
Data Processing Addendum - Comprehensive (Alabama)


DATA PROCESSING ADDENDUM -- COMPREHENSIVE (ALABAMA)

DPA Effective Date: [__/__/____]

DPA Number: [________________________________]


PARTIES

Controller / Customer ("Controller"):

Field: Details
Legal Name: [________________________________]
Address: [________________________________]
Privacy Contact: [________________________________]
Contact Email: [________________________________]

Processor / Provider ("Processor"):

Field: Details
Legal Name: [________________________________]
Address: [________________________________]
Privacy Contact: [________________________________]
Contact Email: [________________________________]

RECITALS

WHEREAS, Controller and Processor have entered into that certain Master Agreement dated [__/__/____] (the "Master Agreement"), pursuant to which Processor provides certain services (the "Services") to Controller;

WHEREAS, the provision of Services requires Processor to process Personal Data on behalf of Controller;

WHEREAS, the Parties acknowledge that the Alabama Data Breach Notification Act of 2018 (Ala. Code § 8-38-1 et seq.) requires covered entities to implement and maintain reasonable security measures and to provide breach notification within forty-five (45) days, with third-party agents required to notify within ten (10) days of discovery;

WHEREAS, Alabama does not currently have a comprehensive data privacy statute comparable to the CCPA/CPRA or GDPR, but the Parties desire to adopt processing standards consistent with evolving privacy best practices.

NOW, THEREFORE, the Parties agree as follows:


TABLE OF CONTENTS

  1. Reference to Master Agreement and Order of Precedence
  2. Definitions
  3. Scope of Processing
  4. Processor Obligations
  5. Controller Instructions
  6. Sub-processor Management
  7. Data Subject Rights
  8. International Data Transfers
  9. Data Security Measures
  10. Data Breach Notification
  11. Data Protection Impact Assessment Assistance
  12. Audit Rights
  13. Return and Deletion of Data
  14. Liability and Indemnification
  15. Alabama-Specific Provisions
  16. General Provisions
  17. Signatures
  18. Annex I -- Processing Details
  19. Annex II -- Technical and Organizational Security Measures
  20. Annex III -- Approved Sub-processor List
  21. Annex IV -- Standard Contractual Clauses Reference

1. REFERENCE TO MASTER AGREEMENT AND ORDER OF PRECEDENCE

1.1 This DPA supplements the Master Agreement dated [__/__/____]. Capitalized terms not defined herein have meanings from the Master Agreement.

1.2 On data protection and privacy matters, this DPA prevails. Otherwise, the Master Agreement controls.

1.3 This DPA remains in effect through the term of the Master Agreement and for as long as Processor retains any Personal Data.


2. DEFINITIONS

2.1 "Applicable Data Protection Law" means all laws relating to data protection and privacy applicable to the processing, including the Alabama Data Breach Notification Act (Ala. Code § 8-38-1 et seq.), GDPR (where applicable), CCPA/CPRA (where applicable), and other applicable federal and state laws.

2.2 "Controller" means the Party determining the purposes and means of processing.

2.3 "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

2.4 "Personal Data" means any information relating to an identified or identifiable natural person. For purposes of Alabama breach notification, this specifically includes "Sensitive Personally Identifying Information" as defined in Ala. Code § 8-38-2(5).

2.5 "Sensitive Personally Identifying Information" means, as defined in Ala. Code § 8-38-2(5), an Alabama resident's first name or first initial and last name in combination with one or more of the following when the data elements are not encrypted or redacted: (a) a non-truncated Social Security number or tax identification number; (b) a non-truncated driver's license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document; (c) a financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN; (d) medical history, mental or physical condition, or medical treatment or diagnosis by a health care provider; (e) health insurance policy number or subscriber identification number, combined with any unique identifier used by a health insurer; or (f) a user name or email address combined with a password or security question and answer for an online account.

2.6 "Personal Data Breach" means the unauthorized access of data in electronic form containing Sensitive Personally Identifying Information, as further defined in Ala. Code § 8-38-2(1), or a breach of security under GDPR Article 4(12) where applicable.

