Data Processing Addendum - Comprehensive
DPA Effective Date: [__/__/____]
DPA Number: [________________________________]
PARTIES
Controller / Customer ("Controller"):
| Field | Details |
|---|---|
| Legal Name | [________________________________] |
| Address | [________________________________] |
| Country | [________________________________] |
| Data Protection Officer / Privacy Contact | [________________________________] |
| DPO / Contact Email | [________________________________] |
Processor / Provider ("Processor"):
| Field | Details |
|---|---|
| Legal Name | [________________________________] |
| Address | [________________________________] |
| Country | [________________________________] |
| Data Protection Officer / Privacy Contact | [________________________________] |
| DPO / Contact Email | [________________________________] |
RECITALS
WHEREAS, Controller and Processor have entered into that certain Master Agreement dated [__/__/____] (the "Master Agreement"), pursuant to which Processor provides certain services (the "Services") to Controller;
WHEREAS, the provision of Services requires Processor to process Personal Data on behalf of Controller, and the Parties desire to establish the terms governing such processing;
WHEREAS, this Data Processing Addendum is intended to satisfy the requirements of GDPR Article 28 for processor agreements, comply with applicable US state privacy laws (including the CCPA/CPRA), and address international data transfer requirements; and
WHEREAS, this DPA supplements and is incorporated into the Master Agreement.
NOW, THEREFORE, the Parties agree as follows:
TABLE OF CONTENTS
- Reference to Master Agreement and Order of Precedence
- Definitions
- Scope of Processing
- Processor Obligations
- Controller Instructions
- Sub-processor Management
- Data Subject Rights
- International Data Transfers
- Data Security Measures
- Data Breach Notification
- Data Protection Impact Assessment Assistance
- Audit Rights
- Return and Deletion of Data
- Liability and Indemnification
- US State Privacy Law Compliance
- General Provisions
- Signatures
- Annex I -- Processing Details
- Annex II -- Technical and Organizational Security Measures
- Annex III -- Approved Sub-processor List
- Annex IV -- Standard Contractual Clauses Reference
1. REFERENCE TO MASTER AGREEMENT AND ORDER OF PRECEDENCE
1.1 This Data Processing Addendum ("DPA") supplements the Master Agreement dated [__/__/____]. Capitalized terms not defined herein have meanings from the Master Agreement.
1.2 In the event of conflict between this DPA and the Master Agreement on data protection or privacy matters, this DPA prevails. On all other matters, the Master Agreement controls.
1.3 This DPA remains in effect for the duration of the Master Agreement and for so long thereafter as Processor retains any Personal Data.
2. DEFINITIONS
2.1 "Applicable Data Protection Law" means all laws and regulations relating to data protection, data privacy, and the processing of Personal Data that apply to the processing under this DPA, including but not limited to the GDPR, UK GDPR, CCPA/CPRA, and applicable US state privacy laws.
2.2 "Controller" means the Party that determines the purposes and means of the processing of Personal Data, as defined in GDPR Article 4(7). In the context of US state privacy laws, Controller also refers to the Party acting as "Business" (CCPA/CPRA) or "Controller" (state privacy laws).
2.3 "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA, including "Consumer" as defined by applicable US state privacy laws.
2.4 "EEA" means the European Economic Area.
2.5 "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1). This includes "Personal Information" as defined by the CCPA/CPRA (Cal. Civ. Code § 1798.140(v)) and equivalent terms under other Applicable Data Protection Laws.
2.6 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, as defined in GDPR Article 4(12).
2.7 "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in GDPR Article 4(2).
2.8 "Processor" means the Party that processes Personal Data on behalf of the Controller, as defined in GDPR Article 4(8). This includes "Service Provider" or "Contractor" (CCPA/CPRA) and "Processor" (state privacy laws).
2.9 "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914.
2.10 "Sub-processor" means any third party engaged by Processor to process Personal Data on Processor's behalf in connection with the Services.
