Commissioned Data Processing Agreement Template for the United States

A Commissioned Data Processing Agreement is a critical legal document that governs the relationship between a data controller and a data processor when personal information is shared for processing activities. Under the evolving landscape of United States privacy laws, this agreement ensures both parties understand their obligations and maintain compliance with applicable regulations while protecting individual privacy rights.

When do you need this document?

You need this agreement whenever your organization engages a third party to process personal data on your behalf. This includes situations where you hire cloud service providers, marketing agencies, payroll companies, or IT support firms that will access customer or employee information. The agreement is mandatory when operating under state privacy laws like CCPA or CPRA, and essential for any business relationship involving data sharing across state lines. You should execute this document before any personal data is transferred or processing begins, as it establishes the legal foundation for the entire data handling relationship.

Key legal considerations

The agreement must clearly define the scope and purpose of data processing, specifying what types of personal information will be processed and for what legitimate business purposes. Data security requirements are paramount, including obligations for encryption, access controls, and breach notification procedures. The processor's obligations section should address data retention periods, deletion requirements, and restrictions on further disclosure or use. Liability allocation clauses determine responsibility for regulatory fines, data breaches, and compliance failures. The agreement should include provisions for data subject rights fulfillment, such as access requests and deletion demands. Subprocessor arrangements require careful attention, as the primary processor remains liable for third-party actions. International data transfer provisions may be necessary if processing occurs across borders or involves foreign entities.

Legal requirements in United States

United States privacy law operates through a complex framework of state-level regulations, with California leading through CCPA and CPRA. These laws require explicit contractual protections when personal information is shared with service providers, including restrictions on use, retention, and further disclosure. Virginia's VCDPA, Colorado's CPA, Utah's UCPA, and Connecticut's CTDPA impose similar contractor agreement requirements with slight variations in scope and definitions. The agreement must address specific consumer rights under each applicable state law, including opt-out mechanisms and data portability requirements. Industry-specific regulations like HIPAA for healthcare data and GLBA for financial information may impose additional contractual obligations. Many state laws require that processing agreements include audit rights, allowing controllers to verify processor compliance with privacy obligations. The document should specify which state's privacy law governs the relationship and ensure compatibility with all applicable jurisdictions where either party operates.