DPA Agreement Template for the United States
Generate a bespoke document
What is a DPA Agreement?
The DPA Agreement is essential when one organization (the processor) processes personal data on behalf of another organization (the controller) in the United States. This document is particularly crucial given the complex landscape of US privacy laws, including federal regulations, state-specific requirements (such as CCPA), and industry-specific compliance needs. The DPA defines processing activities, security measures, breach notification procedures, and compliance requirements, while ensuring adherence to applicable US privacy laws and regulations. It's a fundamental tool for establishing clear accountability and responsibilities in data processing relationships.
About the DPA Agreement
A Data Processing Agreement (DPA) is a crucial legal contract that governs how personal data is handled when one organization processes information on behalf of another. In the United States, where privacy laws vary significantly across federal and state levels, a well-drafted DPA ensures compliance with multiple regulatory frameworks while protecting both parties' interests and consumer privacy rights.
When do you need this document?
You need a DPA whenever your organization engages a third-party service provider to process personal data on your behalf. This includes cloud storage providers, payroll companies, marketing platforms, customer service vendors, and IT support contractors. Healthcare organizations require DPAs when working with billing companies or electronic health record providers to ensure HIPAA compliance. Financial institutions need DPAs with any vendor processing customer financial data to meet GLBA requirements. E-commerce businesses must establish DPAs with payment processors, shipping companies, and analytics providers to comply with state privacy laws like CCPA and CPRA. Even small businesses using basic services like email marketing platforms or customer relationship management systems should have DPAs in place to protect customer data and demonstrate privacy compliance.
Key legal considerations
The most critical aspect of any DPA is clearly defining the scope of data processing activities and establishing robust security measures. Your agreement must specify what types of personal data will be processed, the purposes for processing, and any restrictions on use. Security obligations should include encryption requirements, access controls, employee training, and incident response procedures. Data retention and deletion requirements must align with applicable privacy laws and your business needs. The agreement should address sub-processor arrangements, requiring your vendor to obtain approval before engaging additional parties and ensuring they meet the same security standards. Breach notification procedures must specify timeframes and communication requirements, particularly important under laws like CCPA which require consumer notification within specific periods. International data transfers require special attention, especially if your processor uses overseas sub-contractors or stores data outside the United States.
Legal requirements in United States
US privacy law compliance requires understanding both federal and state-specific requirements that may apply to your data processing activities. The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), impose strict requirements on businesses processing California residents' data, including mandatory DPA provisions and consumer rights protections. Healthcare data processing must comply with HIPAA's Privacy and Security Rules, requiring business associate agreements that function as specialized DPAs. Financial data processing falls under the Gramm-Leach-Bliley Act, mandating specific privacy safeguards and disclosure requirements. The Children's Online Privacy Protection Act (COPPA) requires enhanced protections when processing data of children under 13. Additionally, emerging state privacy laws in Virginia, Colorado, and other states are creating new compliance obligations. The Federal Trade Commission Act provides overarching authority to investigate unfair or deceptive data practices, making comprehensive DPAs essential for demonstrating good faith privacy compliance efforts.
GOVERNING LAW
Applicable law
This DPA Agreement is drafted to comply with United States law. Key legislation includes:
Data Breach Laws: State-specific data breach notification requirements and procedures
Processing Scope: Clear definition of data processing purposes, limitations, and scope of activities
Security Measures: Technical and organizational security measures required for data protection
Confidentiality Obligations: Requirements for maintaining confidentiality of processed data
Sub-processor Management: Requirements and obligations for engaging and managing sub-processors
Breach Notification: Procedures and timelines for data breach notification
Data Subject Rights: Procedures for handling data subject rights requests and requirements
Audit Rights: Rights and procedures for conducting audits of data processing activities
Data Transfer Mechanisms: Requirements and safeguards for cross-border data transfers
Liability Framework: Liability and indemnification provisions for data processing activities
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it