Docaro

AI Generated American Data Processing Agreement
PDF & Word - 2026 Updated

Generate a customized AI-powered Data Processing Agreement tailored for US businesses to ensure GDPR and CCPA compliance in data handling and privacy protection.
Free instant document creation.
Tailored to United States law.
No sign up or monthly subscription.
Example of a Data Processing Agreement for use in the United States generated by our AI model.
Example Data Processing Agreement Produced by Docaro

Docaro Pricing

Basic
Free
Document Generation
No Sign Up
No Subscription
Download Watermarked PDF
Premium
$4.99 USD
Document Generation
No Sign Up
No Subscription
Download Clean PDF
Download Microsoft Word
Download HTML
Download Text
Email Document
Generate your document for free. Only pay if you like the result and need an un-watermarked version.

When Do You Need a Data Processing Agreement in the United States?

Sharing Data with Service Providers
You need this agreement when you hire companies to handle customer data on your behalf, ensuring they protect it properly.
Complying with Privacy Laws
It's required under laws like the California Consumer Privacy Act (CCPA) to outline how data processors manage and secure personal information.
Preventing Data Breaches
A solid agreement sets clear rules for data handling, reducing the risk of leaks or misuse.
Building Trust with Customers
Having this document shows you're serious about privacy, helping maintain customer confidence and avoiding legal issues.
Avoiding Costly Penalties
Without it, you could face fines or lawsuits for not following data protection requirements.

American Legal Rules for a Data Processing Agreement

What It Covers
A data processing agreement outlines how one party handles personal data on behalf of another, mainly guided by state privacy laws like California's Consumer Privacy Act.
Key Roles
It defines the controller, who decides on data use, and the processor, who manages the data, ensuring clear responsibilities.
Security Requirements
The processor must protect data with reasonable safeguards to prevent unauthorized access or breaches.
Data Handling Limits
Processors can only use data as instructed by the controller and must not share it without permission.
Subcontractor Rules
Any third parties involved in processing must agree to the same terms and standards.
Breach Notification
The processor must quickly inform the controller of any data incidents that could affect privacy.
Data Deletion
Upon ending the agreement, the processor must return or securely delete all data as requested.
State Variations
Rules can differ by state, so check specific laws where your business operates.
Not Federal Law
Unlike Europe's strict GDPR, the US relies on state laws and sector-specific rules rather than one nationwide standard.
Important

Using the wrong structure for a data processing agreement can lead to non-compliance with applicable data protection laws and expose parties to legal liabilities.

What a Proper Data Processing Agreement Should Include

  • Roles and Responsibilities
    Clearly defines who is the data controller (decides how data is used) and who is the data processor (handles the data on behalf of the controller).
  • Data Processing Details
    Specifies what personal data will be processed, for what purposes, and how it will be handled.
  • Security Measures
    Requires the processor to implement strong protections to keep data safe from unauthorized access or breaches.
  • Data Sharing Limits
    Prohibits the processor from sharing data with third parties without the controller's permission.
  • Breach Notification
    Mandates quick reporting to the controller if a data breach occurs.
  • Data Deletion Rules
    Instructs the processor to securely delete or return data when the agreement ends or when no longer needed.
  • Audits and Compliance Checks
    Allows the controller to review the processor's practices to ensure they follow data protection laws.
  • Sub-processor Management
    Outlines rules for the processor if they need to use another company to help with data tasks.

Generate Your Document in 4 Easy Steps

1. Answer a Few Questions
Our AI guides you through the information required.
2. Generate Your Document
Docaro builds a bespoke document tailored specifically to your requirements.
3. Review & Edit
Review your document and request any further changes.
4. Download & Sign
Download your ready-to-sign document as a PDF, Microsoft Word, TXT or HTML.

Why Use Docaro?