2.11 "Sensitive Personal Data" or "Special Categories of Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation (GDPR Article 9), and "Sensitive Personal Information" as defined by the CCPA/CPRA and equivalent state laws.
2.12 "Supervisory Authority" means an independent public authority established by an EU/EEA Member State pursuant to GDPR Article 51, or an equivalent regulatory authority under Applicable Data Protection Law.
3. SCOPE OF PROCESSING
3.1 Processing Details Table. The details of the processing are set forth in Annex I and summarized below:
| Element | Description |
|---|---|
| Subject Matter and Purpose | [________________________________] |
| Duration of Processing | Term of the Master Agreement plus wind-down period of [____] days |
| Nature of Processing | [________________________________] |
| Categories of Data Subjects | [________________________________] |
| Types of Personal Data | [________________________________] |
| Sensitive Data (if applicable) | [________________________________] |
3.2 Categories of Data Subjects. Processing under this DPA may involve the following categories of Data Subjects (select all applicable):
☐ Employees and contractors of Controller
☐ Customers and clients of Controller
☐ End users of Controller's products or services
☐ Job applicants
☐ Business contacts and representatives
☐ Minors (under 18 years of age)
☐ Other: [________________________________]
3.3 Types of Personal Data. Processing may involve the following types of Personal Data (select all applicable):
☐ Name (first, last, middle)
☐ Contact information (email, phone, address)
☐ Government identifiers (SSN, national ID, driver's license)
☐ Date of birth / age
☐ Financial information (account numbers, payment data)
☐ Employment information (title, employer, compensation)
☐ Device identifiers and IP addresses
☐ Geolocation data
☐ Browsing history and online activity
☐ Biometric data
☐ Health or medical information
☐ Racial or ethnic origin
☐ Other: [________________________________]
3.4 Sensitive Data Safeguards. If Sensitive Personal Data is processed under this DPA, Processor shall implement the following additional safeguards:
- (a) Encryption in transit (TLS 1.2 or later) and at rest (AES-256 or an equivalent algorithm), with encryption keys managed separately from the encrypted data;
- (b) Strict access controls limited to personnel with documented need-to-know;
- (c) Enhanced logging and monitoring of all access;
- (d) Data Protection Impact Assessment support (Section 11); and
- (e) Prior written authorization from Controller before processing.
4. PROCESSOR OBLIGATIONS
4.1 Lawful Processing. Processor shall process Personal Data only in accordance with documented instructions from Controller (Section 5) and Applicable Data Protection Law.
4.2 Confidentiality. Processor shall ensure that all personnel authorized to process Personal Data are bound by contractual or statutory obligations of confidentiality.
4.3 Security. Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 9 and Annex II, in compliance with GDPR Article 32.
4.4 Records of Processing. Processor shall maintain records of all categories of processing activities carried out on behalf of Controller, as required by GDPR Article 30(2), including: (a) the names and contact details of Processor, of Controller, and of any Data Protection Officer; (b) the categories of processing carried out on behalf of Controller; (c) transfers of Personal Data to third countries or international organizations, including the safeguards relied on; and (d) a general description of the technical and organizational security measures referred to in Section 9 and Annex II.
4.5 Data Protection Officer. If required by GDPR Article 37 or other Applicable Data Protection Law, Processor shall designate a Data Protection Officer and provide contact details to Controller.
4.6 No Selling or Sharing. Processor shall not sell or share (as those terms are defined in applicable law) Personal Data received from Controller. Processor shall not retain, use, or disclose Personal Data outside the scope of the Services except as permitted by Applicable Data Protection Law.
4.7 No Combining. Processor shall not combine Personal Data received from Controller with Personal Data received from other sources except as necessary to perform the Services or as permitted by Applicable Data Protection Law.
5. CONTROLLER INSTRUCTIONS
5.1 Documented Instructions. Processor shall process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law, in which case Processor shall inform Controller of that legal requirement before processing (unless prohibited from doing so).
