A processor‑friendly Data Processing Addendum for handling personal data within the United States, defining clear processing limits, required security measures, incident‑response obligations, and state‑privacy‑law compliance.
Released under CC0 — free for anyone to use, modify, and redistribute for any purpose, without attribution. This template is provided as-is and does not constitute legal advice.
This DPA creates a legally compliant, predictable framework for processing personal data within the United States. It supplements a main services agreement and governs how a service provider (“Provider”) may process personal data on behalf of a customer (“Customer”) when delivering contracted services. The DPA defines the parties’ roles, restricts the Provider to processing only under Customer instructions, outlines required security measures, and sets rules for incident response, subprocessors, audits, and data return or deletion. It also incorporates U.S. state privacy‑law requirements and includes modern provisions addressing AI/ML usage, automated decision‑making, and obligations for handling data subject requests. Together, these terms establish a controlled and transparent structure for vendor data processing.
You need this DPA whenever your company uses a service provider to process personal data on your behalf in the United States, especially if the data falls under state privacy laws (e.g., CCPA/CPRA, CPA, CTDPA, VCDPA). It is essential when the provider will access, store, transmit, or otherwise handle personal data as part of delivering services. The DPA ensures the provider processes data only under your instructions, maintains appropriate security, supports your compliance obligations, and allows you to meet regulatory requirements around data subject rights, incident notification, and vendor oversight. It is also required when your business must prohibit the provider from selling or sharing personal information, combining it with other datasets, or using it for AI training or unrelated commercial purposes.
This DPA template provides a comprehensive, modern, and U.S.-focused structure for governing processor‑level data handling. It includes the core elements most companies need: clear definitions; strict processing‑instruction requirements; detailed security obligations; incident‑response protocols; subprocessor controls; audit rights; and robust return‑and‑deletion procedures. It also reflects current regulatory expectations by incorporating state privacy law requirements, prohibiting unauthorized data use, and adding explicit AI/ML restrictions. The template is designed to be processor‑friendly while still giving the Customer the oversight and protections required under U.S. privacy laws. It is a strong starting point for reducing legal risk, ensuring compliant vendor relationships, and establishing predictable data‑handling practices. We recommend that it be tailored to your specific services and reviewed by a qualified attorney before you adopt it.