Fast Generation
Quickly generate a comprehensive Data Processing Agreement, eliminating the hassle and time associated with traditional document drafting.
Guided Process
Our user-friendly platform guides you step by step through each section of the document, providing context and guidance to ensure you provide all the necessary information for a complete and accurate Data Processing Agreement.
Safer Than Legal Templates
We never use legal templates. All documents are generated from first principles clause by clause, ensuring that your document is bespoke and tailored specifically to the information you provide. This results in a much safer and more accurate document than any legal template could provide.
Professionally Formatted
Your Data Processing Agreement will be formatted to professional standards, including headings, clause numbers and structured layout. No further editing is required. Download your document in PDF, Microsoft Word, TXT or HTML.
Tailored to American Law
Our AI model considers the latest legal standards and regulations of the United States during the drafting process.
Cost-Effective
Generate and download a watermarked version of your document for free. Pay only if you want to remove the watermark and gain full access to your document. No monthly subscriptions or hidden fees. Pay once and use your document forever.
No Sign Up or Monthly Subscription Required
No payment or sign up is required to start generating your Data Processing Agreement.

Free Example Data Processing Agreement Template

Below is a free template example of a Data Processing Agreement for use in the United States generated by our AI model.

The clauses in your actual Data Processing Agreement will vary from this example as they will be entirely bespoke to your requirements as set out in the questionnaire you complete.

Data Processing Agreement

1
RECITALS

1.1

This Data Processing Agreement (the "DPA") is entered into as of 2024-01-01 by and between the Controller and the Processor and supplements the Master Services Agreement dated January 1, 2024 (the "Underlying Agreement").

1.2

In the event of any conflict between the terms of this DPA and the Underlying Agreement with respect to data processing, this DPA shall take precedence.

1.3

The parties intend for this DPA to ensure compliance with all applicable US state privacy laws, including but not limited to the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (CDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and any other similar US state laws that may become applicable.

1.4

The primary purpose of this DPA is to outline the terms under which the Processor will process personal information on behalf of the Controller in compliance with applicable US data privacy laws, ensuring data security, confidentiality, and proper handling throughout the service provision.

1.5

The Controller is a US-based e-commerce company that collects customer personal information for online sales, while the Processor is a third-party cloud service provider handling data storage and analytics.

1.6

This DPA is necessitated by the Controller outsourcing data processing tasks to the Processor to support efficient business operations and scale their platform.

2
DEFINITIONS

2.1

For the purposes of this Agreement, the following terms shall have the meanings ascribed to them below.

2.2

"Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It includes, but is not limited to, names, email addresses, phone numbers, IP addresses, and payment information of website users, but excludes publicly available information and deidentified or aggregate consumer information.

2.3

"Processing" (and its cognates) means any operation or set of operations performed on Personal Information, whether or not by automated means, such as the collection, use, storage, disclosure, analysis, deletion, or modification of Personal Information.

2.4

"Controller" means the business that determines the purposes and means of Processing of Personal Information. In this Agreement, the Controller is the business.

2.5

"Processor" or "Service Provider" means the service provider that Processes Personal Information on behalf of and at the direction of the Controller and does not determine the purposes and means of such Processing. The Processor acts as a Service Provider under CCPA/CPRA and a Processor under other applicable state laws.

2.6

"Consumer" or "Data Subject" means a natural person who is a California resident or resident of another US state with applicable privacy rights, to whom the Personal Information relates, including customers, employees, and website visitors.

2.7

"Sub-processor" or "Subcontractor" means any third party engaged by the Processor to Process Personal Information on behalf of the Controller.

2.8

"Sell" or "Sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information by the business to a third party for monetary or other valuable consideration.

2.9

"Sharing" means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

2.10

"Sensitive Personal Information" means Personal Information that reveals a Consumer’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number with any required security or access code; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information for unique identification; health information; or information about a Consumer’s sex life or sexual orientation. It also includes government-issued identifiers, financial account information, precise geolocation data, and other categories as defined under applicable state laws.

2.11

"Risk Assessment" means a privacy impact assessment or data protection impact assessment as required under laws such as the CPRA, CDPA, CPA, CTDPA, or UCPA, which identifies and evaluates risks to consumer privacy.

2.12

"Do Not Sell or Share" means the link or method by which Consumers may exercise their right to opt out of the Sale or Sharing of their Personal Information.

2.13

Any references to the GDPR or EU-specific terms are only applicable if Personal Information of EU data subjects is involved; otherwise, this DPA is governed solely by US state privacy laws.

3
SCOPE AND PURPOSE

3.1

This Agreement applies to all Processing of Personal Information by the Processor on behalf of the Controller in the United States.

3.2

The Processor is authorized to Process the following categories of Personal Information: names, email addresses, phone numbers, IP addresses, and payment information. If any Sensitive Personal Information is involved, it shall be explicitly listed and subject to additional protections.

