KEYMARK SECURITY ADDENDUM

Version 1 Effective 12/1/2025

This KeyMark Security Addendum (the “Security Addendum”) forms part of the Master Agreement, Order Form, or any other agreement that refers to it (“Incorporating Document”). As used in this Security Addendum, “Agreement” means the Incorporating Document, including this Security Addendum, and any other documents or terms incorporated or referenced in the Incorporating Document.

1. DEFINITIONS

“Certification” means the annual independent third-party audit of the Security Program against one or more security standards.

“Security Measures” means the administrative, physical and technical security measures that KM implements in accordance with the Security Program. 

“Security Program” means KM’s comprehensive information security management system (ISMS), based on industry standards including but not limited to NIST standards and ISO/IEC 27001.

2. SHARED SECURITY MODEL.  The Security Addendum defines the Security Program, including the Security Measures and Certification, that KM offers to Customer as part of the KSS included in the Agreement and provides the boundaries for KM’s responsibility.  The Security Addendum does not provide all security governance for Customer, and Customer remains responsible for the governance and maintenance of its own security program, including but not limited to personnel requirements, password management, data access and data use rights.  KM is not responsible for any system components, personnel, or processes that are outside of the Security Program.

3. SECURITY PROGRAM. 

3.1 CERTIFICATION. 

3.1.1 KM maintains an Information Security Management System (ISMS) certified to ISO/IEC 27001, subject to annual independent audits. The ISMS governs KM’s approach to risk management, access control, incident response, and regulatory compliance.

3.1.2 If KM discontinues ISO/IEC 27001 certification, KM shall adopt and maintain an equivalent industry-standard security framework.

3.1.3 KM may update its Security Program from time to time, provided that such updates do not result in a material reduction in the overall security posture.

3.2 DATA CENTER AND INFRASTRUCTURE SECURITY. 

3.2.1 KM utilizes third-party data center providers that hold ISO/IEC 27001 certification and/or a SOC 2 Type II attestation report.

3.2.2 These providers deliver core infrastructure services including physical security, environmental controls, power redundancy, and secure internet connectivity.

3.2.3 Physical security measures include 24/7 surveillance, biometric access controls, and on-site security personnel.

3.2.4 Environmental safeguards include redundant HVAC systems, fire suppression, and flood detection.

3.2.5 Power systems include uninterruptible power supplies (UPS) and backup generators.

3.3 ACCESS CONTROLS. 

3.3.1 KM enforces role-based access controls across its systems, ensuring that access to Customer Data is restricted to authorized personnel only.

3.3.2 Multi-factor authentication (MFA) is required for administrative access.

3.3.3 The principle of least privilege is applied throughout KM’s systems.

3.3.4 Access rights are reviewed quarterly.

3.3.5 All access attempts are logged and monitored for anomalies.

3.4 PERSONNEL SECURITY AND TRAINING.

3.4.1 All KM personnel are required to sign confidentiality agreements and comply with KM’s internal security and privacy policies.

3.4.2 Security training is provided upon hire and annually thereafter, including phishing awareness and secure data handling practices.

3.4.3 Personnel with access to Customer Data receive role-specific training.

3.4.4 All employees receive incident response training.

3.4.5 Where legally permissible and in accordance with applicable labor laws, KM conducts background checks and drug testing.

3.4.6 Violations of KM’s security policies may result in disciplinary action, up to and including termination.

3.5 DATA PROTECTION.

3.5.1 Customer Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.

3.5.2 Encryption keys are managed securely in accordance with industry best practices.

3.5.3 Logical data segregation is enforced to ensure isolation between customer environments.

3.6 MONITORING AND INCIDENT RESPONSE.

3.6.1 KM maintains automated systems for logging, monitoring, and intrusion detection.

3.6.2 Security events are analyzed and escalated as appropriate.

3.6.3 KM’s incident response plan includes procedures for identification, containment, eradication, recovery, and post-incident review.

3.6.4 In the event of a confirmed data breach, KM shall notify affected customers within the timeframes required by applicable law and provide relevant details regarding the nature and scope of the incident.

3.7 VULNERABILITY MANAGEMENT.

3.7.1 KM continuously performs vulnerability scans on production systems.

3.7.2 Critical patches are applied within 48 hours; high-risk patches within seven days.

3.7.3 Annual penetration testing is conducted by independent third parties.

3.7.4 All findings are tracked through remediation until closure.

3.8 BUSINESS CONTINUITY AND DISASTER RECOVERY.

3.8.1 KM maintains business continuity and disaster recovery plans.

3.8.2 Daily encrypted backups are performed.

3.8.3 Recovery testing is conducted semi-annually.

3.8.4 KM targets a Recovery Time Objective (RTO) of four hours and a Recovery Point Objective (RPO) of one hour.

3.9 SUBPROCESSORS

3.9.1 KM may engage subprocessors to support service delivery.

3.9.2 All subprocessors are contractually bound to meet KM’s security and privacy standards.

3.9.3 A list of subprocessors is available upon request.

3.9.4 KM conducts periodic reviews of subprocessor compliance.

3.10 COMPLIANCE

3.10.1 KM’s ISMS supports compliance with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), where applicable.

3.10.2 KM aligns its practices with recognized frameworks such as the NIST Cybersecurity Framework and the CIS Critical Security Controls.
