
DATA PROCESSING ADDENDUM (COMPREHENSIVE)

[// GUIDANCE: Includes GDPR/UK GDPR/CCPA/CPRA hooks and SCC/UK IDTA options.]


TABLE OF CONTENTS

  1. Roles and Scope
  2. Duration and Instructions
  3. Nature, Purpose, Types of Data, and Categories of Data Subjects
  4. Provider Obligations (Processor)
  5. Anonymization and Aggregation (if applicable)
  6. Subprocessing
  7. Security Measures
  8. Data Residency/Localization
  9. Personal Data Breach
  10. Data Subject Requests
  11. Return and Deletion
  12. Audits and Certifications
  13. Cross-Border Transfers
  14. US State Privacy (CCPA/CPRA and others)
  15. Liability and Indemnities
  16. Conflict; Order of Precedence
  17. Annexes (Security Controls; SCC/UK Addendum; Completion Guidance)
  18. Signatures

1. ROLES AND SCOPE

  • Parties: [CONTROLLER/PROCESSOR] roles for each party.
  • Default: Provider acts as Processor (or Subprocessor) on behalf of Customer for Personal Data described herein.
  • Optional: For Controller-to-Controller or joint-controller arrangements, select SCC Module 1 or Module 4 and document responsibilities/allocation in Annex I.
  • Subject matter and purpose: provision of [SERVICES] under the [MASTER AGREEMENT NAME/DATE].
  • DPO/Privacy Contact (if applicable): [NAME/EMAIL] for each party.

2. DURATION AND INSTRUCTIONS

  • Processing duration: through the term of the underlying agreement plus wind-down.
  • Provider will process Personal Data only on documented instructions from Customer, including with respect to transfers, and will promptly notify Customer if, in its opinion, an instruction conflicts with Applicable Law.

3. NATURE, PURPOSE, TYPES OF DATA, AND CATEGORIES OF DATA SUBJECTS

  • Nature/purpose: [e.g., hosting, support, analytics].
  • Types of Personal Data: [contact info, device IDs, usage data, HR data, etc.].
  • Data Subjects: [customers, employees, contractors, end users].
  • Sensitive/Special Categories (if any): [health, biometric, racial/ethnic, political, etc.] — require prior written approval and enhanced safeguards (encryption in transit/at rest, access restriction, need-to-know, DPIA/TIA if applicable). If none, state “Not processed.”

4. PROVIDER OBLIGATIONS (PROCESSOR)

  • Confidentiality for personnel; background checks where appropriate.
  • Process only per instructions; assist with impact assessments and consultations with authorities.
  • Maintain records of processing as required by law.

5. ANONYMIZATION AND AGGREGATION (IF APPLICABLE)

  • Provider may [choose: (a) not use / (b) use] Customer Personal Data to create de-identified/aggregated data for [benchmarking/product improvement/security analytics] provided it: (i) is irreversibly de-identified, (ii) contains no Personal Data, (iii) is not used to re-identify any individual or Customer, and (iv) complies with Applicable Law. If prohibited, state “No de-identified/aggregated use permitted.”

6. SUBPROCESSING

  • Authorized subprocessors listed in Annex; advance notice of new subprocessors; Customer objection rights within [X] days for reasonable, documented grounds.
  • Provider remains liable for subprocessors; flow-down of equivalent obligations.

7. SECURITY MEASURES

  • Implement technical and organizational measures appropriate to risk (see Annex 1).
  • Access controls, encryption, logging/monitoring, vulnerability management, backup/DR, secure development, segregation of environments, personnel training.

8. DATA RESIDENCY/LOCALIZATION

  • Primary storage/processing locations: [LIST REGIONS/COUNTRIES].
  • Customer options (if offered): [EEA-only/US-only/regional ringfencing]; any change requires prior written notice and, if applicable, updated transfer mechanism and TIA.

9. PERSONAL DATA BREACH

  • Notify Customer without undue delay and within [X] hours of confirmation.
  • Include details: nature of breach, data types, data subjects affected, measures taken/proposed.
  • Cooperate on notifications and remediation.

10. DATA SUBJECT REQUESTS

  • Assist Customer in responding to DSRs (access, deletion, correction, portability, restriction) within applicable timelines.
  • No responses directly to Data Subjects unless authorized or required by law (with notice to Customer).

11. RETURN AND DELETION

  • Upon termination/expiration, delete or return Personal Data per Customer’s choice, subject to legal retention obligations; certify completion on request.

12. AUDITS AND CERTIFICATIONS

  • Provide SOC/ISO or equivalent reports where available; otherwise allow audits once annually with reasonable notice, subject to confidentiality and time/materials fees if on-site.
  • Promptly address material findings.

13. CROSS-BORDER TRANSFERS

  • If transferring from EEA/UK/Switzerland, incorporate SCCs: [Select Module 2 (Controller-Processor) or 3 (Processor-Processor)], with Annexes completed.
  • UK transfers: attach UK Addendum or IDTA with selected options.
  • Conduct Transfer Impact Assessments (TIAs) as required; implement additional measures (encryption, pseudonymization, access controls) if indicated by TIA outcomes.

14. US STATE PRIVACY (CCPA/CPRA AND OTHERS)

  • Provider acts as “Service Provider”/“Processor”; no selling/sharing of Personal Information, no secondary use outside scope, no combining data except as permitted.
  • Covers CCPA/CPRA and other applicable US state privacy laws (e.g., VA, CO, CT, TX, OR, etc.).
  • Assist with verifiable consumer requests; flow-down to subprocessors.

15. LIABILITY AND INDEMNITIES

  • Liability and caps align with the master agreement; no cap circumvention unless specifically carved out.
  • Breach of DPA confidentiality/security obligations may be a carve-out where negotiated.

16. CONFLICT; ORDER OF PRECEDENCE

  • This DPA prevails over conflicting terms in the master agreement regarding data protection/security; otherwise, the master agreement controls.

17. ANNEXES

  • Annex 1: Technical and Organizational Measures (TOMs). [Guidance: list access controls, encryption standards, network security, logging/monitoring, vulnerability management, backup/DR, secure SDLC, HR security, physical security.]
  • Annex 2: Subprocessor list. [Guidance: name, service, location, data types, role.]
  • Annex 3: SCCs details (Modules, Clauses, Annex I/II/III) and UK Addendum selections. [Guidance: complete data exporter/importer details, description of transfers, TOMs, and jurisdiction-specific options.]

18. SIGNATURES

[// GUIDANCE: Add execution blocks for both parties.]

Customer:
By: _________________________
Name: _______________________
Title: ________________________
Date: ________________________

Provider:
By: _________________________
Name: _______________________
Title: ________________________
Date: ________________________