3.3

The categories of Consumers whose Personal Information will be Processed include customers, employees, and website visitors who are US residents.

3.4

The purposes of Processing are limited to order fulfillment, customer support, analytics, and marketing communications, all as documented in the Underlying Agreement and this DPA. Any other purposes require prior written consent from the Controller.

3.5

The Processor shall process Personal Information only on documented instructions from the Controller, which may be specific or general. The Processor shall inform the Controller if it believes an instruction infringes applicable law. The Processor shall not Process Personal Information for its own purposes or outside the scope of the documented instructions.

3.6

The Processor is expressly prohibited from Selling or Sharing Personal Information without the Controller’s explicit written authorization. The Processor shall not combine the Controller’s Personal Information with other data in a manner that would constitute a Sale or Sharing under applicable law.

3.7

Data Minimization. The Processor shall only collect, use, retain, and disclose the minimum amount of Personal Information necessary to achieve the documented purposes. The Processor shall not retain Personal Information longer than necessary to fulfill the purposes for which it was collected or as permitted by applicable law.

3.8

Purpose Limitation. The Processor shall Process Personal Information solely for the specific purposes set forth in this Section 3 and the Data Processing Instructions (Section 5) and shall not Process it for any other purpose without the Controller’s prior written consent.

4
DURATION

4.1

This DPA shall become effective on the date it is executed by both parties and shall remain in effect for the term of the Underlying Agreement, including any renewal terms.

4.2

The data processing activities under this DPA shall commence upon the effective date of the Underlying Agreement or as otherwise specified therein.

4.3

The obligations set forth in this DPA shall survive termination or expiration of the Underlying Agreement until all Personal Information has been returned to the Controller or securely deleted in accordance with Section 13.

4.4

Either party may terminate this DPA in accordance with the termination provisions of the Underlying Agreement. Upon termination, the provisions of Section 13 (Return or Deletion of Data) shall apply.

5
DATA PROCESSING INSTRUCTIONS

5.1

The Processor shall process the following categories of Personal Information: names, email addresses, phone numbers, and payment information.

5.2

Such Personal Information pertains to the following categories of Consumers: customers, employees, and website visitors.

5.3

The Processor shall process the Personal Information solely for the following purposes: order fulfillment, customer support, and marketing communications.

5.4

The Processor is authorized to perform the following processing activities: collection, storage, use, and deletion.

5.5

The Processor shall retain the Personal Information only as long as necessary to fulfill the purposes outlined herein or as required by applicable law, but in no event longer than twenty-four (24) months unless otherwise instructed by the Controller in writing.

5.6

The Processor shall process Personal Information only on documented instructions from the Controller, unless required to do so by applicable law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

6
NO SALE OR SHARING OF PERSONAL INFORMATION

6.1

The Processor shall not Sell or Share any Personal Information it Processes on behalf of the Controller. The Processor acknowledges that it receives Personal Information solely as a Service Provider and not for its own commercial purposes.

6.2

The Processor shall not combine the Personal Information received from or on behalf of the Controller with Personal Information it receives from or on behalf of another person or persons, or collects from its own interaction with the Consumer, in a way that would constitute Selling or Sharing under the CCPA/CPRA or other applicable state laws.

6.3

The Processor shall implement technical and organizational measures to ensure compliance with this prohibition, including but not limited to contractual restrictions on further transfers and internal policies prohibiting unauthorized use or disclosure.

6.4

If the Processor becomes aware of any actual or potential Sale or Sharing, it shall immediately notify the Controller and take all necessary steps to remediate the issue at its own expense.

7
DATA PROCESSOR OBLIGATIONS

7.1

The Processor shall comply with all applicable US state privacy laws, including the CCPA/CPRA, CDPA, CPA, CTDPA, and UCPA. The Processor shall Process Personal Information only for the documented purposes and not for the Processor’s own purposes or for any other commercial purpose.

7.2

The Processor shall adhere to the principles of data minimization and accuracy by ensuring that Personal Information is adequate, relevant, and limited to what is necessary, and that it is kept accurate and up to date where applicable.

7.3

As a Service Provider under the CCPA/CPRA, the Processor shall not Sell or Share Personal Information, shall not retain, use, or disclose Personal Information for any purpose other than those specified in the documented instructions (including retaining, using, or disclosing it for a commercial purpose other than providing the services), and shall not combine it with other data except as permitted.

