Supplier Data Processing Agreement Template for the United States
Generate a bespoke document
What is a Supplier Data Processing Agreement?
The Supplier Data Processing Agreement is essential when a company (controller) engages a supplier (processor) to handle personal data on its behalf. This document has become increasingly important due to the growing complexity of U.S. privacy regulations at both federal and state levels. It addresses key requirements under various privacy laws, defines security standards, establishes breach notification protocols, and outlines compliance obligations. The agreement is particularly crucial for businesses operating in regulated industries or handling sensitive personal information.
About the Supplier Data Processing Agreement
A Supplier Data Processing Agreement is a critical legal document that governs the relationship between a company (data controller) and its supplier (data processor) when personal data is shared or processed. This agreement ensures both parties comply with applicable United States privacy laws and establishes clear responsibilities for data protection, security measures, and regulatory compliance.
When do you need this document?
You need a Supplier Data Processing Agreement whenever your business engages third-party suppliers to handle personal data on your behalf. This includes cloud service providers managing customer information, marketing agencies processing consumer data, payroll companies handling employee records, or IT vendors accessing systems containing personal information. The agreement is particularly essential when working with suppliers who process financial data under GLBA requirements, healthcare information governed by HIPAA, children's data subject to COPPA, or California residents' data under CCPA/CPRA. Any cross-border data transfers or processing activities involving sensitive personal information also require this formal agreement to establish legal compliance frameworks.
Key legal considerations
The agreement must clearly define roles and responsibilities between the data controller and processor, ensuring the supplier processes data only for specified purposes and according to documented instructions. Security obligations are paramount, requiring appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, or breach. Breach notification protocols must align with applicable federal and state requirements, including timeframes for reporting incidents to controllers and potentially to regulatory authorities. The document should address data retention periods, deletion requirements, and return of data upon contract termination. Liability allocation and indemnification clauses protect both parties from regulatory penalties and potential lawsuits arising from data protection violations. Additionally, the agreement must include provisions for regular compliance audits and the right to inspect the supplier's data processing activities.
Legal requirements in United States
United States privacy law operates through a complex framework of federal and state regulations. At the federal level, the FTC Act Section 5 provides broad enforcement authority against unfair or deceptive data practices, while sector-specific laws like HIPAA govern healthcare data, GLBA regulates financial information, and COPPA protects children's privacy. State laws add additional layers of compliance, with California's CCPA and CPRA establishing comprehensive privacy rights that often serve as the de facto national standard. Your agreement must address applicable regulatory requirements based on the types of data processed and the jurisdictions involved. For businesses handling healthcare data, HIPAA Business Associate Agreement provisions may need integration. Financial services companies must ensure GLBA compliance for customer information sharing. Companies processing children's data must incorporate COPPA requirements for parental consent and data minimization. The agreement should also address emerging state privacy laws and include flexibility for regulatory changes, ensuring ongoing compliance as the United States privacy landscape continues to evolve.
GOVERNING LAW
Applicable law
This Supplier Data Processing Agreement is drafted to comply with United States law. Key legislation includes:
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it