Draft template
Security Addendum & Incident Terms
Proposed security responsibilities, safeguards, and incident-notification process.
DRAFT TEMPLATE — NOT LEGAL ADVICE. This document has not been approved by an attorney. It must be reviewed, completed, and approved by qualified counsel before CatOps or any Client signs it or relies on it.
Bracketed fields require a business decision or verified fact. Do not remove this notice or present this document as final until counsel has approved it and CatOps has verified every operational and security statement.
Security Program
CatOps will maintain a risk-based information-security program with reasonable administrative, technical, and organizational safeguards appropriate to the service and Client Data. The final addendum must describe only controls that are implemented, monitored, and supported by evidence.
Control Areas to Verify
- Tenant isolation and server-side authorization for every Client-data read and write.
- Authentication, password handling, administrative MFA, session expiration, and session revocation.
- Encryption in transit and the verified storage/database encryption configuration.
- Least-privilege production access, access review, secrets management, and personnel offboarding.
- Secure development, dependency scanning, change review, vulnerability remediation, and migration rollback.
- Logging, monitoring, alerting, incident response, backup protection, and tested restoration.
- File-upload restrictions, malware-risk controls, rate limiting, and brute-force protection.
- Service-provider due diligence and written subprocessor obligations.
Client Security Responsibilities
- Configure users, permissions, enabled features, and shared devices appropriately.
- Protect credentials, use supported browsers and devices, and promptly remove unauthorized access.
- Avoid uploading unnecessary sensitive information and maintain appropriate endpoint and network security.
- Notify CatOps promptly of suspected compromise and cooperate with investigation and containment.
Security Incident
A “Security Incident” means confirmed unauthorized access to, acquisition of, or disclosure, alteration, or destruction of Client Data in CatOps’ control, excluding unsuccessful attempts and events caused solely by Client systems or authorized activity. Counsel must align this definition with applicable law and the DPA.
CatOps will investigate, contain, mitigate, and remediate a Security Incident and notify affected Client contacts without undue delay after confirmation, subject to law-enforcement restrictions. A final outer notification deadline, if any, must be approved by counsel and supported operationally.
Incident Notice and Cooperation
Available notices should describe the nature of the incident, affected information and users, known timing, containment and remediation, and recommended Client actions. Information may be provided in phases as the investigation develops. The parties will coordinate legally required notices; neither party will name the other publicly without authorization except as required by law.
Assessment, Evidence, and Changes
Any Client audit rights, security questionnaire process, testing summaries, confidentiality restrictions, frequency, cost allocation, and remediation commitments must be set in the final agreement. CatOps may update safeguards as technology and threats evolve, without materially reducing overall protection during an active subscription.