7.4

The Processor shall promptly inform the Controller if it is unable to comply with any instructions or if, in its opinion, an instruction infringes applicable law.

7.5

The Processor shall maintain accurate records of all Processing activities carried out on behalf of the Controller, including the categories of Personal Information Processed, purposes of Processing, and categories of recipients. Such records shall be made available to the Controller upon reasonable request.

7.6

The Processor shall ensure that all persons authorized to Process Personal Information are subject to confidentiality obligations and have received appropriate training.

8
SUBPROCESSING

8.1

The Processor shall not engage any Sub-processor without the Controller’s prior written consent, which may be given on a general or specific basis.

8.2

The Processor shall maintain an up-to-date list of all Sub-processors and shall provide such list to the Controller upon request.

8.3

The Processor shall notify the Controller in writing at least thirty (30) days in advance of any intended addition or replacement of a Sub-processor.

8.4

The Controller shall have the right to object to the use of a new Sub-processor within fifteen (15) business days of receiving notice. If the Controller objects, the Processor shall not engage the Sub-processor or shall provide an alternative.

8.5

The Processor shall enter into a written agreement with each Sub-processor that imposes obligations on the Sub-processor that are substantially similar to those imposed on the Processor under this DPA, including obligations regarding data minimization, purpose limitation, prohibitions on Sale and Sharing, and compliance with US state privacy laws.

8.6

The Processor shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations.

9
DATA SUBJECT RIGHTS

9.1

The Processor shall provide reasonable assistance to the Controller, at the Controller’s expense, in responding to verifiable Consumer requests to exercise rights under applicable US state privacy laws, including the rights to know/access, delete, correct inaccurate Personal Information, opt out of the Sale or Sharing of Personal Information, limit the use and disclosure of Sensitive Personal Information, and non-discrimination for exercising these rights.

9.2

The Processor shall notify the Controller without undue delay if it receives a request from a Consumer and shall not respond to such request except on the documented instructions of the Controller or as required by applicable law.

9.3

The Processor shall assist the Controller in verifying the identity of the Consumer making a request using reasonable and appropriate methods consistent with the sensitivity of the Personal Information.

9.4

The Processor shall fulfill its obligations under this Section within the timelines required by applicable law (typically forty-five (45) days, extendable by another forty-five (45) days where reasonably necessary).

9.5

Any Consumer requests that the Processor cannot fulfill directly shall be forwarded to the Controller. Notifications shall be sent to privacy@controllercompany.com.

9.6

The Processor shall maintain records of all Consumer requests and its responses for at least twenty-four (24) months or as required by law.

10
DATA SECURITY

10.1

The Processor shall implement and maintain a comprehensive written information security program that includes appropriate administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Personal Information. Such measures shall be consistent with industry standards and shall meet or exceed the requirements of the CCPA/CPRA and other applicable US state privacy and data breach notification laws.

10.2

The Processor shall implement appropriate technical and organizational measures, including but not limited to encryption of Personal Information at rest and in transit, role-based access controls, secure data disposal methods, and network security controls.

10.3

The Processor shall regularly test and evaluate the effectiveness of its safeguards, including conducting vulnerability scans and penetration testing at least annually or as appropriate to the risk.

10.4

The Processor shall provide appropriate data security and privacy training to its employees and contractors who have access to Personal Information at least annually.

10.5

The Processor shall maintain an up-to-date incident response plan for Personal Information breaches and shall review and update it at least annually.

11
DATA BREACH NOTIFICATION

11.1

The Processor shall notify the Controller without undue delay and in no event later than thirty (30) days after becoming aware of a Security Incident or Data Breach involving Personal Information (or such shorter period as may be required to enable the Controller to comply with its own notification obligations under applicable law).

11.2

The notification shall include, at a minimum: (i) the nature of the incident, including where possible the categories and approximate number of Consumers and records concerned; (ii) a description of the likely consequences of the incident; (iii) the measures taken or proposed to be taken to address the incident, including measures to mitigate its possible adverse effects; (iv) the categories of Personal Information involved; (v) the name and contact information of the Processor’s representative; and (vi) any other information required by applicable state breach notification laws.

11.3

The Processor shall cooperate with the Controller in investigating the breach, implementing reasonable remediation measures, and, at the Controller’s direction and expense, assisting with any required notifications to affected Consumers, regulators, or other parties.

