Data Processing Addendum - Comprehensive (California)

DATA PROCESSING ADDENDUM -- COMPREHENSIVE (CALIFORNIA)

DPA Effective Date: [__/__/____]

DPA Number: [________________________________]

PARTIES

Business / Controller ("Business"):

Service Provider / Processor ("Service Provider"):

RECITALS

WHEREAS, Business and Service Provider have entered into the Master Agreement dated [__/__/____];

WHEREAS, the Services require Service Provider to process Personal Information on behalf of Business;

WHEREAS, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA, Cal. Civ. Code § 1798.100 et seq.), and the regulations adopted by the California Privacy Protection Agency (CPPA), impose specific contractual requirements for service providers and contractors processing Personal Information;

WHEREAS, Cal. Civ. Code § 1798.100(d) requires a contract between a business and a service provider or contractor that specifies the business purpose for which Personal Information is disclosed and restricts use;

WHEREAS, Cal. Civ. Code § 1798.82 (as amended by SB-446, effective January 1, 2026) imposes a thirty (30) day breach notification deadline; and

NOW, THEREFORE, the Parties agree as follows:

TABLE OF CONTENTS

1. Reference to Master Agreement and Order of Precedence
2. Definitions
3. Scope of Processing
4. Service Provider / Processor Obligations
5. Business Instructions
6. Sub-processor / Subcontractor Management
7. Consumer Rights
8. International Data Transfers
9. Data Security Measures
10. Data Breach Notification
11. Data Protection Assessment and Cybersecurity Audit Assistance
12. Audit Rights
13. Return and Deletion of Data
14. Liability and Indemnification
15. California-Specific Provisions
16. General Provisions
17. Signatures
18. Annex I -- Processing Details
19. Annex II -- Technical and Organizational Security Measures
20. Annex III -- Approved Sub-processor List
21. Annex IV -- Standard Contractual Clauses Reference

1. REFERENCE TO MASTER AGREEMENT AND ORDER OF PRECEDENCE

1.1 This DPA supplements the Master Agreement dated [__/__/____].

1.2 On data protection matters, this DPA prevails. Otherwise, the Master Agreement controls.

1.3 In effect through the Master Agreement term and while Service Provider retains Personal Information.

2. DEFINITIONS

2.1 "Applicable Data Protection Law" means the CCPA/CPRA, CPPA regulations, Cal. Civ. Code § 1798.82, GDPR (where applicable), and other applicable laws.

2.2 "Business" means, under Cal. Civ. Code § 1798.140(d), a sole proprietorship, partnership, LLC, corporation, association, or other legal entity that collects consumers' Personal Information and determines the purposes and means of processing. In this DPA, Business refers to Customer.

2.3 "Business Purpose" means, under Cal. Civ. Code § 1798.140(e), the use of Personal Information for the business's operational purposes or other notified purposes, as specified in the Master Agreement and Annex I.

2.4 "Consumer" means, under Cal. Civ. Code § 1798.140(i), a natural person who is a California resident.

2.5 "Contractor" means, under Cal. Civ. Code § 1798.140(j), a person to whom a business makes available a consumer's Personal Information for a business purpose pursuant to a written contract that complies with Cal. Civ. Code § 1798.100(d).

2.6 "Personal Information" means, under Cal. Civ. Code § 1798.140(v), information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

2.7 "Personal Information Breach" means unauthorized access to, or acquisition of, unencrypted and unredacted Personal Information (or encrypted data where the key was also acquired), as described in Cal. Civ. Code § 1798.82(h), or any personal data breach under GDPR Article 4(12).

2.8 "Processing" means any operation performed on Personal Information.

2.9 "Sensitive Personal Information" means, under Cal. Civ. Code § 1798.140(ae), Personal Information that includes: (a) government identifiers (SSN, driver's license, passport); (b) financial account with log-in credentials; (c) precise geolocation; (d) racial or ethnic origin, religious beliefs, or union membership; (e) contents of mail, email, or text not directed to the business; (f) genetic data; (g) biometric information; (h) health information; (i) sex life or sexual orientation information; or (j) Personal Information of a known child.

