Supplier Data Processing Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Supplier Data Processing Agreement?

The Supplier Data Processing Agreement is essential when a company (controller) engages a supplier (processor) to handle personal data on its behalf. This document has become increasingly important due to the growing complexity of U.S. privacy regulations at both federal and state levels. It addresses key requirements under various privacy laws, defines security standards, establishes breach notification protocols, and outlines compliance obligations. The agreement is particularly crucial for businesses operating in regulated industries or handling sensitive personal information.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Supplier Data Processing Agreement

A Supplier Data Processing Agreement is a critical legal document that governs the relationship between a company (data controller) and its supplier (data processor) when personal data is shared or processed. This agreement ensures both parties comply with applicable United States privacy laws and establishes clear responsibilities for data protection, security measures, and regulatory compliance.

When do you need this document?

You need a Supplier Data Processing Agreement whenever your business engages third-party suppliers to handle personal data on your behalf. This includes cloud service providers managing customer information, marketing agencies processing consumer data, payroll companies handling employee records, or IT vendors accessing systems containing personal information. The agreement is particularly essential when working with suppliers who process financial data under GLBA requirements, healthcare information governed by HIPAA, children's data subject to COPPA, or California residents' data under CCPA/CPRA. Any cross-border data transfers or processing activities involving sensitive personal information also require this formal agreement to establish legal compliance frameworks.

Key legal considerations

The agreement must clearly define roles and responsibilities between the data controller and processor, ensuring the supplier processes data only for specified purposes and according to documented instructions. Security obligations are paramount, requiring appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, or breach. Breach notification protocols must align with applicable federal and state requirements, including timeframes for reporting incidents to controllers and potentially to regulatory authorities. The document should address data retention periods, deletion requirements, and return of data upon contract termination. Liability allocation and indemnification clauses protect both parties from regulatory penalties and potential lawsuits arising from data protection violations. Additionally, the agreement must include provisions for regular compliance audits and the right to inspect the supplier's data processing activities.

Legal requirements in United States

United States privacy law operates through a complex framework of federal and state regulations. At the federal level, the FTC Act Section 5 provides broad enforcement authority against unfair or deceptive data practices, while sector-specific laws like HIPAA govern healthcare data, GLBA regulates financial information, and COPPA protects children's privacy. State laws add additional layers of compliance, with California's CCPA and CPRA establishing comprehensive privacy rights that often serve as the de facto national standard. Your agreement must address applicable regulatory requirements based on the types of data processed and the jurisdictions involved. For businesses handling healthcare data, HIPAA Business Associate Agreement provisions may need integration. Financial services companies must ensure GLBA compliance for customer information sharing. Companies processing children's data must incorporate COPPA requirements for parental consent and data minimization. The agreement should also address emerging state privacy laws and include flexibility for regulatory changes, ensuring ongoing compliance as the United States privacy landscape continues to evolve.

GOVERNING LAW

Applicable law

This Supplier Data Processing Agreement is drafted to comply with United States law. Key legislation includes:

FTC Act Section 5: Federal Trade Commission Act provisions regarding unfair or deceptive practices in data handling, which forms the basis for federal privacy enforcement

GLBA: Gramm-Leach-Bliley Act - Regulates the collection, use, and disclosure of financial information and requires financial institutions to explain their data-sharing practices

HIPAA: Health Insurance Portability and Accountability Act - Establishes national standards for the protection of individuals' medical records and other personal health information

COPPA: Children's Online Privacy Protection Act - Regulates the collection and use of personal information from children under 13 years of age

CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act - Comprehensive state privacy laws that provide California residents with rights over their personal information and often set de facto national standards

VCDPA: Virginia Consumer Data Protection Act - Comprehensive privacy law providing Virginia residents with rights over their personal data

CPA: Colorado Privacy Act - Comprehensive privacy law establishing requirements for data protection and consumer privacy rights in Colorado

State Breach Laws: Various state-specific data breach notification laws requiring notification of affected individuals in case of data breaches

GDPR: General Data Protection Regulation - EU privacy law with extraterritorial scope that sets global standards for data protection and may apply if processing data of EU residents

PCI DSS: Payment Card Industry Data Security Standard - Security standards for organizations that handle credit card information

SOC 2: Service Organization Control 2 - Compliance framework for service organizations that specifies how organizations should manage customer data

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it