2.7 "Processing" means any operation performed on Personal Data.

2.8 "Processor" means the Party processing Personal Data on behalf of Controller.

2.9 "Sub-processor" means any third party engaged by Processor to process Personal Data.

2.10 "Third-Party Agent" means, as defined in Ala. Code § 8-38-2(8), an entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.


3. SCOPE OF PROCESSING

3.1 Processing Details Table.

Element: Description
Subject Matter and Purpose: [________________________________]
Duration of Processing: Term of the Master Agreement plus [____] days wind-down
Nature of Processing: [________________________________]
Categories of Data Subjects: [________________________________]
Types of Personal Data: [________________________________]
Sensitive Data (if applicable): [________________________________]

3.2 Categories of Data Subjects.

☐ Employees and contractors of Controller
☐ Customers and clients of Controller
☐ End users of Controller's products or services
☐ Job applicants
☐ Business contacts
☐ Alabama residents
☐ Other: [________________________________]

3.3 Types of Personal Data.

☐ Name (first, last, middle)
☐ Contact information (email, phone, address)
☐ Government identifiers (SSN, driver's license)
☐ Date of birth / age
☐ Financial information (account numbers, payment data)
☐ Employment information
☐ Device identifiers and IP addresses
☐ Health or medical information
☐ User credentials (username, password)
☐ Other: [________________________________]

3.4 Sensitive Data Safeguards. If Sensitive Personally Identifying Information or special categories of data are processed, Processor shall implement: encryption in transit and at rest (AES-256 or equivalent), strict need-to-know access controls, enhanced logging, and prior written authorization from Controller.


4. PROCESSOR OBLIGATIONS

4.1 Process Personal Data only in accordance with documented instructions from Controller and Applicable Data Protection Law.

4.2 Ensure all personnel are bound by confidentiality obligations.

4.3 Implement security measures per Section 9 and Annex II.

4.4 Maintain records of processing activities as required by law.

4.5 Not sell, share, or use Personal Data outside the scope of the Services.

4.6 Not combine Personal Data with data from other sources except as necessary for the Services.


5. CONTROLLER INSTRUCTIONS

5.1 Processor shall process only on documented instructions. If Processor believes an instruction infringes Applicable Data Protection Law, Processor shall immediately notify Controller.

5.2 Additional instructions must be consistent with the Master Agreement and this DPA.


6. SUB-PROCESSOR MANAGEMENT

6.1 Controller provides [general / specific] authorization for Sub-processors.

6.2 Current Sub-processors are listed in Annex III.

6.3 Processor shall give Controller at least [____] days (30 recommended) prior written notice before engaging any new Sub-processor.

6.4 Controller may object within the notice period. If unresolved within [____] days, Controller may terminate affected Services without penalty.

6.5 Sub-processor agreements must impose equivalent data protection obligations.

6.6 Processor remains fully liable for Sub-processors.


7. DATA SUBJECT RIGHTS

7.1 Processor shall assist Controller in responding to data subject requests, including:

☐ Right of Access
☐ Right to Rectification / Correction
☐ Right to Erasure / Deletion
☐ Right to Restriction of Processing
☐ Right to Data Portability
☐ Right to Object
☐ Right to Opt Out of Sale/Sharing (where applicable under other state laws)
☐ Right to Non-Discrimination
☐ Right to Appeal (where applicable)

7.2 Processor shall provide such assistance within the timeframes required by Applicable Data Protection Law.

7.3 If Processor receives a request directly, it shall notify Controller and not respond without authorization unless required by law.


8. INTERNATIONAL DATA TRANSFERS

8.1 If Personal Data is transferred internationally and GDPR applies, appropriate safeguards must be in place.

8.2 Standard Contractual Clauses.

☐ Module 2: Controller to Processor
☐ Module 3: Processor to Processor

The selected module is completed by reference to Annex IV.