11.4

The Processor shall conduct a root cause analysis of the breach, implement measures to prevent recurrence, and provide a report of such analysis and remediation to the Controller upon request.

12
RISK ASSESSMENTS

12.1

Where required by applicable law (such as under the CPRA, CDPA, CPA, CTDPA, or UCPA), the Controller is responsible for conducting Risk Assessments or Privacy Impact Assessments for Processing activities that present a significant risk to Consumers’ privacy.

12.2

The Processor shall provide the Controller with all reasonably requested information and assistance to facilitate the Controller’s completion of any such Risk Assessment, including details regarding the Processor’s security measures, data flows, and Sub-processors.

12.3

The designated contact for assistance with Risk Assessments is the Processor’s Privacy Officer, reachable at privacy@processorcompany.com. The Processor shall respond to such requests within ten (10) business days or as otherwise agreed.

12.4

The Processor shall conduct its own internal risk assessments as necessary to ensure compliance with its obligations under this DPA and applicable law.

13
AUDIT AND INSPECTION

13.1

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

13.2

The Controller may audit the Processor’s compliance with this DPA no more than once per calendar year, unless the Controller has reasonable grounds to suspect non-compliance, in which case additional audits may be conducted.

13.3

The Controller shall provide at least thirty (30) days’ prior written notice of any audit. Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor’s business operations.

13.4

The Processor may satisfy an audit request by providing a copy of a current SOC 2 Type II report, ISO 27001 certification, or other relevant third-party audit report, provided it covers the relevant Processing activities. If such a report is insufficient, the parties shall agree on the scope of an on-site audit.

13.5

The Controller shall bear all costs associated with any audit unless the audit reveals a material non-compliance by the Processor, in which case the Processor shall reimburse the Controller for its reasonable audit costs.

13.6

All information obtained during an audit shall be treated as confidential and used solely for the purpose of verifying compliance with this DPA. Audit findings shall not be disclosed to third parties without the Processor’s prior written consent, except as required by law.

14
RETURN OR DELETION OF DATA

14.1

Upon termination or expiration of this DPA or the Underlying Agreement, or at any time upon the Controller’s written request, the Processor shall, at the Controller’s choice, either return to the Controller or securely delete all Personal Information in its possession or control.

14.2

The Processor shall delete all copies of Personal Information, including backups and archival copies, within thirty (30) days of the Controller’s request or termination, unless retention is required by applicable law.

14.3

If retention is required by law, the Processor shall inform the Controller of the retention requirement, securely isolate the data, and continue to protect it in accordance with this DPA until deletion is permitted. The Processor shall provide written certification of deletion to the Controller upon completion.

14.4

The Processor shall immediately cease all Processing of Personal Information upon termination of this DPA, except as necessary to return or delete the data.

This example shows approximately 70% of a typical document and is provided for illustrative purposes only. The remaining content has been omitted.

Every document generated by Docaro is tailored to your specific circumstances, jurisdiction and the information you provide. The completed document includes all applicable clauses and provisions required for your situation.

To generate the full, personalised document, answer a short series of questions and your document will be created instantly.

Useful Resources When Considering a Data Processing Agreement in the United States

Security Rule Guidance Material
Privacy Framework | NIST
Fact Sheet 42 CFR Part 2 Final Rule
BOD 26-04: Prioritizing Security Updates Based on Risk

United States Reference Legislation

The following legislation is relevant to the generation of a Data Processing Agreement in the United States:
The CCPA regulates the collection, use, and disclosure of personal information by businesses, requiring data processing agreements with service providers to ensure compliance with consumer privacy rights.
While not US law, GDPR applies extraterritorially to US companies processing EU residents' data and mandates data processing agreements outlining processor obligations for data protection.

Data Processing Agreement FAQs

A Data Processing Agreement (DPA) is a legal contract between a data controller and a data processor that outlines how personal data will be handled, protected, and processed in compliance with applicable US privacy laws, such as the California Consumer Privacy Act (CCPA) or state-specific regulations. It ensures data security and accountability in business relationships.

Document Generation FAQs

Docaro is an AI-powered legal and corporate document generator that helps you create fully formatted, legal contracts and agreements in minutes. Just answer a few guided questions and download your document instantly.