Data Protection Addendum Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Data Protection Addendum?

This Data Protection Addendum (DPA) is designed to be incorporated into existing service agreements where one party processes personal data on behalf of another. It addresses the growing complexity of US privacy regulations, including federal requirements and state-specific laws such as CCPA and CPRA. The DPA defines data processing terms, security requirements, breach notification procedures, and compliance obligations. It's particularly crucial in today's digital economy where data protection regulations continue to evolve and enforcement actions increase. This document helps organizations maintain compliance while establishing clear accountability and responsibilities in data processing relationships.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Data Protection Addendum

A Data Protection Addendum (DPA) is a crucial legal document that governs how personal data is handled when one organization processes data on behalf of another. In the United States, where privacy regulations span multiple federal and state jurisdictions, having a comprehensive DPA ensures compliance with complex data protection requirements while clearly defining responsibilities between parties.

When do you need this document?

You need a Data Protection Addendum whenever your business engages a third-party vendor to process personal data on your behalf, or when you're providing data processing services to another organization. This includes cloud storage providers handling customer databases, marketing agencies processing consumer information, payroll companies managing employee data, or healthcare vendors accessing patient records. The document becomes essential when working with financial institutions under GLBA requirements, healthcare organizations subject to HIPAA, or any business processing California residents' data under CCPA. If your organization collects children's information and works with third parties, COPPA compliance also requires clear data processing agreements.

Key legal considerations

The most critical aspect of your DPA is defining clear roles and responsibilities between the data controller and processor. You must establish comprehensive security measures that meet industry standards and regulatory requirements, including encryption, access controls, and regular security assessments. Breach notification procedures should specify timelines for reporting incidents, typically within 72 hours for many regulations. Your addendum should address data retention periods, deletion procedures, and international data transfers if applicable. Include provisions for subprocessor agreements, ensuring that any third parties maintain the same level of protection. The document must also establish audit rights, allowing the controller to verify compliance, and termination procedures that ensure secure data return or destruction.

Legal requirements in United States

United States data protection operates under a complex framework of federal and state laws. The FTC Act Section 5 prohibits unfair or deceptive data practices, requiring reasonable security measures and truthful privacy policies. HIPAA mandates specific safeguards for protected health information, including Business Associate Agreements for covered entities. Financial institutions must comply with GLBA's privacy and safeguarding rules when sharing customer information with service providers. State laws add additional layers: California's CCPA and CPRA grant consumers rights to know, delete, and opt-out of data sales, requiring processors to honor these requests. Virginia's VCDPA and Colorado's CPA establish similar frameworks with specific processor obligations. If you process children's data, COPPA requires parental consent and limits data collection practices. Your DPA must address these varying requirements based on your industry, the types of data processed, and the jurisdictions where data subjects reside.

GOVERNING LAW

Applicable law

This Data Protection Addendum is drafted to comply with United States law. Key legislation includes:

FTC Act: Federal Trade Commission Act Section 5 governs unfair or deceptive practices in data handling and privacy

GLBA: Gramm-Leach-Bliley Act regulates the collection, use, and disclosure of personal information by financial institutions

HIPAA: Health Insurance Portability and Accountability Act sets standards for protecting sensitive patient health information

COPPA: Children's Online Privacy Protection Act provides specific requirements for collecting and processing data from children under 13

CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act provide comprehensive privacy rights for California residents

VCDPA: Virginia Consumer Data Protection Act establishes framework for controlling and processing personal data of Virginia residents

CPA: Colorado Privacy Act provides privacy protections and rights for Colorado residents regarding their personal data

UCPA: Utah Consumer Privacy Act establishes privacy rights and obligations for businesses handling Utah residents' data

CTDPA: Connecticut Data Privacy Act provides privacy protections and rights for Connecticut residents

GDPR Considerations: General Data Protection Regulation requirements if handling EU residents' data, including data transfer mechanisms

UK GDPR Considerations: UK version of GDPR requirements if handling UK residents' data, including specific UK data transfer mechanisms

NIST Framework: National Institute of Standards and Technology Cybersecurity Framework providing security standards and best practices

ISO 27001: International standard for information security management systems and best practices

SOC 2: Service Organization Control 2 compliance requirements for security, availability, processing integrity, confidentiality, and privacy

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it