5.2 Instruction Conflicts. If Processor believes an instruction from Controller infringes Applicable Data Protection Law, Processor shall immediately notify Controller. Processor is not required to comply with instructions that Processor reasonably believes would violate Applicable Data Protection Law.
5.3 Additional Instructions. Controller may provide additional written instructions regarding the processing of Personal Data, provided such instructions are consistent with the Master Agreement and this DPA. If Processor determines that an additional instruction requires changes to the Services, the Parties shall negotiate in good faith regarding any additional costs or modifications.
6. SUB-PROCESSOR MANAGEMENT
6.1 General Authorization. Controller provides [general / specific] written authorization for Processor to engage Sub-processors to process Personal Data in connection with the Services.
6.2 Current Sub-processors. The list of currently authorized Sub-processors is set forth in Annex III.
6.3 New Sub-processor Notification. Processor shall provide Controller with at least [____] days (30 days recommended) prior written notice before engaging a new Sub-processor or replacing an existing Sub-processor, including the Sub-processor's name, location, services, and types of Personal Data to be processed.
6.4 Objection Right. Controller may object to the engagement of a new Sub-processor within the notice period by providing written notice of reasonable, documented grounds for the objection. If Controller objects, the Parties shall discuss the objection in good faith. If the Parties cannot resolve the objection within [____] days, Controller may terminate the affected portion of the Services without penalty.
6.5 Sub-processor Agreements. Processor shall enter into written agreements with each Sub-processor imposing data protection obligations no less protective than those in this DPA, including equivalent confidentiality, security, and processing limitation requirements.
6.6 Liability. Processor remains fully liable to Controller for the performance of each Sub-processor's obligations.
7. DATA SUBJECT RIGHTS
7.1 Assistance with Requests. Processor shall promptly assist Controller in responding to Data Subject requests to exercise their rights under Applicable Data Protection Law, including but not limited to the following rights (select all applicable):
☐ Right of Access (GDPR Art. 15; CCPA § 1798.110)
☐ Right to Rectification / Correction (GDPR Art. 16; CCPA § 1798.106)
☐ Right to Erasure / Deletion (GDPR Art. 17; CCPA § 1798.105)
☐ Right to Restriction of Processing (GDPR Art. 18)
☐ Right to Data Portability (GDPR Art. 20; CCPA § 1798.130)
☐ Right to Object (GDPR Art. 21)
☐ Right Not to be Subject to Automated Decision-Making (GDPR Art. 22)
☐ Right to Opt Out of Sale/Sharing (CCPA § 1798.120)
☐ Right to Limit Use of Sensitive Personal Information (CCPA § 1798.121)
☐ Right to Non-Discrimination (CCPA § 1798.125)
☐ Right to Appeal (applicable state privacy laws)
7.2 Response Timeline. Processor shall assist Controller in responding to Data Subject requests within the timeframes required by Applicable Data Protection Law (e.g., one month under GDPR, 45 days under CCPA/CPRA).
7.3 Direct Requests. If Processor receives a Data Subject request directly, Processor shall: (a) promptly notify Controller; (b) not respond to the request without Controller's prior authorization unless required by applicable law; and (c) if required by law to respond, provide only the minimum information required and notify Controller of the response.
8. INTERNATIONAL DATA TRANSFERS
8.1 Transfer Restrictions. Processor shall not transfer Personal Data to a country outside the EEA, UK, or Switzerland unless: (a) the transfer is to a country recognized as providing an adequate level of data protection by the European Commission (or, for transfers from the UK or Switzerland, by the UK Secretary of State or the Swiss Federal Council, respectively); (b) the transfer is subject to appropriate safeguards under GDPR Article 46 or its UK or Swiss equivalent; or (c) a derogation under GDPR Article 49 or its UK or Swiss equivalent applies.
8.2 Standard Contractual Clauses (EU). Where SCCs are required for transfers from the EEA, the Parties shall incorporate the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) as follows:
☐ Module 2: Controller to Processor
☐ Module 3: Processor to Processor
☐ Module 4: Processor to Controller (if applicable)
The SCCs are completed by reference to Annex IV.
