DPA Contract Template for the United States

What is a DPA Contract?

The DPA Contract serves as a critical compliance document in the United States, required whenever an organization (controller) engages another party (processor) to process personal data on its behalf. This agreement is essential for compliance with various state privacy laws and may need to address GDPR requirements if EU resident data is involved. The DPA establishes clear responsibilities, security requirements, and data handling procedures, protecting both parties and ensuring regulatory compliance in data processing operations.

Frequently Asked Questions

Is a DPA contract legally binding in the United States?

Yes, a Data Processing Agreement (DPA) is legally binding in the United States when properly executed between parties. Under state privacy laws like CCPA, CPRA, and VCDPA, businesses are required to have written contracts with service providers that process personal data. These agreements create enforceable legal obligations for data protection and can result in regulatory penalties and civil liability if breached.

Can I be fined if my DPA contract is missing or incomplete under US privacy laws?

Yes, missing or incomplete DPA contracts can result in significant penalties under state privacy laws. Both the CCPA and the VCDPA allow penalties of up to $7,500 per violation. Additionally, incomplete contracts may not provide adequate legal protection during data breaches or regulatory investigations, potentially increasing liability exposure.

Which US privacy laws require DPA contracts between businesses?

Multiple state privacy laws mandate DPA contracts, including California's CCPA and CPRA, Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, and Utah's UCPA. Each law requires written agreements when businesses share personal data with service providers or contractors. The specific requirements vary by state, but all generally mandate data security provisions, purpose limitations, and deletion requirements in the contract.

How is a DPA contract different from a Business Associate Agreement in the US?

A DPA contract covers general state privacy law compliance (CCPA, VCDPA, etc.) for any personal data processing, while a Business Associate Agreement (BAA) specifically addresses HIPAA requirements for protected health information. DPAs apply to broader commercial relationships and consumer data, whereas BAAs are required only when handling medical records or health data. Many healthcare organizations need both agreements to ensure comprehensive compliance.

How long does it take to draft a compliant DPA contract in the United States?

A basic DPA contract can be drafted in 1-3 business days using a template, but comprehensive legal review typically takes 1-2 weeks. The timeline depends on the complexity of data processing activities, number of applicable state laws, and negotiation requirements between parties. Custom agreements for complex data sharing arrangements may require 3-4 weeks for proper legal review and stakeholder approval.

What are the most common mistakes businesses make with US DPA contracts?

The most frequent mistakes include using generic templates that don't address specific state law requirements, failing to update contracts when new privacy laws take effect, and not including required data deletion and breach notification provisions. Many businesses also neglect to specify data processing purposes clearly or fail to include necessary subprocessor approval mechanisms required under state privacy laws.

Can a DPA contract protect my business from data breach lawsuits in the US?

A properly drafted DPA contract provides significant legal protection by clearly defining each party's responsibilities and limiting liability exposure during data breaches. However, it cannot completely eliminate lawsuit risk if gross negligence or willful misconduct occurs. The contract should include indemnification clauses, insurance requirements, and breach notification procedures to maximize protection under state privacy laws and reduce potential damages.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the DPA Contract

A Data Processing Agreement (DPA) Contract is a legally binding document that governs the relationship between organizations when one processes personal data on behalf of another. Under United States privacy laws, this agreement serves as your primary compliance tool, ensuring both parties understand their obligations and responsibilities when handling personal information. The contract establishes clear boundaries for data use, security measures, and regulatory compliance requirements.

When do you need this document?

You need a DPA Contract whenever your organization engages a third-party service provider to process personal data on your behalf, or when you provide data processing services to other companies. This includes relationships with cloud storage providers, email marketing services, customer support platforms, payroll processors, and analytics companies. The agreement is mandatory under California's CCPA and CPRA, as well as privacy laws in Virginia, Colorado, Utah, and Connecticut. You'll also need this document if you process data from EU residents to maintain GDPR compliance. Any situation where personal information crosses organizational boundaries requires this foundational agreement.

Key legal considerations

Your DPA Contract must clearly define the scope and purpose of data processing, ensuring the processor only uses personal information for specified, authorized purposes. The agreement should include robust security requirements, data breach notification procedures, and provisions for data subject rights fulfillment. You need detailed clauses covering data retention periods, deletion requirements, and restrictions on sub-processor arrangements. The contract must address cross-border data transfers, audit rights, and termination procedures. Include liability allocation provisions and ensure the agreement covers both parties' obligations under applicable state privacy laws. Consider adding specific technical and organizational security measures requirements and establishing clear protocols for handling data subject access requests.

Legal requirements in the United States

Under United States privacy legislation, your DPA Contract must comply with varying state requirements while maintaining consistency across jurisdictions. The CCPA and CPRA require specific contractual provisions including processing purpose limitations, data minimization requirements, and consumer rights protection. Virginia's VCDPA mandates clear instructions for processing and prohibits the sale of personal data without explicit consent. Colorado's CPA requires detailed security measures and breach notification procedures within the agreement. Utah's UCPA and Connecticut's CTDPA establish similar framework requirements with jurisdiction-specific variations. If you process EU resident data, you must also incorporate GDPR Article 28 requirements including detailed processing instructions, security measures, and data transfer safeguards. Each state law includes specific penalty structures for non-compliance, making proper contract drafting essential for legal protection.

GOVERNING LAW

Applicable law

This DPA Contract is drafted to comply with United States law. Key legislation includes:

CCPA: California Consumer Privacy Act - Primary privacy law for California residents providing rights and obligations regarding personal data processing

CPRA: California Privacy Rights Act - Updates and expands CCPA with additional privacy protections and obligations

VCDPA: Virginia Consumer Data Protection Act - Comprehensive privacy law protecting Virginia residents' personal data

CPA: Colorado Privacy Act - Comprehensive privacy legislation protecting Colorado residents' personal information

UCPA: Utah Consumer Privacy Act - Privacy legislation establishing framework for processing Utah residents' personal data

CTDPA: Connecticut Data Privacy Act - Comprehensive privacy law protecting Connecticut residents' personal information

GDPR Compliance: Consider GDPR requirements if processing data of EU residents, including data transfer mechanisms and privacy rights

HIPAA: Health Insurance Portability and Accountability Act - Federal law protecting medical information and healthcare data

GLBA: Gramm-Leach-Bliley Act - Federal law governing collection, disclosure, and protection of consumers' financial information

COPPA: Children's Online Privacy Protection Act - Federal law protecting children's personal information online

PCI DSS: Payment Card Industry Data Security Standard - Security standards for organizations handling credit card information

FERPA: Family Educational Rights and Privacy Act - Federal law protecting privacy of student education records

Privacy Shield Framework: Principles governing data transfers between US and EU/Swiss organizations

Standard Contractual Clauses: Legal mechanism for compliant transfer of personal data from EU to non-EU countries

State Data Breach Laws: Various state-specific requirements for notification and handling of data breaches

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it