8.3 UK Transfers.

☐ UK Addendum to EU SCCs
☐ UK International Data Transfer Agreement (IDTA)

8.4 Transfer Impact Assessments shall be conducted where required.


9. DATA SECURITY MEASURES

9.1 Alabama Security Obligation. Pursuant to Ala. Code § 8-38-3, each covered entity shall implement and maintain reasonable security measures to protect Sensitive Personally Identifying Information against a breach of security. Processor represents that its security measures satisfy this standard.

9.2 Minimum Security Measures. Processor shall maintain, as detailed in Annex II, at least the following:

  (a) Encryption in transit (TLS 1.2+) and at rest (AES-256);
  (b) Multi-factor authentication for administrative access;
  (c) Role-based access controls;
  (d) Network security (firewalls, IDS/IPS, segmentation);
  (e) Vulnerability management and penetration testing;
  (f) Security awareness training;
  (g) Physical security controls;
  (h) Business continuity and disaster recovery;
  (i) Logging and monitoring (SIEM); and
  (j) Incident response plan.

9.3 Security measures may be updated without materially diminishing overall security.


10. DATA BREACH NOTIFICATION

10.1 Notification to Controller. Processor shall notify Controller of any Personal Data Breach without undue delay and no later than [____] hours (48 recommended) after becoming aware, including nature, categories and numbers affected, likely consequences, measures taken, and discovery date.

10.2 Alabama Breach Notification Requirements (Ala. Code § 8-38-1 et seq.).

(a) Investigation (Ala. Code § 8-38-4). Upon discovery or notification of a breach, Processor (as a covered entity or third-party agent) shall conduct a good faith and prompt investigation to determine: (i) whether Sensitive Personally Identifying Information has been or is reasonably believed to have been acquired by an unauthorized person; and (ii) whether the breach is reasonably likely to cause substantial harm to the individuals to whom the information relates.

(b) Third-Party Agent Notification (Ala. Code § 8-38-7). When Processor acts as a "third-party agent" under Alabama law, Processor shall notify Controller (the covered entity) of a breach as expeditiously as possible and without unreasonable delay, but no later than ten (10) days following discovery of the breach or reason to believe a breach has occurred.

(c) Individual Notification (Ala. Code § 8-38-5). Individual notification must be provided as expeditiously as possible and without unreasonable delay, but in no event later than forty-five (45) days from either: (i) receipt of notice from a third-party agent; or (ii) the covered entity's determination that a breach has occurred and is reasonably likely to cause substantial harm. Processor shall cooperate with Controller's notification.

(d) Attorney General Notification (Ala. Code § 8-38-6). If the number of affected individuals exceeds one thousand (1,000), written notice must be provided to the Alabama Attorney General within forty-five (45) days, including: (i) synopsis of events; (ii) approximate number of individuals affected; (iii) services offered (e.g., credit monitoring); (iv) copy of the notice sent to individuals; and (v) contact information.

(e) Consumer Reporting Agencies. If more than one thousand (1,000) Alabama residents are notified, the covered entity must also notify major consumer reporting agencies without unreasonable delay.

(f) Notification Content (Ala. Code § 8-38-5(b)). Notice must include: (i) the date or estimated date range of the breach; (ii) a description of the Sensitive Personally Identifying Information acquired; (iii) a general description of actions taken to restore security; (iv) steps the individual can take to protect themselves; and (v) contact information for the notifying entity.

(g) Documentation Requirement. If the covered entity determines that notice is not required (i.e., the breach is not reasonably likely to cause substantial harm), the entity shall document the determination in writing and maintain those records for no less than five (5) years.

(h) Law Enforcement Delay (Ala. Code § 8-38-9). Notice may be delayed if a law enforcement agency determines notification will impede a criminal investigation and requests delay.

10.3 Post-Incident Report. Processor shall deliver a written post-incident report to Controller within [____] business days (15 recommended) of closure of the incident.


