AI Generated American Data Processing Agreement
PDF & Word - 2026 Updated

When Do You Need a Data Processing Agreement in the United States?
American Legal Rules for a Data Processing Agreement
Using the wrong structure for a data processing agreement can lead to non-compliance with applicable data protection laws and expose parties to legal liabilities.
What a Proper Data Processing Agreement Should Include
- Roles and Responsibilities: Clearly defines who is the data controller (decides how data is used) and who is the data processor (handles the data on behalf of the controller).
- Data Processing Details: Specifies what personal data will be processed, for what purposes, and how it will be handled.
- Security Measures: Requires the processor to implement strong protections to keep data safe from unauthorized access or breaches.
- Data Sharing Limits: Prohibits the processor from sharing data with third parties without the controller's permission.
- Breach Notification: Mandates quick reporting to the controller if a data breach occurs.
- Data Deletion Rules: Instructs the processor to securely delete or return data when the agreement ends or when no longer needed.
- Audits and Compliance Checks: Allows the controller to review the processor's practices to ensure they follow data protection laws.
- Sub-processor Management: Outlines rules for the processor if they need to use another company to help with data tasks.
United States: Free Example Data Processing Agreement Template
Below is a free template example of a Data Processing Agreement for use in the United States generated by our AI model.
The clauses in your actual Data Processing Agreement will vary from this example as they will be entirely bespoke to your requirements as set out in the questionnaire you complete.
Data Processing Agreement
1. RECITALS
This Data Processing Agreement (the "DPA") is entered into as of January 1, 2024 by and between the Controller and the Processor and supplements the Master Services Agreement dated January 1, 2024 (the "Underlying Agreement").
In the event of any conflict between the terms of this DPA and the Underlying Agreement with respect to data processing, this DPA shall take precedence.
The parties intend for this DPA to ensure compliance with all applicable US state privacy laws, including but not limited to the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (CDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and any other similar US state laws that may become applicable.
The primary purpose of this DPA is to outline the terms under which the Processor will process personal information on behalf of the Controller in compliance with applicable US data privacy laws, ensuring data security, confidentiality, and proper handling throughout the service provision.
The Controller is a US-based e-commerce company that collects customer personal information for online sales, while the Processor is a third-party cloud service provider handling data storage and analytics.
This DPA is necessitated by the Controller outsourcing data processing tasks to the Processor to support efficient business operations and scale their platform.
2. DEFINITIONS
For the purposes of this Agreement, the following terms shall have the meanings ascribed to them below.
"Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It includes, but is not limited to, names, email addresses, phone numbers, IP addresses, and payment information of website users, but excludes publicly available information and deidentified or aggregate consumer information.
"Processing" (and its cognates) means any operation or set of operations performed on Personal Information, whether or not by automated means, such as the collection, use, storage, disclosure, analysis, deletion, or modification of Personal Information.
"Controller" means the business that determines the purposes and means of Processing of Personal Information. In this Agreement, the Controller is the business.
"Processor" or "Service Provider" means the service provider that Processes Personal Information on behalf of and at the direction of the Controller and does not determine the purposes and means of such Processing. The Processor acts as a Service Provider under CCPA/CPRA and a Processor under other applicable state laws.
"Consumer" or "Data Subject" means a natural person who is a California resident or resident of another US state with applicable privacy rights, to whom the Personal Information relates, including customers, employees, and website visitors.
"Sub-processor" or "Subcontractor" means any third party engaged by the Processor to Process Personal Information on behalf of the Controller.
"Sell" or "Sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information by the business to a third party for monetary or other valuable consideration.
"Sharing" means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
"Sensitive Personal Information" means Personal Information that reveals a Consumer’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to the account; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information processed for the purpose of unique identification; health information; or information about a Consumer’s sex life or sexual orientation. It also includes any other category of Personal Information designated as sensitive under applicable state laws.
"Risk Assessment" means a privacy impact assessment or data protection impact assessment as required under laws such as the CPRA, CDPA, CPA, or CTDPA, which identifies and evaluates risks to consumer privacy arising from a Processing activity.
