Controller Processor Agreement Template for the United States
Generate a bespoke document
What is a Controller Processor Agreement?
The Controller Processor Agreement (CPA) is essential when one organization (the processor) processes personal data on behalf of another organization (the controller) in the United States. This agreement has become increasingly important with the evolution of privacy regulations across different states and sectors. It addresses key requirements under various US privacy laws, including security measures, data breach notifications, and compliance obligations. The CPA is particularly crucial for organizations handling sensitive personal information, ensuring clear allocation of responsibilities and establishing appropriate safeguards for data processing activities.
About the Controller Processor Agreement
A Controller Processor Agreement is a critical legal contract that governs the relationship between organizations when personal data is processed on behalf of another entity. As data protection regulations continue to evolve across the United States, this agreement ensures that both parties understand their responsibilities and maintain compliance with applicable privacy laws.
When do you need this document?
You need a Controller Processor Agreement whenever your organization engages a third-party service provider to process personal data on your behalf. This includes cloud storage providers, payroll companies, marketing agencies, IT support vendors, and software-as-a-service platforms that handle customer information. Healthcare organizations using billing services, financial institutions outsourcing data analysis, and e-commerce businesses employing shipping companies all require these agreements. The document is also essential when sub-processors are involved in the data processing chain, ensuring accountability throughout the entire data handling ecosystem.
Key legal considerations
The agreement must clearly define the roles of controller and processor, specify the categories of personal data being processed, and outline the purposes for processing. Security measures represent a crucial component, requiring both technical safeguards like encryption and organizational measures such as employee training and access controls. Data breach notification procedures must be established, typically requiring processors to notify controllers within 72 hours of discovering a breach. The contract should address data retention periods, deletion requirements, and circumstances under which data may be transferred to sub-processors. Audit rights for controllers and liability allocation between parties are essential provisions that protect both organizations from regulatory penalties and legal exposure.
Legal requirements in United States
Federal regulations like the FTC Act require organizations to implement reasonable data security measures and avoid deceptive practices in data handling. HIPAA mandates specific protections for healthcare information, including business associate agreements that function similarly to processor agreements. The Gramm-Leach-Bliley Act governs financial data processing relationships, requiring safeguards for consumer financial information. State-level legislation adds additional complexity, with California's CCPA and CPRA establishing comprehensive privacy rights and requiring specific contractual protections. Virginia's Consumer Data Protection Act and Colorado's Privacy Act impose similar requirements for organizations processing personal data of their residents. These laws often require controllers to ensure processors implement appropriate security measures, honor consumer rights requests, and maintain detailed records of processing activities. Compliance failures can result in significant financial penalties and regulatory enforcement actions.
GOVERNING LAW
Applicable law
This Controller Processor Agreement is drafted to comply with United States law. Key legislation includes:
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it