Sub Processing Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Sub Processing Agreement?

The Sub Processing Agreement is essential when a data processor needs to engage additional parties to fulfill their processing obligations. This document is particularly relevant in the United States where various federal and state privacy laws create a complex compliance landscape. The agreement ensures that any downstream processing maintains the same level of data protection and compliance as required in the primary processing agreement. It typically includes detailed provisions on security measures, data handling procedures, audit rights, and breach notification requirements, while addressing specific requirements under US privacy laws such as CCPA, HIPAA, and state-specific regulations.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Sub Processing Agreement

A Sub Processing Agreement is a crucial legal document that governs the relationship between a primary data processor and any third-party sub-processors they engage to handle personal data. Under United States privacy laws, this agreement ensures that when you delegate processing activities to additional parties, the same level of data protection and compliance is maintained throughout the processing chain.

When do you need this document?

You need a Sub Processing Agreement whenever your organization acts as a data processor and must engage third-party vendors or service providers to fulfill your processing obligations. This commonly occurs when you use cloud storage providers, analytics services, customer support platforms, or specialized software vendors that will access personal data. The agreement is essential for compliance with various US privacy laws, including CCPA for California residents, HIPAA for healthcare data, GLBA for financial information, and emerging state laws like Virginia's VCDPA. Without proper sub-processing agreements, you risk violating your primary processing contract and exposing both yourself and the data controller to regulatory penalties and legal liability.

Key legal considerations

The agreement must clearly define the scope of authorized processing activities and establish strict limitations on how the sub-processor can use personal data. Security requirements are paramount, requiring the sub-processor to implement appropriate technical and organizational measures to protect data integrity and confidentiality. Audit rights provisions allow both you and the data controller to verify compliance through inspections or third-party certifications. Breach notification clauses must specify rapid reporting timelines, typically within 24-72 hours of discovery. The agreement should address data transfer restrictions, particularly for international sub-processors, and include provisions for data subject rights requests. Termination clauses must require secure data deletion or return upon contract end, with certification of completion.

Legal requirements in United States

US privacy law creates a complex compliance environment with overlapping federal and state requirements. Under CCPA and CPRA, sub-processors must be contractually prohibited from selling personal information or using it for purposes beyond the specified services. HIPAA-covered entities must ensure sub-processors sign Business Associate Agreements with additional healthcare-specific protections. Financial institutions must verify sub-processors meet GLBA safeguarding requirements and due diligence standards. The FTC Act requires reasonable security measures and prohibits deceptive practices in data handling. Emerging state laws like Virginia's VCDPA and Colorado's CPA create additional obligations for data minimization and purpose limitations. Cross-border data transfers may trigger additional federal requirements, particularly for government or regulated industry data.

GOVERNING LAW

Applicable law

This Sub Processing Agreement is drafted to comply with United States law. Key legislation includes:

GLBA: Gramm-Leach-Bliley Act - Federal law governing the protection and handling of financial data and consumer financial privacy

HIPAA: Health Insurance Portability and Accountability Act - Federal law regulating the protection of sensitive healthcare data and patient information

FTC Act: Federal Trade Commission Act - Federal law addressing unfair or deceptive practices in data handling and privacy

COPPA: Children's Online Privacy Protection Act - Federal law protecting children's privacy and regulating collection of data from children under 13

CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act - State laws providing California residents with data privacy rights and regulations

VCDPA: Virginia Consumer Data Protection Act - State law establishing data privacy framework for Virginia residents

CPA: Colorado Privacy Act - State law protecting Colorado residents' personal data and establishing privacy rights

GDPR Considerations: EU General Data Protection Regulation requirements if processing data of EU residents, including data transfer mechanisms and safeguards

PCI DSS: Payment Card Industry Data Security Standard - Security standards for organizations handling credit card information

SOC 2: Service Organization Control 2 - Compliance framework for managing customer data based on security, availability, processing integrity, confidentiality, and privacy

ISO 27001: International standard for information security management systems, providing framework for data protection and security controls

Flow-down Obligations: Contractual requirements that must be passed down from the main Data Processing Agreement to the Sub-processor

SLAs: Service Level Agreements defining performance metrics, response times, and availability requirements for data processing activities

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it