Sub Processing Agreement Template for the United States
What is a Sub Processing Agreement?
The Sub Processing Agreement is essential when a data processor needs to engage additional parties to fulfill their processing obligations. This document is particularly relevant in the United States where various federal and state privacy laws create a complex compliance landscape. The agreement ensures that any downstream processing maintains the same level of data protection and compliance as required in the primary processing agreement. It typically includes detailed provisions on security measures, data handling procedures, audit rights, and breach notification requirements, while addressing specific requirements under US privacy laws such as CCPA, HIPAA, and state-specific regulations.
Frequently Asked Questions
Is a Sub Processing Agreement legally binding under United States privacy laws?
Yes, a Sub Processing Agreement is legally binding in the United States when properly executed between parties. Under federal laws like HIPAA and GLBA, as well as state privacy laws like CCPA and VCDPA, these agreements create enforceable obligations for data protection and security measures. The agreement establishes legal liability for both the primary processor and sub-processor in handling personal data.
Can I face penalties if my Sub Processing Agreement is missing or incomplete under US privacy laws?
Yes, missing or incomplete Sub Processing Agreements can result in significant penalties under United States privacy regulations. HIPAA violations can result in fines up to $1.5 million per incident, while CCPA penalties can reach $7,500 per violation. State attorneys general and federal regulators may impose additional sanctions for inadequate data processing safeguards and contractual protections.
How does CCPA affect Sub Processing Agreements in California?
Under the California Consumer Privacy Act (CCPA), Sub Processing Agreements must include specific provisions for consumer rights, data deletion requirements, and disclosure limitations. The agreement must ensure sub-processors can facilitate consumer requests for data access, deletion, and opt-out rights. CCPA also requires clear contractual prohibitions against selling personal information and using data beyond the specified business purpose.
How is a Sub Processing Agreement different from a Data Processing Agreement in the United States?
A Data Processing Agreement establishes the relationship between a data controller and primary processor, while a Sub Processing Agreement governs the relationship between a processor and sub-processor. The Sub Processing Agreement creates additional downstream obligations and typically includes more restrictive terms since it involves a third-party entity. Both must comply with applicable US privacy laws, but sub-processing agreements often require additional security and audit provisions.
How long does it typically take to create a compliant Sub Processing Agreement for United States operations?
Creating a comprehensive Sub Processing Agreement for US compliance typically takes 2-4 weeks with legal review. The timeline includes drafting jurisdiction-specific clauses for applicable federal and state laws, negotiating terms between parties, and conducting legal review for HIPAA, GLBA, CCPA, or other relevant regulations. Complex multi-state operations or specialized industries may require additional time for compliance verification.
Which common mistakes should I avoid when drafting a Sub Processing Agreement for United States compliance?
Common mistakes include failing to specify which US privacy laws apply, inadequate security requirement definitions, and missing breach notification procedures. Many agreements also lack proper indemnification clauses, fail to address cross-border data transfers, or don't include audit rights for compliance verification. Additionally, not specifying data retention periods and deletion procedures can create regulatory compliance issues.
Does HIPAA require specific language in Sub Processing Agreements for healthcare data?
Yes, HIPAA requires Sub Processing Agreements (Business Associate Agreements) to include specific mandatory language for protected health information (PHI). The agreement must contain provisions for permitted uses and disclosures, safeguard requirements, breach reporting procedures, and return or destruction of PHI upon termination. The sub-processor must also agree to comply with applicable HIPAA Security Rule requirements and allow for compliance audits.
About the Sub Processing Agreement
A Sub Processing Agreement is a crucial legal document that governs the relationship between a primary data processor and any third-party sub-processors it engages to handle personal data. Under United States privacy laws, this agreement ensures that when you delegate processing activities to additional parties, the same level of data protection and compliance is maintained throughout the processing chain.
When do you need this document?
You need a Sub Processing Agreement whenever your organization acts as a data processor and must engage third-party vendors or service providers to fulfill your processing obligations. This commonly occurs when you use cloud storage providers, analytics services, customer support platforms, or specialized software vendors that will access personal data. The agreement is essential for compliance with various US privacy laws, including CCPA for California residents, HIPAA for healthcare data, GLBA for financial information, and emerging state laws like Virginia's VCDPA. Without proper sub-processing agreements, you risk violating your primary processing contract and exposing both yourself and the data controller to regulatory penalties and legal liability.
Key legal considerations
The agreement must clearly define the scope of authorized processing activities and establish strict limitations on how the sub-processor can use personal data. Security requirements are paramount, requiring the sub-processor to implement appropriate technical and organizational measures to protect data integrity and confidentiality. Audit rights provisions allow both you and the data controller to verify compliance through inspections or third-party certifications. Breach notification clauses must specify rapid reporting timelines, typically within 24-72 hours of discovery. The agreement should address data transfer restrictions, particularly for international sub-processors, and include provisions for data subject rights requests. Termination clauses must require secure data deletion or return upon contract end, with certification of completion.
Legal requirements in the United States
US privacy law creates a complex compliance environment with overlapping federal and state requirements. Under CCPA and CPRA, sub-processors must be contractually prohibited from selling personal information or using it for purposes beyond the specified services. HIPAA-covered entities must ensure sub-processors sign Business Associate Agreements with additional healthcare-specific protections. Financial institutions must verify sub-processors meet GLBA safeguarding requirements and due diligence standards. The FTC Act requires reasonable security measures and prohibits deceptive practices in data handling. Emerging state laws like Virginia's VCDPA and Colorado's CPA create additional obligations for data minimization and purpose limitations. Cross-border data transfers may trigger additional federal requirements, particularly for government or regulated industry data.
GOVERNING LAW
Applicable law
This Sub Processing Agreement is drafted to comply with United States law. Key legislation includes:
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it