8.3 UK Transfers. For transfers from the United Kingdom, the Parties shall use one of the following mechanisms:
☐ UK International Data Transfer Agreement (IDTA)
☐ UK Addendum to the EU SCCs (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force March 21, 2022)
8.4 Swiss Transfers. For transfers from Switzerland, the EU SCCs shall apply with the modifications required by the Swiss Federal Act on Data Protection (FADP) and guidance from the Swiss Federal Data Protection and Information Commissioner (FDPIC).
8.5 Transfer Impact Assessment. Before any transfer of Personal Data to a country that has not received an adequacy determination, Processor shall cooperate with Controller to conduct a Transfer Impact Assessment (TIA) evaluating whether the laws and practices of the receiving country, in particular those governing government access to data, prevent the transfer mechanism from providing protection essentially equivalent to that in the EEA, UK, or Switzerland. If the TIA identifies that supplementary measures are needed, Processor shall implement them before the transfer proceeds, and the Parties shall review the TIA whenever the relevant law, the Sub-processors involved, or the nature of the transfer changes.
8.6 Supplementary Measures. Where indicated by a TIA, Processor shall implement supplementary technical, contractual, and/or organizational measures, including but not limited to:
- (a) Encryption of Personal Data in transit and at rest with keys held exclusively by Controller or by an entity in the EEA/UK, such that the data importer and any authority in the receiving country cannot decrypt the data;
- (b) Pseudonymization of Personal Data;
- (c) Access controls limiting access to transferred data; and
- (d) Contractual commitments regarding government access requests.
9. DATA SECURITY MEASURES
9.1 General Obligation. Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk to the rights and freedoms of Data Subjects, in accordance with GDPR Article 32.
9.2 Minimum Security Measures. The security measures shall include, at a minimum, those set forth in Annex II and the following:
- (a) Pseudonymization and encryption of Personal Data where appropriate;
- (b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems;
- (c) The ability to restore access to Personal Data in a timely manner following a physical or technical incident;
- (d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures;
- (e) Access controls including multi-factor authentication, role-based access, and least privilege;
- (f) Network security including firewalls, IDS/IPS, and segmentation;
- (g) Vulnerability management and penetration testing;
- (h) Security awareness training for personnel;
- (i) Physical security controls for data processing facilities; and
- (j) Business continuity and disaster recovery capabilities.
9.3 Security Updates. Processor may update its security measures from time to time, provided that such updates do not materially diminish the overall level of security.
10. DATA BREACH NOTIFICATION
10.1 Notification to Controller. Processor shall notify Controller of any Personal Data Breach without undue delay and in no event later than [____] hours (48 hours recommended) after becoming aware of the breach. The notification shall include, to the extent then known:
- (a) The nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
- (b) The name and contact details of Processor's data protection officer or other contact;
- (c) The likely consequences of the breach;
- (d) The measures taken or proposed to be taken to address the breach, including measures to mitigate potential adverse effects; and
- (e) The date and time of discovery.
10.2 GDPR Regulatory Notification. Controller acknowledges its obligation under GDPR Article 33 to notify the competent Supervisory Authority within seventy-two (72) hours of becoming aware of a Personal Data Breach that is likely to result in a risk to the rights and freedoms of natural persons. Processor shall cooperate with Controller to provide all information necessary for such notification.
10.3 Data Subject Notification. Controller acknowledges its obligation under GDPR Article 34 to notify Data Subjects without undue delay when a breach is likely to result in a high risk to their rights and freedoms. Processor shall cooperate with such notification.
10.4 US State Breach Notification. Processor acknowledges that Controller may be subject to breach notification requirements under various US state laws, each with specific timelines, content requirements, and reporting obligations. Processor shall cooperate fully with Controller's compliance with all applicable state breach notification statutes.
