Discuss emerging threats, vulnerabilities, and security trends;

(c) Review incident reports and security metrics;

(d) Address any security concerns raised by either Party;

(e) Review and approve changes to security policies and procedures.

19.2 Security Reporting. Provider shall furnish Customer with the following reports:

(a) Monthly: Vulnerability scan summaries, patch compliance metrics, and security incident summaries;

(b) Quarterly: Access review results, security awareness training completion rates, and KPI dashboards;

(c) Annually: Penetration test reports, risk assessment results, BCP/DRP test results, SOC 2 Type II reports, and ISO 27001 certification status;

(d) Ad Hoc: Any material change in security posture, key personnel, or Subprocessor arrangements.

19.3 Key Performance Indicators. Provider shall track and report on the following security KPIs:

(a) Mean time to detect (MTTD) security incidents;

(b) Mean time to respond (MTTR) to security incidents;

(c) Vulnerability remediation rates by severity;

(d) Patch compliance percentage;

(e) Security training completion rates;

(f) Uptime and availability of the Services.


ARTICLE 20 — DATA RETURN AND DESTRUCTION

20.1 Data Return. Upon expiration or termination of the Master Agreement, or upon Customer's written request at any time, Provider shall:

(a) Return all Customer Data to Customer in a mutually agreed-upon, industry-standard, machine-readable format within thirty (30) calendar days;

(b) Provide reasonable assistance to Customer in migrating Customer Data, at Provider's standard professional services rates (unless termination is due to Provider's breach, in which case at no charge).

20.2 Data Destruction. Following confirmation of successful data return, or upon Customer's written instruction, Provider shall:

(a) Securely destroy all copies of Customer Data in Provider's possession or control, including copies in backup systems, disaster recovery environments, and archival storage;

(b) Perform such destruction in accordance with NIST SP 800-88 Rev. 1 guidelines (Clear, Purge, or Destroy as appropriate to the media type);

(c) Furnish Customer with a written certificate of destruction, signed by an authorized officer of Provider, within fifteen (15) calendar days of destruction;

(d) Ensure that the certificate specifies the data destroyed, the method of destruction, the date of destruction, and the identity of the person who performed the destruction.

20.3 Retention Exception. Provider may retain Customer Data only to the extent required by applicable law, regulation, or court order, provided that Provider: (a) notifies Customer of such retention requirement, (b) limits retention to the minimum data and duration required, and (c) continues to protect such retained data in accordance with this Addendum.

20.4 Subprocessor Data. Provider shall ensure that all Subprocessors return or destroy Customer Data in accordance with the same standards set forth in this Article.


ARTICLE 21 — INDEMNIFICATION FOR SECURITY BREACHES

21.1 Provider Indemnification. Provider shall defend, indemnify, and hold harmless Customer, its officers, directors, employees, agents, and affiliates from and against all claims, demands, actions, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees and court costs) arising from or related to:

(a) Any Breach of Customer Data caused by Provider's negligence, willful misconduct, or failure to comply with this Addendum;

(b) Provider's failure to comply with Wyo. Stat. § 40-12-502 or any other applicable data breach notification law;

(c) Any unauthorized access to, acquisition of, or disclosure of Customer Data resulting from Provider's failure to implement or maintain the security controls required by this Addendum;

(d) Any regulatory investigation, enforcement action, fine, or penalty arising from Provider's acts or omissions with respect to Customer Data;

(e) Any third-party claims arising from a Breach, including class action lawsuits, individual claims, and regulatory proceedings.

21.2 Costs and Expenses. Provider's indemnification obligations shall include, without limitation:

(a) Costs of breach notification to affected individuals and regulatory authorities;

(b) Credit monitoring and identity theft protection services;

(c) Forensic investigation costs;

(d) Public relations and crisis management costs;

(e) Call center costs for affected individuals;

(f) Regulatory fines and penalties;

(g) Costs of litigation defense and settlement.

21.3 Limitation. The indemnification obligations under this Article shall not be subject to any limitation of liability caps set forth in the Master Agreement, unless expressly stated otherwise in a separate written amendment executed by both Parties.


ARTICLE 22 — STATE-SPECIFIC LEGAL PROVISIONS — WYOMING

22.1 Governing Law. This Addendum shall be governed by and construed in accordance with the laws of the State of Wyoming, without regard to its conflict of laws principles.