11. DATA PROTECTION IMPACT ASSESSMENT ASSISTANCE

11.1 Processor shall assist Controller in conducting DPIAs and equivalent assessments under applicable law.


12. AUDIT RIGHTS

12.1 Processor shall make information available to demonstrate compliance and allow audits.

12.2 Controller may conduct audits up to [____] time(s) per year on [____] business days' written notice, during normal business hours, subject to confidentiality obligations.

12.3 Third-party reports (SOC 2, ISO 27001) may be accepted in lieu of on-site audits.

12.4 Each Party bears its own audit costs unless the audit reveals material non-compliance by Processor.

12.5 Processor shall cooperate with regulatory audits, including those conducted by the Alabama Attorney General.


13. RETURN AND DELETION OF DATA

13.1 At Controller's election upon termination, Processor shall either return all Personal Data in a machine-readable format within [____] days (30 recommended) or securely delete it.

13.2 Deletion shall follow the media sanitization guidance of NIST SP 800-88; Personal Data held in backups shall be deleted within [____] days (90 recommended).

13.3 Processor shall provide written certification of deletion.

13.4 Where applicable law requires Processor to retain Personal Data, Processor shall notify Controller and shall continue to protect the retained data under this DPA for as long as it is retained.


14. LIABILITY AND INDEMNIFICATION

14.1 Each Party's liability under this DPA is subject to the limitations set out in the Master Agreement.

14.2 Processor shall indemnify Controller against claims arising from Processor's breach of this DPA, violation of Applicable Data Protection Law, or Personal Data Breach caused by Processor.

14.3 Carve-outs from liability cap may include breach of confidentiality/security, breach of processing restrictions, and regulatory fines.


15. ALABAMA-SPECIFIC PROVISIONS

15.1 Alabama Data Breach Notification Act Compliance. Processor represents that it complies with all applicable provisions of the Alabama Data Breach Notification Act of 2018 (Ala. Code § 8-38-1 et seq.), including the duty to implement reasonable security measures (Ala. Code § 8-38-3) and the ten (10) day third-party agent notification requirement (Ala. Code § 8-38-7).

15.2 Substantial Harm Standard. Under Alabama law, breach notification is required only if the breach is "reasonably likely to cause substantial harm" to affected individuals. Processor acknowledges that the determination of substantial harm shall be made by Controller (or jointly where appropriate) and agrees to cooperate in making such determination by providing all relevant information promptly.

15.3 Five-Year Documentation Retention. Processor shall cooperate with Controller in documenting any determination that breach notification is not required, and shall maintain such documentation for no less than five (5) years as required by Ala. Code § 8-38-4(d).

15.4 Compliance with Other Applicable Laws. To the extent that Personal Data processed under this DPA is subject to data protection laws of other jurisdictions (e.g., CCPA/CPRA, GDPR), Processor shall comply with those laws in addition to Alabama law.

15.5 Governing Law. This DPA is governed by Alabama law without conflict-of-laws principles.

15.6 Forum. Disputes shall be brought in the state or federal courts in [________________________________] County, Alabama.

15.7 Jury Waiver. TO THE FULLEST EXTENT PERMITTED BY ALABAMA LAW, THE PARTIES WAIVE TRIAL BY JURY.


16. GENERAL PROVISIONS

16.1 This DPA, together with the Master Agreement, constitutes the entire agreement between the Parties on data processing matters.

16.2 This DPA may be amended only by a written instrument signed by both Parties.

16.3 Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions continue in full force and effect.

16.4 Sections 2, 10, 12, 13, 14, and 15 survive termination of this DPA.


17. SIGNATURES

IN WITNESS WHEREOF, the Parties have executed this DPA.

