DPA Addendum Template for the United States

A Data Processing Addendum (DPA) is a legally binding contract that governs how personal data is handled when one party processes information on behalf of another. In the United States, this document has become increasingly vital as privacy regulations continue to evolve at both federal and state levels, creating complex compliance requirements for businesses handling personal data.

When do you need this document?

You need a DPA Addendum whenever your business relationship involves processing personal data on behalf of another entity. This is particularly crucial in vendor relationships, cloud services, marketing partnerships, and third-party data analytics arrangements. Healthcare organizations must use DPAs for HIPAA compliance when sharing protected health information with business associates. Financial institutions require them under GLBA when partnering with service providers who handle customer financial data. Technology companies processing customer data for clients need DPAs to comply with state privacy laws like CCPA and VCDPA. The addendum becomes essential when your main service agreement doesn't adequately address data processing responsibilities or when regulatory requirements mandate specific data protection terms.

Key legal considerations

Your DPA Addendum must clearly define the roles of data controller and data processor, establishing who makes decisions about data processing and who carries out the actual processing activities. The scope and purpose of processing section should specify exactly what personal data will be processed, for what purposes, and any limitations on use. Security obligations are critical and must outline technical and organizational measures to protect data, including encryption requirements, access controls, and incident response procedures. Breach notification clauses should establish timelines and responsibilities for reporting security incidents to both the data controller and relevant authorities. Sub-processor provisions must address how third parties can be engaged and what approval processes are required. Data retention and deletion terms should specify how long data can be stored and procedures for secure disposal. Audit rights provisions allow controllers to verify processor compliance through inspections or third-party certifications.

Legal requirements in United States

Under U.S. federal law, the FTC Act Section 5 prohibits unfair or deceptive practices in data handling, making clear data processing terms essential for compliance. HIPAA requires business associate agreements for healthcare data processing, with specific security safeguards and breach notification requirements. GLBA mandates safeguards for financial data processing and clear privacy disclosures. State privacy laws add additional layers of complexity, with California's CCPA and CPRA requiring detailed processing disclosures and consumer rights protections. Virginia's VCDPA, Colorado's CPA, and Utah's UCPA each establish specific controller-processor relationship requirements and consumer protection standards. Your DPA must address data subject rights including access, correction, and deletion requests where applicable. The addendum should specify which jurisdiction's laws govern the agreement and how conflicts between different state requirements will be resolved. International data transfers, while not as strictly regulated as under GDPR, still require appropriate safeguards when personal data leaves U.S. borders.