"Do Not Sell or Share" means the link or method by which Consumers may exercise their right to opt out of the Sale or Sharing of their Personal Information.
Any references to the GDPR or EU-specific terms are only applicable if Personal Information of EU data subjects is involved; otherwise, this DPA is governed solely by US state privacy laws.
3. SCOPE AND PURPOSE
This Agreement applies to all Processing of Personal Information by the Processor on behalf of the Controller in the United States.
The Processor is authorized to Process the following categories of Personal Information: names, email addresses, phone numbers, IP addresses, and payment information. If any Sensitive Personal Information is involved, it shall be explicitly listed and subject to additional protections.
The categories of Consumers whose Personal Information will be Processed include customers, employees, and website visitors who are US residents.
The purposes of Processing are limited to order fulfillment, customer support, analytics, and marketing communications, all as documented in the Underlying Agreement and this DPA. Any other purposes require prior written consent from the Controller.
The Processor shall process Personal Information only on documented instructions from the Controller, which may be specific or general. The Processor shall inform the Controller if it believes an instruction infringes applicable law. The Processor shall not Process Personal Information for its own purposes or outside the scope of the documented instructions.
The Processor is expressly prohibited from Selling or Sharing Personal Information without the Controller’s explicit written authorization. The Processor shall not combine the Controller’s Personal Information with other data in a manner that would constitute a Sale or Sharing under applicable law.
Data Minimization. The Processor shall only collect, use, retain, and disclose the minimum amount of Personal Information necessary to achieve the documented purposes. The Processor shall not retain Personal Information longer than necessary to fulfill the purposes for which it was collected or as permitted by applicable law.
Purpose Limitation. The Processor shall Process Personal Information solely for the specific purposes set forth in this Section 3 and the Data Processing Instructions (Section 5) and shall not Process it for any other purpose without the Controller’s prior written consent.
4. DURATION
This DPA shall become effective on the date it is executed by both parties and shall remain in effect for the term of the Underlying Agreement, including any renewal terms.
The data processing activities under this DPA shall commence upon the effective date of the Underlying Agreement or as otherwise specified therein.
The obligations set forth in this DPA shall survive termination or expiration of the Underlying Agreement until all Personal Information has been returned to the Controller or securely deleted in accordance with Section 14 (Return or Deletion of Data).
Either party may terminate this DPA in accordance with the termination provisions of the Underlying Agreement. Upon termination, the provisions of Section 14 (Return or Deletion of Data) shall apply.
5. DATA PROCESSING INSTRUCTIONS
The Processor shall process the following categories of Personal Information: names, email addresses, phone numbers, IP addresses, and payment information.
Such Personal Information pertains to the following categories of Consumers: customers, employees, and website visitors.
The Processor shall process the Personal Information solely for the following purposes: order fulfillment, customer support, analytics, and marketing communications.
The Processor is authorized to perform the following processing activities: collection, storage, use, and deletion.
The Processor shall retain the Personal Information only as long as necessary to fulfill the purposes outlined herein or as required by applicable law, but in no event longer than twenty-four (24) months unless otherwise instructed by the Controller in writing.
The Processor shall process Personal Information only on documented instructions from the Controller, unless required to do so by applicable law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
6. NO SALE OR SHARING OF PERSONAL INFORMATION
The Processor shall not Sell or Share any Personal Information it Processes on behalf of the Controller. The Processor acknowledges that it receives Personal Information solely as a Service Provider and not for its own commercial purposes.
The Processor shall not combine the Personal Information received from or on behalf of the Controller with Personal Information it receives from or on behalf of another person or persons, or collects from its own interaction with the Consumer, in a way that would constitute Selling or Sharing under the CCPA/CPRA or other applicable state laws.
The Processor shall implement technical and organizational measures to ensure compliance with this prohibition, including but not limited to contractual restrictions on further transfers and internal policies prohibiting unauthorized use or disclosure.
If the Processor becomes aware of any actual or potential Sale or Sharing, it shall immediately notify the Controller and take all necessary steps to remediate the issue at its own expense.