CONTROLLER / CUSTOMER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

PROCESSOR / PROVIDER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]


ANNEX I -- PROCESSING DETAILS

Element: Description
Data Exporter (Controller) Name: [________________________________]
Data Importer (Processor) Name: [________________________________]
Categories of Data Subjects: [________________________________]
Categories of Personal Data: [________________________________]
Sensitive Data (if any): [________________________________]
Frequency of Transfer: [________________________________]
Nature of Processing: [________________________________]
Purpose of Processing: [________________________________]
Retention Period: [________________________________]

ANNEX II -- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

A. Access Control

  • Multi-factor authentication: ☐ Yes ☐ No
  • Role-based access control: ☐ Yes ☐ No
  • Least-privilege principle: ☐ Yes ☐ No
  • Regular access reviews: ☐ Yes ☐ No (Frequency: [________________________________])
  • Automated deprovisioning: ☐ Yes ☐ No

B. Encryption

  • Encryption in transit (TLS version): [________________________________]
  • Encryption at rest (algorithm): [________________________________]
  • Key management: ☐ KMS ☐ HSM ☐ Other: [________________________________]

C. Network Security

  • Firewall protection: ☐ Yes ☐ No
  • IDS/IPS: ☐ Yes ☐ No
  • Network segmentation: ☐ Yes ☐ No
  • DDoS protection: ☐ Yes ☐ No

D. Vulnerability Management

  • Scanning frequency: [________________________________]
  • Penetration testing frequency: [________________________________]
  • Patch management: ☐ Yes ☐ No

E. Logging and Monitoring

  • SIEM: ☐ Yes ☐ No
  • Log retention: [________________________________]
  • 24/7 monitoring: ☐ Yes ☐ No

F. Physical Security

  • Access controls: ☐ Badge ☐ Biometric ☐ Both
  • Video surveillance: ☐ Yes ☐ No
  • Environmental controls: ☐ Yes ☐ No

G. Business Continuity

  • RPO: [________________________________]
  • RTO: [________________________________]
  • Backup encryption: ☐ Yes ☐ No
  • DR testing frequency: [________________________________]

H. Personnel Security

  • Background checks: ☐ Yes ☐ No
  • Confidentiality agreements: ☐ Yes ☐ No
  • Training frequency: [________________________________]

ANNEX III -- APPROVED SUB-PROCESSOR LIST

Sub-processor Name | Location | Services | Data Types | Date Approved
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]

ANNEX IV -- STANDARD CONTRACTUAL CLAUSES REFERENCE

(Applicable where GDPR-covered data is transferred internationally)

SCC Module: ☐ Module 2 ☐ Module 3

UK Transfer Mechanism: ☐ UK Addendum ☐ UK IDTA

Completed SCCs attached as separate schedule.


IMPLEMENTATION CHECKLIST

☐ Master Agreement referenced
☐ Party roles confirmed
☐ Processing details completed (Annex I)
☐ Data Subjects and data types selected
☐ Sub-processor list completed (Annex III)
☐ Security measures documented (Annex II)
☐ Breach notification timelines agreed (Section 10)
☐ Alabama 10-day third-party agent deadline reviewed (Section 10.2(b))
☐ Alabama 45-day individual notice deadline reviewed (Section 10.2(c))
☐ Substantial harm standard reviewed (Section 15.2)
☐ 5-year documentation retention noted (Section 15.3)
☐ Data return/deletion timelines agreed (Section 13)
☐ All bracketed fields completed
☐ Reviewed by attorney licensed in Alabama
☐ Signed by authorized representatives


SOURCES AND REFERENCES

  • Alabama Data Breach Notification Act of 2018, Ala. Code § 8-38-1 et seq. -- https://law.justia.com/codes/alabama/title-8/chapter-38/
  • Alabama Attorney General Data Breach Notification -- https://www.alabamaag.gov/data-breach-notification/
  • GDPR Article 28 -- https://gdpr-info.eu/art-28-gdpr/
  • NIST SP 800-88 Rev. 1 -- https://csrc.nist.gov/pubs/sp/800/88/r1/final

About This Template

A contract is a written record of what two or more parties agreed to and what happens if someone does not follow through. Clear language, defined terms, and clean signature blocks keep disputes small and enforceable. The most common mistakes in contracts come from vague promises, missing details about timing or payment, and skipping standard protective clauses like governing law and dispute resolution.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: April 2026