Controller Processor Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Controller Processor Agreement?

The Controller Processor Agreement (CPA) is essential when one organization (the processor) processes personal data on behalf of another organization (the controller) in the United States. This agreement has become increasingly important with the evolution of privacy regulations across different states and sectors. It addresses key requirements under various US privacy laws, including security measures, data breach notifications, and compliance obligations. The CPA is particularly crucial for organizations handling sensitive personal information, ensuring clear allocation of responsibilities and establishing appropriate safeguards for data processing activities.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Controller Processor Agreement

A Controller Processor Agreement is a critical legal contract that governs the relationship between organizations when personal data is processed on behalf of another entity. As data protection regulations continue to evolve across the United States, this agreement ensures that both parties understand their responsibilities and maintain compliance with applicable privacy laws.

When do you need this document?

You need a Controller Processor Agreement whenever your organization engages a third-party service provider to process personal data on your behalf. This includes cloud storage providers, payroll companies, marketing agencies, IT support vendors, and software-as-a-service platforms that handle customer information. Healthcare organizations using billing services, financial institutions outsourcing data analysis, and e-commerce businesses employing shipping companies all require these agreements. The document is also essential when sub-processors are involved in the data processing chain, ensuring accountability throughout the entire data handling ecosystem.

Key legal considerations

The agreement must clearly define the roles of controller and processor, specify the categories of personal data being processed, and outline the purposes for processing. Security measures represent a crucial component, requiring both technical safeguards like encryption and organizational measures such as employee training and access controls. Data breach notification procedures must be established, typically requiring processors to notify controllers within 72 hours of discovering a breach. The contract should address data retention periods, deletion requirements, and circumstances under which data may be transferred to sub-processors. Audit rights for controllers and liability allocation between parties are essential provisions that protect both organizations from regulatory penalties and legal exposure.

Legal requirements in United States

Federal regulations like the FTC Act require organizations to implement reasonable data security measures and avoid deceptive practices in data handling. HIPAA mandates specific protections for healthcare information, including business associate agreements that function similarly to processor agreements. The Gramm-Leach-Bliley Act governs financial data processing relationships, requiring safeguards for consumer financial information. State-level legislation adds additional complexity, with California's CCPA and CPRA establishing comprehensive privacy rights and requiring specific contractual protections. Virginia's Consumer Data Protection Act and Colorado's Privacy Act impose similar requirements for organizations processing personal data of their residents. These laws often require controllers to ensure processors implement appropriate security measures, honor consumer rights requests, and maintain detailed records of processing activities. Compliance failures can result in significant financial penalties and regulatory enforcement actions.

GOVERNING LAW

Applicable law

This Controller Processor Agreement is drafted to comply with United States law. Key legislation includes:

FTC Act: Federal Trade Commission Act, particularly Section 5, which governs unfair or deceptive practices in data handling and privacy

GLBA: Gramm-Leach-Bliley Act - Federal law governing the collection, use, and protection of consumers' financial information

HIPAA: Health Insurance Portability and Accountability Act - Federal law governing the protection of sensitive healthcare information

CCPA/CPRA: California Consumer Privacy Act/California Privacy Rights Act - California's comprehensive privacy legislation that provides California residents with various data privacy rights

VCDPA: Virginia Consumer Data Protection Act - Virginia's privacy law providing rights to Virginia residents regarding their personal data

Colorado Privacy Act: Colorado's comprehensive privacy legislation establishing requirements for data controllers and processors operating in Colorado

UCPA: Utah Consumer Privacy Act - Utah's privacy law establishing framework for data protection and consumer rights

CTDPA: Connecticut Data Privacy Act - Connecticut's comprehensive privacy law governing the collection and processing of personal data

GDPR Considerations: While not US law, General Data Protection Regulation compliance may be necessary if handling EU residents' data

Data Protection Obligations: Key contractual element defining specific responsibilities for protecting personal data

Security Measures: Technical and organizational measures required to ensure appropriate data security

Breach Notification: Requirements and timelines for notifying relevant parties in case of data breaches

Sub-processor Requirements: Rules and obligations regarding the engagement of sub-processors for data processing activities

Cross-border Transfers: Requirements and safeguards for transferring data across national borders

Data Subject Rights: Procedures for handling data subject requests and ensuring their rights are protected

Audit Rights: Provisions allowing the controller to audit the processor's compliance with privacy obligations

Liability and Indemnification: Terms defining responsibility and compensation for privacy-related incidents or violations

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it