SECURITY ADDENDUM

Effective Date

February 17, 2026

1. Purpose & Relationship to the Agreement

This Security Addendum ("Addendum") describes the technical and organizational measures ("TOMs") Ourfirm.ai maintains to protect Customer Data processed under the applicable master terms (the "Agreement"). Capitalized terms not defined here have the meanings in the Agreement or the Data Processing Addendum ("DPA").

2. Scope

This Addendum applies to Customer Data that customers upload to, receive from, or generate within the Services, including case files, notes, prompts/outputs, and account metadata.

3. Security Program

We maintain a documented, risk-based information security program designed to preserve the confidentiality, integrity, and availability of Customer Data; protect against anticipated threats; and meet legal and contractual obligations.

4. Governance, Risk, and Access Controls

• Segregation. Logical tenant separation of Customer Data.
• Access Control. Role-based access; least privilege; SSO/MFA for administrative access; timely access reviews; prompt revocation upon role change or separation.
• Risk Management. Annual risk assessments; remediation tracking; executive oversight.
• Governance & Policies. Written policies covering data handling, access, encryption, logging, incident response, vendor risk, SDLC, and acceptable use. Annual review.

5. Encryption & Key Management

• Keys. Centralized key management; restricted access; rotation and revocation procedures.
• At Rest. Industry-standard encryption (e.g., AES-256) for storage and backups.
• In Transit. TLS 1.2+ for all external connections.

6. Secure Development & Change Management

• Changes. Documented approvals and rollback procedures for material changes.
• Testing. Pre-deployment testing in non-production environments with scrubbed or synthetic data.
• SDLC. Code reviews, dependency scanning, and secret-leak detection.

7. Logging & Monitoring

Security and application logs for authentication, administrative actions, data access, and system events; protected against tampering; retention consistent with our retention policy; alerting for suspicious activity.

8. Vulnerability Management & Testing

• Remediation Targets. Critical: 7 days; High: 30 days; Medium: 90 days; Low: risk-based.
• Penetration Testing. At least annually by qualified independent testers, with remediation tracking.
• Scanning. Regular vulnerability scanning of applications and infrastructure.

9. Business Continuity & Disaster Recovery

• Resilience. Multi-AZ deployment (where available) and infrastructure as code for rapid rebuilds.
• Objectives. Target RPO <= 24 hours and RTO <= 24 hours for core services.
• Backups. Encrypted backups with periodic restore testing.

10. Personnel Security

Background checks as permitted by law; confidentiality obligations; security awareness training at onboarding and annually; need-to-know access.

11. Vendor and Subprocessor Management

Security and privacy reviews before onboarding; contractual security and confidentiality obligations; data processing terms; region alignment; ongoing monitoring.

12. Data Retention & Deletion

• Upon termination, we delete Customer Data within standard timelines unless legally required to retain.
• Customer-initiated deletion: upon verified request, we delete or de-identify Customer Data from active systems; backups age out on a rolling schedule.
• Retention aligned to customer configuration and legal requirements.

13. Incident Response & Breach Notification

• Notification. We will notify the customer without undue delay and within 72 hours of confirming a Security Incident affecting Customer Data, including known facts, likely impact, and remediation steps, consistent with legal and law-enforcement requirements.
• IR Plan. Defined roles, triage, containment, eradication, and post-incident review.

14. Customer Responsibilities

Configure access controls appropriately; manage user accounts; classify and lawfully collect data; avoid uploading prohibited sensitive data unless expressly permitted; maintain your own device and network security.

15. Changes

We may update this Addendum to reflect evolving practices and legal requirements. Material reductions in protection will be announced in advance via the customer admin contact or posted notice.