10.5 Ongoing Updates. Processor shall provide Controller with regular updates regarding the investigation and remediation of any Personal Data Breach.
10.6 Post-Incident Report. For material breaches, Processor shall deliver a written post-incident report within [____] business days (15 recommended) of incident closure, including root cause analysis, timeline, impact assessment, remediation actions, and prevention measures.
11. DATA PROTECTION IMPACT ASSESSMENT ASSISTANCE
11.1 Processor shall provide reasonable assistance to Controller in conducting Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35 and prior consultations with Supervisory Authorities under GDPR Article 36, taking into account the nature of the processing and the information available to Processor.
11.2 Processor shall provide such assistance as may be necessary for Controller to comply with equivalent assessment obligations under US state privacy laws (e.g., CCPA/CPRA cybersecurity audit requirements, state data protection assessment requirements).
12. AUDIT RIGHTS
12.1 Information and Audit. Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and this DPA, and shall allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller, in accordance with GDPR Article 28(3)(h).
12.2 Audit Procedures. Audits shall be conducted:
- (a) No more than [____] time(s) per year (once per year recommended), except that Controller may conduct an additional audit following a Personal Data Breach or where a Supervisory Authority requires one;
- (b) With [____] business days' prior written notice;
- (c) During normal business hours;
- (d) Subject to reasonable confidentiality obligations;
- (e) Limited to the scope of this DPA; and
- (f) With cooperation from Processor's relevant personnel.
12.3 Third-Party Reports. Controller may accept relevant third-party certifications or audit reports (e.g., a SOC 2 Type II report or an ISO/IEC 27001 certificate with its Statement of Applicability) in lieu of conducting its own audit, at Controller's discretion, provided the report covers the systems and locations used to provide the Services and a period reasonably current at the time it is relied upon.
12.4 Audit Costs. Each Party bears its own audit costs, unless an audit reveals material non-compliance by Processor, in which case Processor shall bear all reasonable audit costs.
12.5 Regulatory Audits. Processor shall cooperate with any audit or investigation by a Supervisory Authority or other governmental authority relating to the processing of Personal Data under this DPA.
13. RETURN AND DELETION OF DATA
13.1 Controller Choice. Upon expiration or termination of the Master Agreement, or upon Controller's written request, Processor shall, at Controller's election:
- (a) Return all Personal Data to Controller in a commonly used, structured, machine-readable format within [____] days (30 days recommended); or
- (b) Securely delete all Personal Data in accordance with Section 13.2.
13.2 Deletion Standards. Deletion shall be conducted using methods consistent with NIST SP 800-88 Guidelines for Media Sanitization and shall render Personal Data unrecoverable. Processor shall delete Personal Data from all systems, including backups, within [____] days (90 days recommended for backup rotation) of Controller's instruction.
13.3 Certification. Processor shall provide written certification of deletion within [____] business days of completion.
13.4 Legal Retention. Processor may retain Personal Data to the extent required by Applicable Data Protection Law, provided: (a) Processor notifies Controller of such retention and the legal basis; (b) Processor processes retained data only for the purpose required by law; and (c) Processor continues to protect retained data in accordance with this DPA.
14. LIABILITY AND INDEMNIFICATION
14.1 Liability. Each Party's liability under this DPA shall be subject to the limitations of liability set forth in the Master Agreement, except as specified in this Section.
14.2 Indemnification. Processor shall indemnify, defend, and hold harmless Controller and its officers, directors, employees, and agents from and against any claims, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising from: (a) Processor's breach of this DPA; (b) Processor's violation of Applicable Data Protection Law; or (c) any Personal Data Breach caused by Processor's failure to comply with this DPA.
14.3 Limitation Carve-Outs. The following may be carved out from the Master Agreement's liability cap where negotiated:
- (a) Processor's breach of confidentiality or security obligations;
- (b) Processor's breach of restrictions on processing;
- (c) Regulatory fines or penalties resulting from Processor's non-compliance; and
- (d) Indemnification obligations under this Section.
