Controller Processor Contract Template for the United States

A Controller Processor Contract is a legal agreement that governs the relationship between a data controller and data processor under United States privacy regulations. This contract establishes clear boundaries and responsibilities when one organization processes personal data on behalf of another, ensuring compliance with the complex web of federal and state privacy laws that govern data handling in the US.

When do you need this document?

You need this contract whenever your business engages a third-party service provider to process personal data on your behalf. This includes cloud storage providers, marketing agencies handling customer data, payroll processors managing employee information, or any vendor that accesses, stores, or manipulates personal data for your organization. Healthcare organizations must use this contract when working with business associates under HIPAA, while financial institutions need it for vendors handling consumer financial data under GLBA. E-commerce businesses processing California residents' data require this contract to comply with CCPA/CPRA requirements, and any organization collecting children's data must ensure processors meet COPPA standards.

Key legal considerations

The contract must clearly define the scope of processing activities, specifying what data will be processed, for what purposes, and the duration of processing. Security obligations are crucial, requiring processors to implement appropriate technical and organizational measures to protect personal data. The agreement should include data breach notification procedures, outlining timelines and responsibilities for reporting incidents. Confidentiality clauses must restrict the processor's use of data beyond the specified purposes. The contract should address data subject rights, ensuring processors can assist controllers in responding to individual requests for access, deletion, or correction. Subprocessor provisions are essential, requiring controller approval for any third parties the processor engages. The agreement must include audit rights, allowing controllers to verify processor compliance with contractual obligations.

Legal requirements in United States

United States privacy law operates through a sectoral approach, with different requirements depending on the type of data and industry involved. The FTC Act Section 5 requires that data handling practices not be unfair or deceptive, making clear contractual obligations essential. HIPAA mandates specific Business Associate Agreement provisions when processing protected health information, including breach notification and safeguard requirements. GLBA requires financial institutions to ensure their service providers maintain appropriate data security measures. COPPA imposes strict requirements for processors handling children's data, including parental consent mechanisms. State laws add additional complexity, with CCPA/CPRA requiring specific contractual language about data selling restrictions, consumer rights, and retention limits. The Virginia Consumer Data Protection Act (VCDPA) and similar state laws require contracts to specify processing purposes and restrict data use. Your contract must incorporate relevant provisions from all applicable laws based on your industry, data types, and customer locations.