DPA Data Privacy Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a DPA Data Privacy Agreement?

The Data Processing Agreement (DPA) is essential when one organization processes personal data on behalf of another within the United States legal framework. This contract type is particularly crucial given the complex landscape of U.S. privacy laws, including federal regulations and state-specific requirements like CCPA. The DPA explicitly defines processing activities, security measures, and compliance obligations, while addressing data breach protocols and cross-border transfer requirements. It serves as a fundamental document for ensuring privacy compliance and establishing clear accountability in data processing relationships.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the DPA Data Privacy Agreement

A Dpa Data Privacy Agreement is a legally binding contract that governs how personal data is processed when one organization handles data on behalf of another. In the United States, this agreement is crucial for compliance with the complex web of federal and state privacy regulations that protect consumer information across different sectors and jurisdictions.

When do you need this document?

You need a Dpa Data Privacy Agreement whenever your business engages a third-party service provider to process personal data on your behalf. This includes cloud storage providers, marketing agencies handling customer data, payroll companies processing employee information, or healthcare vendors managing patient records. Financial institutions must have these agreements when working with fintech partners under GLBA requirements, while healthcare organizations need them for any vendor handling protected health information under HIPAA. If you operate in California, the CCPA requires these agreements when sharing personal information with service providers, and similar requirements apply under Virginia's VCDPA and other emerging state privacy laws.

Key legal considerations

Your Dpa Data Privacy Agreement must clearly define the scope of data processing activities and specify the categories of personal data involved. The contract should establish robust security measures, including encryption requirements, access controls, and incident response procedures. Data breach notification timelines are critical - you need provisions for immediate notification to comply with various state laws that require consumer notification within 72 hours or less. The agreement must address data subject rights, including how individuals can access, correct, or delete their information. Cross-border data transfer restrictions are increasingly important, especially for international service providers. Include detailed audit rights and compliance monitoring provisions to ensure ongoing adherence to your data protection standards.

Legal requirements in United States

United States privacy law operates through a sectoral approach with multiple overlapping regulations. Under HIPAA, any business associate handling protected health information must sign a compliant agreement with specific safeguards and breach notification requirements. The GLBA requires financial institutions to have written agreements with service providers that include privacy and security provisions. For businesses serving children under 13, COPPA mandates strict data collection and sharing limitations. The FTC Act Section 5 provides broad authority to enforce privacy promises, making contract compliance essential to avoid deceptive practice claims. State laws add additional complexity - California's CCPA requires service provider agreements that limit data use to specified business purposes, while Virginia's VCDPA has similar but distinct requirements. Many states are enacting comprehensive privacy laws with their own contracting requirements, making it essential to structure agreements that meet the highest applicable standards across all relevant jurisdictions.

GOVERNING LAW

Applicable law

This DPA Data Privacy Agreement is drafted to comply with United States law. Key legislation includes:

GLBA: Gramm-Leach-Bliley Act - Federal legislation governing data privacy requirements for financial institutions

HIPAA: Health Insurance Portability and Accountability Act - Federal legislation protecting sensitive patient health information from being disclosed without consent

COPPA: Children's Online Privacy Protection Act - Federal legislation imposing requirements on operators of websites or online services directed to children under 13 years of age

FTC Act Section 5: Federal Trade Commission Act Section 5 - Prohibits unfair or deceptive practices in privacy and data security matters

CCPA/CPRA: California Consumer Privacy Act/California Privacy Rights Act - State legislation providing California residents with rights over their personal information

VCDPA: Virginia Consumer Data Protection Act - State legislation providing Virginia residents with data privacy rights and imposing obligations on businesses

CPA: Colorado Privacy Act - State legislation establishing privacy rights for Colorado residents and requirements for businesses processing their personal data

CTDPA: Connecticut Data Privacy Act - State legislation providing Connecticut residents with various privacy rights and establishing business obligations

UCPA: Utah Consumer Privacy Act - State legislation establishing privacy rights for Utah residents and obligations for businesses processing personal data

GDPR Compliance: General Data Protection Regulation considerations when handling EU residents' data, even if primarily operating in the US

PIPEDA Compliance: Personal Information Protection and Electronic Documents Act considerations when handling Canadian residents' data

Data Processing Scope: Clear definition of what personal data will be processed, how it will be processed, and for what purposes

Security Measures: Technical and organizational measures required to ensure appropriate level of data security

Breach Notification: Requirements and timeframes for reporting data breaches to relevant parties

Data Subject Rights: Procedures for handling data subject requests including access, deletion, and portability

Cross-border Transfers: Requirements and safeguards for transferring personal data across international borders

Audit Rights: Provisions allowing data controller to audit data processor's compliance with privacy obligations

Subprocessor Management: Requirements for engaging and managing subprocessors, including notification and approval processes

Data Retention: Specifications for how long data can be retained and procedures for secure deletion

Confidentiality: Obligations to maintain confidentiality of processed personal data and training requirements for staff

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it