Commissioned Data Processing Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Commissioned Data Processing Agreement?

The Commissioned Data Processing Agreement is essential when an organization (controller) engages another party (processor) to process personal data on its behalf. This agreement has become increasingly critical with the evolution of U.S. privacy laws and regulations at both federal and state levels. It addresses key requirements for data protection, defines responsibilities and liabilities, and ensures compliance with applicable privacy regulations. The agreement is particularly important in light of stringent state laws like CCPA and industry-specific regulations such as HIPAA and GLBA.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Commissioned Data Processing Agreement

A Commissioned Data Processing Agreement is a critical legal document that governs the relationship between a data controller and a data processor when personal information is shared for processing activities. Under the evolving landscape of United States privacy laws, this agreement ensures both parties understand their obligations and maintain compliance with applicable regulations while protecting individual privacy rights.

When do you need this document?

You need this agreement whenever your organization engages a third party to process personal data on your behalf. This includes situations where you hire cloud service providers, marketing agencies, payroll companies, or IT support firms that will access customer or employee information. The agreement is mandatory when operating under state privacy laws like CCPA or CPRA, and essential for any business relationship involving data sharing across state lines. You should execute this document before any personal data is transferred or processing begins, as it establishes the legal foundation for the entire data handling relationship.

Key legal considerations

The agreement must clearly define the scope and purpose of data processing, specifying what types of personal information will be processed and for what legitimate business purposes. Data security requirements are paramount, including obligations for encryption, access controls, and breach notification procedures. The processor's obligations section should address data retention periods, deletion requirements, and restrictions on further disclosure or use. Liability allocation clauses determine responsibility for regulatory fines, data breaches, and compliance failures. The agreement should include provisions for data subject rights fulfillment, such as access requests and deletion demands. Subprocessor arrangements require careful attention, as the primary processor remains liable for third-party actions. International data transfer provisions may be necessary if processing occurs across borders or involves foreign entities.

Legal requirements in United States

United States privacy law operates through a complex framework of state-level regulations, with California leading through CCPA and CPRA. These laws require explicit contractual protections when personal information is shared with service providers, including restrictions on use, retention, and further disclosure. Virginia's VCDPA, Colorado's CPA, Utah's UCPA, and Connecticut's CTDPA impose similar contractor agreement requirements with slight variations in scope and definitions. The agreement must address specific consumer rights under each applicable state law, including opt-out mechanisms and data portability requirements. Industry-specific regulations like HIPAA for healthcare data and GLBA for financial information may impose additional contractual obligations. Many state laws require that processing agreements include audit rights, allowing controllers to verify processor compliance with privacy obligations. The document should specify which state's privacy law governs the relationship and ensure compatibility with all applicable jurisdictions where either party operates.

GOVERNING LAW

Applicable law

This Commissioned Data Processing Agreement is drafted to comply with United States law. Key legislation includes:

CCPA: California Consumer Privacy Act - Sets a de facto national standard for data privacy protection in the United States, even for businesses operating outside California

CPRA: California Privacy Rights Act - The successor to CCPA, introducing additional privacy protections and creating a dedicated privacy protection agency

VCDPA: Virginia Consumer Data Protection Act - Virginia's comprehensive data privacy law establishing consumer rights and business obligations

CPA: Colorado Privacy Act - Colorado's privacy legislation establishing requirements for data protection and consumer privacy rights

UCPA: Utah Consumer Privacy Act - Utah's privacy law framework for protecting consumer data and establishing business compliance requirements

CTDPA: Connecticut Data Privacy Act - Connecticut's comprehensive privacy legislation protecting consumer data rights

HIPAA: Health Insurance Portability and Accountability Act - Federal law governing the protection of sensitive healthcare data and medical information

GLBA: Gramm-Leach-Bliley Act - Federal law requiring financial institutions to explain their data-sharing practices and protect sensitive financial data

FERPA: Family Educational Rights and Privacy Act - Federal law protecting the privacy of student education records

COPPA: Children's Online Privacy Protection Act - Federal law imposing requirements on operators of websites or online services directed to children under 13

GDPR Compliance: General Data Protection Regulation considerations for US companies processing EU residents' data, including cross-border transfer mechanisms

Data Security Requirements: Specific technical and organizational measures required to ensure appropriate security of personal data processing

Breach Notification: Legal obligations for notifying authorities and affected individuals in case of data breaches

Subprocessor Management: Requirements for managing and overseeing third-party data processors, including approval processes and contractual obligations

Data Subject Rights: Framework for handling individual rights such as access, deletion, correction, and portability of personal data

Data Retention: Requirements for data retention periods and secure deletion procedures

Audit Rights: Provisions for conducting audits and assessments of data processing activities and compliance

Liability Framework: Structure for determining liability and indemnification obligations between parties in case of data protection violations

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it