Enterprise and Government Addendum

1. Scope

This Addendum governs the use of Services in enterprise, regulated, and government environments, including:

• Federal, state, and local government agencies
• Government contractors and subcontractors
• Regulated commercial entities

2. Commercial Item Designation

The Services are "Commercial Items" as defined in FAR 2.101.

• Licensed in accordance with FAR 12.212
• Subject to DFARS 227.7202 for DoD use
• No additional rights are granted beyond those expressly stated

3. Data Classification and Responsibility

The Customer is solely responsible for:

• Determining classification of data (e.g., public, sensitive, controlled)
• Ensuring appropriate handling of regulated data (e.g., CUI, FCI, PII)
• Complying with applicable laws, regulations, and agency requirements

The Company does not assume responsibility for Customer data classification.

4. Security Alignment

The Company maintains controls aligned with industry standards (e.g., NIST-based principles, SOC 2 concepts).

Unless explicitly stated in a separate agreement, the Services are not certified for:

• FedRAMP authorization
• DoD IL2–IL6 accreditation
• CJIS compliance
• HIPAA compliance

Use of the Services for regulated workloads requires Customer evaluation and acceptance of associated risk.

5. Deployment Models

The Company may support:

• Multi-tenant SaaS environments
• Dedicated or isolated deployments
• Self-hosted or hybrid configurations

Security and compliance posture may vary depending on deployment model.

6. Access and Identity Management

The Customer is responsible for:

• Identity provider configuration (e.g., SSO systems)
• Role-based access control and least-privilege enforcement
• User lifecycle management

The Company provides system-level controls but does not manage Customer identity governance.

7. Audit and Documentation

Upon reasonable request and subject to confidentiality:

• The Company may provide security documentation
• Responses to standard security questionnaires may be provided
• Formal audits may require separate agreement

Audit access will not expose other customer environments or proprietary systems.

8. Incident Response and Notification

The Company maintains an incident response process consistent with its Security Policy.

Where applicable:

• Incidents involving Customer data will be communicated without undue delay
• Notification obligations are subject to applicable law and contractual terms

9. Data Location and Transfers

Unless otherwise agreed:

• Data may be processed within the United States
• Cross-border transfers may occur subject to safeguards

Customers with data residency requirements must establish such requirements contractually.

10. Export Controls

Use of the Services is subject to U.S. export control laws, including:

• Export Administration Regulations (EAR)
• OFAC sanctions programs

The Customer is responsible for ensuring compliance with applicable restrictions.

11. Limitation of Liability

All liability, indemnification, and warranty provisions are governed by the Terms and Conditions unless modified by a separately executed agreement.

12. Order of Precedence

In the event of conflict:

• This Addendum governs enterprise/government-specific matters
• The DPA governs data protection
• The Terms govern all other matters

13. Governing Law

This Addendum is governed by the laws of the Commonwealth of Virginia, unless otherwise required by federal law for government entities.