Data Processing Addendum DPA Template for the United States
Generate a bespoke document
What is a Data Processing Addendum DPA?
The Data Processing Addendum (DPA) is essential when one party processes personal data on behalf of another under U.S. jurisdiction. This document has become increasingly important due to evolving privacy regulations and the growing focus on data protection. It supplements existing service agreements by specifically addressing data processing requirements, security measures, and compliance obligations. The DPA helps organizations meet their obligations under various U.S. privacy laws and potentially international regulations when applicable.
About the Data Processing Addendum DPA
A Data Processing Addendum (DPA) is a legal agreement that defines how personal data will be processed when you engage a third-party service provider. Under United States law, this document creates binding obligations for data protection and helps ensure compliance with federal and state privacy regulations including CCPA, HIPAA, and GLBA.
When do you need this document?
You need a DPA whenever you share personal data with vendors, contractors, or service providers who will process that data on your behalf. This includes cloud storage providers, software-as-a-service platforms, marketing agencies handling customer data, payroll processors managing employee information, and healthcare third parties accessing patient records. The agreement is particularly critical when dealing with sensitive data categories such as financial information, health records, or personal identifiers that trigger specific regulatory requirements.
Key legal considerations
Your DPA must clearly define the scope and purpose of data processing, specifying exactly what data will be processed and for which business purposes. The processor's security obligations should include technical and organizational measures to protect personal data, incident response procedures, and requirements for data breach notification. You should include provisions for data subject rights fulfillment, such as access, deletion, and correction requests. Sub-processor agreements are essential when your primary processor engages additional third parties. The document should address data retention periods, deletion requirements upon contract termination, and audit rights to ensure ongoing compliance.
Legal requirements in United States
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), your DPA must address consumer rights including data deletion, access, and opt-out requirements. Healthcare organizations must ensure HIPAA compliance through business associate agreements that may be incorporated into or supplement the DPA. Financial institutions must meet Gramm-Leach-Bliley Act requirements for safeguarding customer information. Emerging state laws in Virginia, Colorado, Utah, and Connecticut impose additional obligations for data processing agreements. Federal Trade Commission guidelines require reasonable data security measures and prohibit unfair or deceptive practices. If you process data from international sources, GDPR adequacy considerations may apply, requiring additional contractual safeguards for cross-border data transfers.
GOVERNING LAW
Applicable law
This Data Processing Addendum DPA is drafted to comply with United States law. Key legislation includes:
SCCs: Standard Contractual Clauses - Legal mechanisms for international data transfers
Scope of Processing: Key element defining the boundaries and purposes of data processing activities
Security Measures: Required technical and organizational measures for ensuring data security
Data Subject Rights: Procedures for handling data subject requests and ensuring their rights
Cross-border Transfers: Mechanisms and safeguards for transferring data across international borders
Audit Rights: Provisions for conducting audits and assessments of data processing activities
Data Retention: Requirements for data retention periods and deletion procedures
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it