Data Processing Addendum DPA Template for the United States


What is a Data Processing Addendum DPA?

The Data Processing Addendum (DPA) is essential when one party processes personal data on behalf of another under U.S. jurisdiction. This document has become increasingly important due to evolving privacy regulations and the growing focus on data protection. It supplements existing service agreements by specifically addressing data processing requirements, security measures, and compliance obligations. The DPA helps organizations meet their obligations under various U.S. privacy laws and potentially international regulations when applicable.

Frequently Asked Questions

Is a Data Processing Addendum legally binding in the United States?

Yes, a Data Processing Addendum is legally binding in the United States when properly executed as part of, or as a supplement to, an existing service agreement. It creates enforceable obligations regarding data processing activities and compliance with federal laws like HIPAA and state privacy laws like CCPA. Courts recognize DPAs as valid contractual instruments that establish legal duties between data controllers and processors.

Can I be fined if my Data Processing Addendum is missing or incomplete?

Yes, missing or inadequate Data Processing Addendums can result in significant penalties under various U.S. privacy laws. CCPA violations can lead to fines up to $7,500 per violation, while HIPAA penalties range from $100 to $50,000 per violation with annual maximums reaching $1.5 million. Incomplete DPAs may also void liability protections and create breach notification obligations.

Which U.S. privacy laws require a Data Processing Addendum?

CCPA/CPRA requires written contracts for service providers processing personal information, while HIPAA mandates Business Associate Agreements for covered entities. GLBA requires written agreements for data processing by financial institutions, and emerging state laws like Virginia's CDPA and Colorado's CPA have similar contractual requirements. Federal sector work may require additional compliance with Privacy Act requirements.

How is a Data Processing Addendum different from a Business Associate Agreement?

A Business Associate Agreement is specific to HIPAA compliance for healthcare data processing, while a Data Processing Addendum covers broader privacy law compliance including CCPA, GLBA, and state privacy laws. BAAs focus exclusively on protected health information, whereas DPAs address personal information across multiple industries and regulatory frameworks. Many organizations need both documents for comprehensive privacy compliance.

How long does it typically take to create a Data Processing Addendum?

Creating a comprehensive Data Processing Addendum typically takes 2-4 weeks, including legal review, stakeholder input, and negotiations between parties. Simple templates can be adapted in 3-5 business days, but complex arrangements involving multiple jurisdictions, sensitive data types, or extensive security requirements may require 6-8 weeks. Rush processing is possible but may compromise thoroughness.

Can I use the same DPA template for CCPA and HIPAA compliance?

No, CCPA and HIPAA have different contractual requirements that typically require separate agreements or highly specialized combined documents. HIPAA requires specific Business Associate Agreement language and provisions, while CCPA has distinct service provider contract requirements. Using inappropriate templates can create compliance gaps and regulatory exposure under both laws.

Why do businesses get audited for Data Processing Addendum violations?

Data Processing Addendum violations often trigger regulatory audits because they indicate systemic privacy compliance failures. State attorneys general and regulatory bodies view missing or inadequate DPAs as red flags for broader privacy law violations. Additionally, data breach investigations frequently uncover DPA deficiencies, leading to expanded regulatory scrutiny and potential enforcement actions.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI


A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI


A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Data Processing Addendum DPA

A Data Processing Addendum (DPA) is a legal agreement that defines how personal data will be processed when you engage a third-party service provider. Under United States law, this document creates binding obligations for data protection and helps ensure compliance with federal and state privacy regulations including CCPA, HIPAA, and GLBA.

When do you need this document?

You need a DPA whenever you share personal data with vendors, contractors, or service providers who will process that data on your behalf. This includes cloud storage providers, software-as-a-service platforms, marketing agencies handling customer data, payroll processors managing employee information, and healthcare third parties accessing patient records. The agreement is particularly critical when dealing with sensitive data categories such as financial information, health records, or personal identifiers that trigger specific regulatory requirements.

Key legal considerations

Your DPA must clearly define the scope and purpose of data processing, specifying exactly what data will be processed and for which business purposes. The processor's security obligations should include technical and organizational measures to protect personal data, incident response procedures, and requirements for data breach notification. You should include provisions for data subject rights fulfillment, such as access, deletion, and correction requests. Sub-processor agreements are essential when your primary processor engages additional third parties. The document should address data retention periods, deletion requirements upon contract termination, and audit rights to ensure ongoing compliance.

Legal requirements in the United States

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), your DPA must address consumer rights including data deletion, access, and opt-out requirements. Healthcare organizations must ensure HIPAA compliance through business associate agreements that may be incorporated into or supplement the DPA. Financial institutions must meet Gramm-Leach-Bliley Act requirements for safeguarding customer information. Emerging state laws in Virginia, Colorado, Utah, and Connecticut impose additional obligations for data processing agreements. Federal Trade Commission guidelines require reasonable data security measures and prohibit unfair or deceptive practices. If you process data from international sources, GDPR adequacy considerations may apply, requiring additional contractual safeguards for cross-border data transfers.

Governing law

Applicable law

This Data Processing Addendum DPA is drafted to comply with United States law. Key legislation includes:

CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act - comprehensive state-level privacy laws setting standards for data collection, processing, and consumer rights

HIPAA: Health Insurance Portability and Accountability Act - federal law governing protection of personal health information and medical data

GLBA: Gramm-Leach-Bliley Act - federal law setting requirements for financial institutions handling personal information

FTC Act: Federal Trade Commission Act - contains general consumer protection provisions regarding unfair or deceptive practices in privacy and data security

State Privacy Laws: various state-specific privacy laws including Virginia (VCDPA), Colorado Privacy Act, Utah Consumer Privacy Act, and Connecticut Data Privacy Act

GDPR Considerations: General Data Protection Regulation considerations when dealing with EU residents' data, often used as an international benchmark

SCCs: Standard Contractual Clauses - legal mechanisms for international data transfers

Scope of Processing: Key element defining the boundaries and purposes of data processing activities

Security Measures: Required technical and organizational measures for ensuring data security

Breach Notification: Requirements and procedures for notifying relevant parties in case of data breaches

Data Subject Rights: Procedures for handling data subject requests and ensuring their rights

Cross-border Transfers: Mechanisms and safeguards for transferring data across international borders

Audit Rights: Provisions for conducting audits and assessments of data processing activities

Subprocessor Requirements: Rules and obligations regarding the use of subprocessors in data processing activities

Data Retention: Requirements for data retention periods and deletion procedures

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO 27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it