Data Protection Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Data Protection Agreement?

The Data Protection Agreement is essential for organizations handling personal data in the United States, whether as controllers or processors. This document becomes necessary when one party processes personal data on behalf of another, ensuring compliance with various U.S. privacy regulations including CCPA, HIPAA, and state-specific laws. It establishes clear responsibilities, security requirements, and liability arrangements between parties, while addressing specific compliance obligations and risk management considerations.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Data Protection Agreement

A Data Protection Agreement is a legally binding contract that governs how personal data is handled between organizations in the United States. This document establishes clear roles and responsibilities when one party processes personal information on behalf of another, ensuring compliance with complex federal and state privacy regulations including CCPA, HIPAA, GLBA, and COPPA.

When do you need this document?

You need a Data Protection Agreement whenever your organization shares personal data with third-party service providers, vendors, or business partners. This includes cloud storage providers handling customer information, marketing agencies processing consumer data, payroll companies managing employee records, or healthcare providers sharing patient information with billing services. The agreement is particularly crucial for California businesses subject to CCPA requirements, healthcare entities under HIPAA obligations, and financial institutions governed by GLBA. Any situation where personal data crosses organizational boundaries requires this protective framework to ensure legal compliance and minimize liability risks.

Key legal considerations

Several critical elements must be addressed in your Data Protection Agreement to ensure effective legal protection. Data security measures should specify encryption standards, access controls, and incident response procedures that meet or exceed industry standards. Breach notification clauses must outline specific timelines and procedures that comply with applicable state and federal requirements. The agreement should clearly define each party's liability limitations and indemnification obligations in case of data breaches or regulatory violations. Audit rights provisions allow data controllers to verify processor compliance with agreed-upon security standards. Termination and data return clauses ensure personal information is properly deleted or returned when the relationship ends. Additionally, the agreement must address data subject rights procedures, ensuring individuals can exercise their privacy rights under applicable laws.

Legal requirements in United States

United States data protection requirements vary significantly by industry and jurisdiction, making compliance complex for multi-state operations. Under CCPA and CPRA, California businesses must ensure service providers commit to using personal information only for specified business purposes and implement reasonable security measures. HIPAA-covered entities must execute Business Associate Agreements with specific privacy and security safeguards for protected health information. Financial institutions under GLBA must ensure service providers maintain appropriate safeguards for customer information. The FTC Act Section 5 prohibits unfair or deceptive practices regarding data handling, applying broadly across industries. State-specific laws like Illinois BIPA require additional protections for biometric data. Your Data Protection Agreement must incorporate relevant federal and state requirements based on your industry sector, data types processed, and operational jurisdictions to ensure comprehensive legal compliance.

GOVERNING LAW

Applicable law

This Data Protection Agreement is drafted to comply with United States law. Key legislation includes:

CCPA: California Consumer Privacy Act - Primary privacy legislation for California residents, providing rights regarding personal data collection, use, and sharing

CPRA: California Privacy Rights Act - Enhanced version of CCPA providing additional privacy protections and establishing a dedicated privacy protection agency

HIPAA: Health Insurance Portability and Accountability Act - Federal law governing protection of sensitive patient health information

GLBA: Gramm-Leach-Bliley Act - Federal law requiring financial institutions to explain their information-sharing practices and protect sensitive data

COPPA: Children's Online Privacy Protection Act - Federal law imposing requirements on operators of websites/online services regarding children under 13

FTC Act Section 5: Federal Trade Commission Act Section 5 - Prohibits unfair or deceptive practices in privacy and data security matters

State Privacy Laws: Various state-specific privacy laws including Virginia Consumer Data Protection Act and Colorado Privacy Act

State Breach Laws: State-specific requirements for notification and handling of data breaches

GDPR Considerations: General Data Protection Regulation requirements if handling data of EU residents, including cross-border transfer requirements

PCI DSS: Payment Card Industry Data Security Standard - Security standards for organizations handling credit card information

SOC 2: System and Organization Controls 2 - Audit framework specifying how organizations should manage customer data

ISO 27001: International standard for information security management systems, providing framework for data protection policies and procedures

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it