22.2 Venue and Jurisdiction. Any dispute, claim, or controversy arising out of or relating to this Addendum shall be brought exclusively in the state or federal courts located in Laramie County, Wyoming, or such other county as may be agreed by the Parties. Each Party irrevocably consents to the exclusive jurisdiction and venue of such courts.

22.3 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY WYOMING LAW, EACH PARTY HEREBY KNOWINGLY, VOLUNTARILY, AND IRREVOCABLY WAIVES ALL RIGHT TO A TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS ADDENDUM OR THE TRANSACTIONS CONTEMPLATED HEREBY.

22.4 Trade Secret Protection. Provider acknowledges that Customer Data may contain Trade Secrets as defined in the Wyoming Uniform Trade Secrets Act (Wyo. Stat. § 40-24-101 et seq.). Provider shall maintain all such Trade Secrets in strict confidence and shall implement protections consistent with Wyo. Stat. § 40-24-101(d), including reasonable measures to maintain secrecy. In the event of misappropriation, Customer shall be entitled to all remedies available under the Act, including injunctive relief (§ 40-24-103), damages (§ 40-24-104), and attorneys' fees (§ 40-24-105).

22.5 Computer Crimes. Provider acknowledges that unauthorized access to or modification of Customer Data may constitute a violation of the Wyoming computer crimes statutes, Wyo. Stat. § 6-3-501 et seq., which provide for criminal penalties including fines and imprisonment.

22.6 Wyoming Consumer Protection Act. This Addendum shall be interpreted consistently with the Wyoming Consumer Protection Act (Wyo. Stat. § 40-12-101 et seq.), and Provider shall not engage in any deceptive trade practices in connection with its handling of Customer Data.

22.7 Late Payment Interest. Any amounts due under this Addendum that are not paid when due shall bear interest at the rate of seven percent (7%) per annum, in accordance with Wyoming statutory interest rates.

22.8 Digital Assets and Blockchain. To the extent the Services involve digital assets, tokenized data, or blockchain technology, Provider shall comply with applicable Wyoming digital asset laws, including the Wyoming Digital Asset Act (Wyo. Stat. § 34-29-101 et seq.) and related regulations, and shall maintain security controls appropriate for such assets.


ARTICLE 23 — ELECTRONIC SIGNATURES

23.1 Validity. This Addendum may be executed by electronic signature in accordance with the Wyoming Uniform Electronic Transactions Act, Wyo. Stat. § 40-21-101 et seq. The Parties agree that electronic signatures shall have the same legal effect, validity, and enforceability as manual ink signatures.

23.2 Legal Recognition. Pursuant to the Wyoming UETA, a record or signature may not be denied legal effect or enforceability solely because it is in electronic form. A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation.

23.3 Consent to Electronic Records. Each Party consents to the use of electronic records and electronic signatures in connection with this Addendum and all related communications and documents, in accordance with Wyoming UETA.

23.4 Retention of Electronic Records. Electronic records of this Addendum shall be retained in accordance with the Wyoming UETA and shall be accessible and capable of being accurately reproduced for later reference.

23.5 Counterparts. This Addendum may be executed in one or more counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument. Delivery of an executed counterpart by electronic transmission (including PDF, DocuSign, or other secure electronic signature platform) shall be effective as delivery of a manually executed counterpart.


ARTICLE 24 — GENERAL PROVISIONS

24.1 Entire Agreement. This Addendum, together with the Master Agreement and all exhibits, schedules, and attachments hereto, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, negotiations, and discussions, whether oral or written, relating to the security of Customer Data.

24.2 Amendment. This Addendum may not be amended, modified, or supplemented except by a written instrument executed by authorized representatives of both Parties.

24.3 Waiver. No waiver of any provision of this Addendum shall be effective unless in writing and signed by the Party against whom the waiver is sought to be enforced. No failure or delay by either Party in exercising any right or remedy shall operate as a waiver thereof.

24.4 Severability. If any provision of this Addendum is held to be invalid, illegal, or unenforceable under Wyoming law, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, and the remaining provisions shall continue in full force and effect.

24.5 Assignment. Neither Party may assign this Addendum or any of its rights or obligations hereunder without the prior written consent of the other Party, which consent shall not be unreasonably withheld; provided, however, that either Party may assign this Addendum to an affiliate or in connection with a merger, acquisition, or sale of all or substantially all of its assets.

