Sample DPA Template
This U.S. Data Processing Agreement template is provided by TrueVault for informational purposes only and does not constitute legal advice. Use of this template is no guarantee that you are upholding your legal obligations. If you have any questions about your legal obligations, you should consult an attorney.
U.S. Data Processing Agreement
This Data Processing Agreement (the “DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by _______________ (the “Processor”) on behalf of __________ (the “Controller”) in connection with Processor’s services (the “Services”) under the Service Agreement (the “Agreement”) governing Customer’s use of the Services. The DPA amends the Agreement and will become effective upon execution by both parties. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
1. DEFINITIONS
a. “Business” means an entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which includes, as applicable, a “Business” as defined under Section 1798.140 of the CCPA, and any analogous variation of such term under U.S. Data Protection Laws.
b. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et seq., and its implementing regulations.
c. “Customer Personal Information” means any data processed by Processor on Controller’s behalf, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, to the extent that such information is protected as “personal information” (or an analogous variation of such term) under applicable U.S. Data Protection Laws.
d. “Instructions” means the written, documented instructions issued by a Business to a Service Provider, and directing the same to perform a specific or general action with regard to Customer Personal Information (including, but not limited to, depersonalizing, blocking, deletion, and making available).
e. “Processing” means any operation or set of operations which is performed on Customer Personal Information, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Customer Personal Information. The terms “Process,” “Processes” and “Processed” will be construed accordingly.
f. “Sell,” “Selling,” and “Sale” have the meaning set forth in Section 1798.140 of the CCPA.
g. “Service Provider” means an entity that processes Customer Personal Information on behalf of Customer, which includes, as applicable, a “Service Provider” as defined in Section 1798.140 of the CCPA, and any analogous variation of such term under U.S. Data Protection Laws.
h. “Share,” “Shared,” and “Sharing” have the meaning set forth in Section 1798.140 of the CCPA.
i. “U.S. Data Protection Laws” means all laws and regulations of the United States of America, including but not limited to the CCPA, applicable to the processing of personal information (or an analogous variation of such term).
2. ROLES OF THE PARTIES
The parties acknowledge and agree that with regard to the Processing of Customer Personal Information performed on behalf of Customer, Processor is a Service Provider and Customer is a Business. Processor receives Customer Personal Information pursuant to the business purpose of providing the Services to Customer in accordance with the Agreement.
3. CUSTOMER’S INSTRUCTIONS
The parties agree that the Agreement (including this DPA), together with Customer’s use of the Services in accordance with the Agreement, constitute Customer’s complete and final Instructions to Processor in relation to the Processing of Customer Personal Information, and additional instructions outside the scope of the Instructions shall require prior written agreement between the parties.
4. PROCESSOR’S OBLIGATIONS
With respect to the Processing of Customer Personal Information by Processor on behalf of Customer, Processor agrees to the following.
- Processor shall adhere to Customer’s Instructions at all times regarding the Processing of Customer Personal Information.
- Processor shall assist Customer in meeting its obligations under U.S. Data Protection Laws. Such assistance shall include:
  - Taking into account the nature of processing and the information available to Processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill Customer's obligation to respond to consumer privacy requests pursuant to U.S. Data Protection Laws.
  - Taking into account the nature of processing and the information available to Processor, by assisting Customer in meeting its obligations in relation to the security of processing the Customer Personal Information and in relation to the notification of breach of security of the Processor’s system in order to meet Customer’s obligations under this DPA.
  - Providing necessary information to enable Customer to conduct and document data protection assessments pursuant to U.S. Data Protection Laws.
- Processor will ensure that each person processing Customer Personal Information is subject to a duty of confidentiality with respect to the data.
- At Customer's direction, Processor will delete or return all Customer Personal Information to Customer as requested at the end of the provision of services, unless retention of the Customer Personal Information is required by law.
- Upon Customer’s reasonable request, Processor will make available to the Customer all information in its possession necessary to demonstrate Processor's compliance with U.S. Data Protection Laws.
- Processor will allow, and cooperate with, reasonable assessments by Customer or Customer's designated assessor; alternatively, Processor may arrange for a qualified and independent assessor to conduct an assessment of Processor's policies and technical and organizational measures in support of Processor’s obligations under U.S. Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The Processor shall provide a report of such assessment to Customer upon request.
- If Processor engages any other person or entity to assist it in Processing Customer Personal Information on behalf of Customer, or if any other person engaged by Processor engages another person or entity to assist in Processing Customer Personal Information for that business purpose, Processor shall notify Customer of that engagement and give Customer the opportunity to object. The engagement shall be pursuant to a written contract binding the other person or entity to observe all the requirements set forth in this DPA.
- Processor shall not Sell or Share Customer Personal Information.
- Processor shall not retain, use, or disclose Customer Personal Information for any purpose other than business purposes specified in the Agreement.
- Processor shall not retain, use, or disclose the Customer Personal Information outside of the direct business relationship between Processor and Customer.
- Processor shall not combine the Customer Personal Information that Processor receives from, or on behalf of, Customer with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer.
5. NATURE AND PURPOSE OF PROCESSING
6. CATEGORIES OF PERSONAL INFORMATION PROCESSED