7. DATA PROCESSOR OBLIGATIONS
The Processor shall comply with all applicable US state privacy laws, including the CCPA/CPRA, CDPA, CPA, CTDPA, and UCPA. The Processor shall Process Personal Information only for the documented purposes and not for the Processor’s own purposes or for any other commercial purpose.
The Processor shall adhere to the principles of data minimization and accuracy by ensuring that Personal Information is adequate, relevant, and limited to what is necessary, and that it is kept accurate and up to date where applicable.
As a Service Provider under the CCPA/CPRA, the Processor shall not Sell or Share Personal Information, shall not retain, use, or disclose Personal Information for any purpose other than those specified in the documented instructions (including retaining, using, or disclosing it for a commercial purpose other than providing the services), and shall not combine it with other data except as permitted.
The Processor shall promptly inform the Controller if it is unable to comply with any instructions or if, in its opinion, an instruction infringes applicable law.
The Processor shall maintain accurate records of all Processing activities carried out on behalf of the Controller, including the categories of Personal Information Processed, purposes of Processing, and categories of recipients. Such records shall be made available to the Controller upon reasonable request.
The Processor shall ensure that all persons authorized to Process Personal Information are subject to confidentiality obligations and have received appropriate training.
8. SUBPROCESSING
The Processor shall not engage any Sub-processor without the Controller’s prior written consent, which may be given on a general or specific basis.
The Processor shall maintain an up-to-date list of all Sub-processors and shall provide such list to the Controller upon request.
The Processor shall notify the Controller in writing at least thirty (30) days in advance of any intended addition or replacement of a Sub-processor.
The Controller shall have the right to object to the use of a new Sub-processor within fifteen (15) business days of receiving notice. If the Controller objects, the Processor shall not engage the Sub-processor or shall provide an alternative.
The Processor shall enter into a written agreement with each Sub-processor that imposes obligations on the Sub-processor that are substantially similar to those imposed on the Processor under this DPA, including obligations regarding data minimization, purpose limitation, prohibitions on Sale and Sharing, and compliance with US state privacy laws.
The Processor shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations.
9. DATA SUBJECT RIGHTS
The Processor shall provide reasonable assistance to the Controller, at the Controller’s expense, in responding to verifiable Consumer requests to exercise rights under applicable US state privacy laws, including the rights to know/access, delete, correct inaccurate Personal Information, opt-out of the Sale or Sharing of Personal Information, limit the use and disclosure of Sensitive Personal Information, and non-discrimination for exercising these rights.
The Processor shall notify the Controller without undue delay if it receives a request from a Consumer and shall not respond to such request except on the documented instructions of the Controller or as required by applicable law.
The Processor shall assist the Controller in verifying the identity of the Consumer making a request using reasonable and appropriate methods consistent with the sensitivity of the Personal Information.
The Processor shall fulfill its obligations under this Section within timeframes that allow the Controller to respond within the deadlines required by applicable law (typically forty-five (45) days from receipt of a verifiable Consumer request, extendable once by a further forty-five (45) days where reasonably necessary).
Any Consumer requests that the Processor cannot fulfill directly shall be forwarded to the Controller. Notifications shall be sent to privacy@controllercompany.com.
The Processor shall maintain records of all Consumer requests and its responses for at least twenty-four (24) months or as required by law.
10. DATA SECURITY
The Processor shall implement and maintain a comprehensive written information security program that includes appropriate administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Personal Information. Such measures shall be consistent with industry standards and shall meet or exceed the requirements of the CCPA/CPRA and other applicable US state privacy and data breach notification laws.
The Processor shall implement appropriate technical and organizational measures, including but not limited to encryption of Personal Information at rest and in transit, role-based access controls, secure data disposal methods, and network security controls.
The Processor shall regularly test and evaluate the effectiveness of its safeguards, including conducting vulnerability scans and penetration testing at least annually or as appropriate to the risk.
The Processor shall provide appropriate data security and privacy training to its employees and contractors who have access to Personal Information at least annually.