24.6 Notices. All notices required or permitted under this Addendum shall be in writing and shall be delivered by hand, certified mail (return receipt requested), or recognized overnight courier service to the addresses set forth below, or to such other address as a Party may designate by written notice.

24.7 Survival. The provisions of this Addendum that by their nature should survive expiration or termination of the Master Agreement shall so survive, including without limitation the obligations related to data return/destruction, indemnification, confidentiality, breach notification, and audit rights.


ARTICLE 25 — EXECUTION

Compliance Checklist (Pre-Execution):

☐ Master Agreement fully executed and referenced herein

☐ Provider's Information Security Program documentation reviewed by Customer

☐ Provider's most recent SOC 2 Type II report reviewed by Customer

☐ Provider's ISO 27001 certification verified

☐ Provider's most recent penetration test report reviewed by Customer

☐ Subprocessor list reviewed and approved by Customer

☐ Insurance certificates reviewed and verified by Customer

☐ RPO and RTO values agreed upon and documented in Section 12.3

☐ Data residency requirements confirmed

☐ Wyoming-licensed legal counsel has reviewed this Addendum for both Parties

☐ Key Personnel and escalation contacts identified

☐ Security Governance Committee members designated


SIGNATURE BLOCKS

IN WITNESS WHEREOF, the Parties have caused this Enterprise Security Addendum to be executed by their duly authorized representatives as of the Effective Date.

CUSTOMER

Legal Entity Name: [________________________________]
Authorized Signatory Name: [________________________________]
Title: [________________________________]
Signature: [________________________________]
Date: [__/__/____]
Email: [________________________________]
Phone: [________________________________]

PROVIDER

Legal Entity Name: [________________________________]
Authorized Signatory Name: [________________________________]
Title: [________________________________]
Signature: [________________________________]
Date: [__/__/____]
Email: [________________________________]
Phone: [________________________________]

EXHIBIT A — SECURITY CONTACT INFORMATION

Role                            | Name                               | Email                              | Phone                              | Escalation Order
Customer Security Lead          | [________________________________] | [________________________________] | [________________________________] | 1
Customer Legal Counsel          | [________________________________] | [________________________________] | [________________________________] | 2
Customer Executive Sponsor      | [________________________________] | [________________________________] | [________________________________] | 3
Provider CISO                   | [________________________________] | [________________________________] | [________________________________] | 1
Provider Incident Response Lead | [________________________________] | [________________________________] | [________________________________] | 2
Provider Account Executive      | [________________________________] | [________________________________] | [________________________________] | 3

EXHIBIT B — APPROVED SUBPROCESSOR LIST

Subprocessor Name                  | Service Provided                   | Data Processed                     | Location                           | Approval Date
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]

SOURCES AND REFERENCES

  1. Wyoming Data Breach Notification Law — Definitions — Wyo. Stat. § 40-12-501: https://law.justia.com/codes/wyoming/title-40/chapter-12/article-5/section-40-12-501/
  2. Wyoming Computer Security Breach; Notice to Affected Persons — Wyo. Stat. § 40-12-502: https://law.justia.com/codes/wyoming/title-40/chapter-12/article-5/section-40-12-502/
  3. Wyoming Uniform Trade Secrets Act — Wyo. Stat. § 40-24-101 et seq.: https://law.justia.com/codes/wyoming/title-40/chapter-24/
  4. Wyoming Uniform Electronic Transactions Act — Wyo. Stat. § 40-21-101 et seq.: https://law.justia.com/codes/wyoming/title-40/chapter-21/
  5. Wyoming Computer Crimes — Wyo. Stat. § 6-3-501 et seq.: https://law.justia.com/codes/wyoming/title-6/chapter-3/article-5/
  6. Wyoming Consumer Protection Act — Wyo. Stat. § 40-12-101 et seq.: https://law.justia.com/codes/wyoming/title-40/chapter-12/
  7. NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
  8. NIST SP 800-88 Rev. 1 — Media Sanitization: https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
  9. ISO/IEC 27001:2022: https://www.iso.org/standard/27001
  10. SOC 2 Trust Services Criteria: https://www.aicpa.org/soc2

This Enterprise Security Addendum is intended for use on the ezel.ai platform and must be reviewed by Wyoming-licensed legal counsel before execution. Last updated: 2026-02-21.