15. US STATE PRIVACY LAW COMPLIANCE
15.1 Service Provider / Processor Status. Under the CCPA/CPRA and applicable US state privacy laws, Processor acts as a "Service Provider," "Contractor," or "Processor" (as applicable) and shall:
- (a) Process Personal Information solely for the Business Purpose described in the Master Agreement and this DPA;
- (b) Not sell or share Personal Information;
- (c) Not retain, use, or disclose Personal Information outside the scope of the Business Purpose;
- (d) Not combine Personal Information received from Controller with data from other sources except as permitted; and
- (e) Comply with all applicable requirements of the CCPA/CPRA and other state privacy laws.
15.2 Consumer Request Assistance. Processor shall assist Controller in responding to verified consumer requests (access, deletion, correction, opt-out) within applicable timeframes (45 days under CCPA/CPRA).
15.3 Sensitive Personal Information. If processing Sensitive Personal Information under US state privacy laws, Processor shall limit use and disclosure to what is necessary to perform the Services unless Controller provides documented instructions otherwise.
15.4 Flow-Down. Processor shall ensure that its Sub-processors are bound by equivalent US state privacy law obligations.
16. GENERAL PROVISIONS
16.1 Entire Agreement. This DPA (including its Annexes), together with the Master Agreement, constitutes the entire agreement between the Parties regarding the processing of Personal Data.
16.2 Amendments. This DPA may be amended only by a written instrument signed by both Parties. Processor shall notify Controller of any change to Applicable Data Protection Law that may require an amendment to this DPA.
16.3 Severability. If any provision of this DPA is held invalid or unenforceable, that provision shall be severed and the remaining provisions shall continue in full force and effect.
16.4 Governing Law. This DPA shall be governed by the law specified in the Master Agreement, subject to mandatory provisions of Applicable Data Protection Law that cannot be varied by contract.
16.5 Survival. Sections 2, 10, 12, 13, 14, and any obligations that by their nature should survive shall survive expiration or termination.
17. SIGNATURES
IN WITNESS WHEREOF, the Parties have executed this Data Processing Addendum as of the DPA Effective Date.
CONTROLLER / CUSTOMER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
PROCESSOR / PROVIDER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
ANNEX I -- PROCESSING DETAILS
A. List of Parties
Data Exporter (Controller):
| Field | Details |
|---|---|
| Name | [________________________________] |
| Address | [________________________________] |
| Contact Person | [________________________________] |
| Activities Relevant to Transfer | [________________________________] |
| Role | Controller |
Data Importer (Processor):
| Field | Details |
|---|---|
| Name | [________________________________] |
| Address | [________________________________] |
| Contact Person | [________________________________] |
| Activities Relevant to Transfer | [________________________________] |
| Role | Processor |
B. Description of Processing
| Element | Description |
|---|---|
| Categories of Data Subjects | [________________________________] |
| Categories of Personal Data | [________________________________] |
| Sensitive Data (if any) | [________________________________] |
| Frequency of Transfer | [________________________________] |
| Nature of Processing | [________________________________] |
| Purpose of Processing | [________________________________] |
| Retention Period | [________________________________] |
| Sub-processor Transfers (if any) | See Annex III |
ANNEX II -- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Processor implements the following measures (complete all applicable sections):
A. Access Control
- Multi-factor authentication: ☐ Yes ☐ No
- Role-based access control: ☐ Yes ☐ No
- Least-privilege principle: ☐ Yes ☐ No
- Regular access reviews: ☐ Yes ☐ No (Frequency: [________________________________])
- Automated deprovisioning: ☐ Yes ☐ No
B. Encryption
