U.S. Data Processing Addendum (DPA)

What is a U.S. Data Processing Addendum (DPA)?

This DPA creates a legally compliant, predictable framework for processing personal data within the United States. It supplements a main services agreement and governs how a service provider (“Provider”) may process personal data on behalf of a customer (“Customer”) when delivering contracted services. The DPA defines the parties’ roles, restricts the Provider to processing only under Customer instructions, outlines required security measures, and sets rules for incident response, subprocessors, audits, and data return or deletion. It also incorporates U.S. state privacy‑law requirements and includes modern provisions addressing AI/ML usage, automated decision‑making, and obligations for handling data subject requests. Together, these terms establish a controlled and transparent structure for vendor data processing.

When Do You Need This DPA?

You need this DPA whenever your company uses a service provider to process personal data on your behalf in the United States, especially if the data falls under state privacy laws (e.g., CCPA/CPRA, CPA, CTDPA, VCDPA). It is essential when the provider will access, store, transmit, or otherwise handle personal data as part of delivering services. The DPA ensures the provider processes data only under your instructions, maintains appropriate security, supports your compliance obligations, and allows you to meet regulatory requirements around data subject rights, incident notification, and vendor oversight. It is also required when your business must prohibit the provider from selling or sharing personal information, combining it with other datasets, or using it for AI training or unrelated commercial purposes.

Why Use This Template?

This DPA template provides a comprehensive, modern, and U.S.-focused structure for governing processor‑level data handling. It includes the core elements most companies need: clear definitions; strict processing‑instruction requirements; detailed security obligations; incident‑response protocols; subprocessor controls; audit rights; and robust return‑and‑deletion procedures. It also reflects current regulatory expectations by incorporating state privacy law requirements, prohibiting unauthorized data use, and adding explicit AI/ML restrictions. The template is designed to be processor‑friendly while still giving the Customer the oversight and protections required under U.S. privacy laws. It is a strong starting point for reducing legal risk, ensuring compliant vendor relationships, and establishing predictable data‑handling practices. We recommend that it be tailored to your specific services and reviewed by a qualified attorney before adoption.

Key Provisions Included

  • Processing limited to Customer’s documented instructions
  • Defined security measures and incident‑response obligations
  • Customer responsibilities, including restrictions on submitting sensitive data
  • Support for data‑subject requests (with paid extended assistance)
  • Subprocessor controls, notice, and objection rights
  • Audit rights with acceptance of SOC 2/ISO reports
  • Data return and deletion requirements at end of service
  • State privacy‑law compliance and service‑provider restrictions
  • AI/ML usage limits and automated‑decision‑making transparency
  • Liability aligned with the main agreement