The Processor shall maintain an up-to-date incident response plan for Personal Information breaches and shall review and update it at least annually.
11. DATA BREACH NOTIFICATION
The Processor shall notify the Controller without undue delay, and in no event later than thirty (30) days, after becoming aware of any security incident resulting in unauthorized access to, or acquisition, disclosure, alteration, or destruction of, Personal Information (or within such shorter period as may be required to enable the Controller to comply with its own notification obligations under applicable law).
The notification shall include, at a minimum: (i) the nature of the incident, including where possible the categories and approximate number of Consumers and records concerned; (ii) a description of the likely consequences of the incident; (iii) the measures taken or proposed to be taken to address the incident, including measures to mitigate its possible adverse effects; (iv) the categories of Personal Information involved; (v) the name and contact information of the Processor’s representative; and (vi) any other information required by applicable state breach notification laws.
The Processor shall cooperate with the Controller in investigating the breach, implementing reasonable remediation measures, and, at the Controller’s direction and expense, assisting with any required notifications to affected Consumers, regulators, or other parties.
The Processor shall conduct a root cause analysis of the breach, implement measures to prevent recurrence, and provide a report of such analysis and remediation to the Controller upon request.
12. RISK ASSESSMENTS
Where required by applicable law (such as under the CPRA, CDPA, CPA, or CTDPA), the Controller is responsible for conducting Risk Assessments or Privacy Impact Assessments for Processing activities that present a heightened risk of harm to Consumers’ privacy.
The Processor shall provide the Controller with all reasonably requested information and assistance to facilitate the Controller’s completion of any such Risk Assessment, including details regarding the Processor’s security measures, data flows, and Sub-processors.
The designated contact for assistance with Risk Assessments is the Processor’s Privacy Officer, reachable at privacy@processorcompany.com. The Processor shall respond to such requests within ten (10) business days or as otherwise agreed.
The Processor shall conduct its own internal risk assessments as necessary to ensure compliance with its obligations under this DPA and applicable law.
13. AUDIT AND INSPECTION
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
The Controller may audit the Processor’s compliance with this DPA no more than once per calendar year, unless the Controller has reasonable grounds to suspect non-compliance, in which case additional audits may be conducted.
The Controller shall provide at least thirty (30) days’ prior written notice of any audit. Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor’s business operations.
The Processor may satisfy an audit request by providing a copy of a current SOC 2 Type II report, ISO 27001 certification, or other relevant third-party audit report, provided it covers the relevant Processing activities. If such a report is insufficient, the parties shall agree on the scope of an on-site audit.
The Controller shall bear all costs associated with any audit unless the audit reveals a material non-compliance by the Processor, in which case the Processor shall reimburse the Controller for its reasonable audit costs.
All information obtained during an audit shall be treated as confidential and used solely for the purpose of verifying compliance with this DPA. Audit findings shall not be disclosed to third parties without the Processor’s prior written consent, except as required by law.
14. RETURN OR DELETION OF DATA
Upon termination or expiration of this DPA or the Underlying Agreement, or at any time upon the Controller’s written request, the Processor shall, at the Controller’s choice, either return to the Controller or securely delete all Personal Information in its possession or control.
The Processor shall delete all copies of Personal Information, including backups and archival copies, within thirty (30) days of the Controller’s request or termination, unless retention is required by applicable law.
If retention is required by law, the Processor shall inform the Controller of the retention requirement, securely isolate the data, and continue to protect it in accordance with this DPA until deletion is permitted. The Processor shall provide written certification of deletion to the Controller upon completion.
The Processor shall immediately cease all Processing of Personal Information upon termination of this DPA, except as necessary to return or delete the data.
This example shows approximately 70% of a typical document and is provided for illustrative purposes only. The remaining content has been omitted.
Every document generated by Docaro is tailored to your specific circumstances, jurisdiction and the information you provide. The completed document includes all applicable clauses and provisions required for your situation.
To generate the full, personalised document, answer a short series of questions and your document will be created instantly.