- Encryption in transit (TLS version): [________________________________]
- Encryption at rest (algorithm): [________________________________]
- Key management system: ☐ KMS ☐ HSM ☐ Other: [________________________________]
C. Network Security
- Firewall protection: ☐ Yes ☐ No
- IDS/IPS: ☐ Yes ☐ No
- Network segmentation: ☐ Yes ☐ No
- DDoS protection: ☐ Yes ☐ No
D. Vulnerability Management
- Vulnerability scanning frequency: [________________________________]
- Penetration testing frequency: [________________________________]
- Patch management process: ☐ Yes ☐ No
E. Logging and Monitoring
- Centralized logging (SIEM): ☐ Yes ☐ No
- Log retention period: [________________________________]
- 24/7 security monitoring: ☐ Yes ☐ No
F. Physical Security
- Data center access controls: ☐ Badge ☐ Biometric ☐ Both
- Video surveillance: ☐ Yes ☐ No
- Environmental controls: ☐ Yes ☐ No
G. Business Continuity
- RPO: [________________________________]
- RTO: [________________________________]
- Backup encryption: ☐ Yes ☐ No
- DR testing frequency: [________________________________]
H. Personnel Security
- Background checks: ☐ Yes ☐ No
- Confidentiality agreements: ☐ Yes ☐ No
- Security training frequency: [________________________________]
ANNEX III -- APPROVED SUB-PROCESSOR LIST
| Sub-processor Name | Location | Services | Data Types Processed | Date Approved |
|---|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
ANNEX IV -- STANDARD CONTRACTUAL CLAUSES REFERENCE
SCC Module Selected:
☐ Module 2: Controller to Processor
☐ Module 3: Processor to Processor
Optional Clauses:
☐ Clause 7 (Docking Clause): Included / Not Included
☐ Clause 9(a) (General Written Authorization): Option 1 (Prior specific authorization) / Option 2 (General written authorization with [____] day notice)
☐ Clause 11 (Redress): Optional language allowing Data Subjects to lodge complaints with an independent dispute resolution body included / not included
☐ Clause 17 (Governing Law): [________________________________]
☐ Clause 18 (Choice of Forum): [________________________________]
UK Transfer Mechanism:
☐ UK Addendum to EU SCCs (Version B1.0)
☐ UK International Data Transfer Agreement (IDTA)
The completed SCCs, UK Addendum, and/or IDTA are attached as a separate schedule to this DPA.
IMPLEMENTATION CHECKLIST
☐ Master Agreement referenced
☐ Party roles (Controller/Processor) confirmed
☐ Processing details completed in Annex I
☐ Categories of Data Subjects selected (Section 3.2)
☐ Types of Personal Data selected (Section 3.3)
☐ Data Subject rights identified (Section 7.1)
☐ Sub-processor authorization type selected (Section 6.1)
☐ Sub-processor list completed (Annex III)
☐ International transfer mechanism selected (Section 8.2, 8.3)
☐ Security measures documented (Annex II)
☐ Breach notification timeline agreed (Section 10.1)
☐ Data return/deletion timeline agreed (Section 13)
☐ SCC module and options selected (Annex IV)
☐ US state privacy law compliance reviewed (Section 15)
☐ All bracketed fields completed
☐ Reviewed by qualified data protection counsel
☐ Signed by authorized representatives
SOURCES AND REFERENCES
- GDPR (Regulation (EU) 2016/679) -- https://gdpr-info.eu/
- EU Standard Contractual Clauses (Decision 2021/914) -- https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
- UK International Data Transfer Agreement -- https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/
- CCPA/CPRA, Cal. Civ. Code § 1798.100 et seq. -- https://leginfo.legislature.ca.gov/
- NIST SP 800-88 Rev. 1 -- https://csrc.nist.gov/pubs/sp/800/88/r1/final
- IAPP US State Privacy Legislation Tracker -- https://iapp.org/resources/article/us-state-privacy-legislation-tracker
About This Template
A contract is a written record of what two or more parties agreed to and what happens if someone does not follow through. Clear language, defined terms, and clean signature blocks keep disputes small and enforceable. The most common mistakes in contracts come from vague promises, missing details about timing or payment, and skipping standard protective clauses like governing law and dispute resolution.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: April 2026