2.10 "Service Provider" means, under Cal. Civ. Code § 1798.140(ag), a person that processes Personal Information on behalf of a Business and to which the Business discloses a Consumer's Personal Information for a Business Purpose pursuant to a written contract.

2.11 "Sub-processor" means any third party engaged by Service Provider to process Personal Information on its behalf. Under the CCPA/CPRA, this includes subcontractors to whom Personal Information is disclosed.

3. SCOPE OF PROCESSING

3.1 Processing Details.

3.2 Categories of Consumers / Data Subjects.

☐ Employees and contractors of Business
☐ Customers and clients (California Consumers)
☐ End users of Business's products or services
☐ Job applicants
☐ Business contacts
☐ Minors (under 16)
☐ Known children (under 13)
☐ Other: [________________________________]

3.3 Categories of Personal Information.

☐ Identifiers (name, address, email, phone, SSN, driver's license)
☐ Customer records (Cal. Civ. Code § 1798.80(e))
☐ Protected classifications (race, sex, age, disability)
☐ Commercial information (purchase history, preferences)
☐ Biometric information
☐ Internet/electronic network activity (browsing, search history)
☐ Geolocation data (including precise geolocation)
☐ Audio, electronic, visual, thermal, olfactory, or similar information
☐ Professional or employment-related information
☐ Education information
☐ Inferences drawn from the above
☐ Sensitive Personal Information (specify): [________________________________]

3.4 Sensitive Personal Information. If Sensitive Personal Information is processed, Service Provider shall limit use and disclosure to what is necessary to perform the Services as specified in this DPA. Consumers have the right to limit use of Sensitive Personal Information under Cal. Civ. Code § 1798.121. Enhanced safeguards: AES-256 encryption, strict access controls, enhanced logging.

4. SERVICE PROVIDER / PROCESSOR OBLIGATIONS

4.1 CCPA/CPRA Contract Requirements (Cal. Civ. Code § 1798.100(d)). Service Provider certifies that it understands the restrictions in the CCPA/CPRA and this DPA and will comply with them. Service Provider shall:

(a) Purpose Limitation. Process Personal Information only for the specific Business Purpose set forth in the Master Agreement and this DPA, or as otherwise permitted by Cal. Civ. Code § 1798.140(e).

(b) No Selling. Not sell Personal Information (Cal. Civ. Code § 1798.140(ad)).

(c) No Sharing. Not share Personal Information for cross-context behavioral advertising (Cal. Civ. Code § 1798.140(ah)).

(d) No Retention Beyond Purpose. Not retain, use, or disclose Personal Information for any purpose other than the Business Purpose, including any commercial purpose other than the Business Purpose.

(e) No Use Outside Direct Business Relationship. Not retain, use, or disclose Personal Information outside the direct business relationship between Service Provider and Business.

(f) No Combining. Not combine Personal Information received from Business with Personal Information received from or on behalf of another person, or collected from Service Provider's own interaction with the Consumer, except as permitted by the CCPA/CPRA (e.g., to detect data security incidents, protect against fraud, or as required by law).

(g) Compliance Certification. Service Provider certifies that it understands and will comply with the CCPA/CPRA restrictions set forth in this Section.

4.2 Ensure personnel confidentiality.

4.3 Implement security measures per Section 9 and Annex II.

4.4 Maintain processing records.

4.5 Notification of Inability to Comply. Service Provider shall notify Business if it determines it can no longer meet its obligations under the CCPA/CPRA. Upon such notification, Business may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

5. BUSINESS INSTRUCTIONS

5.1 Service Provider processes only on documented instructions. Service Provider notifies Business of instructions that may infringe Applicable Data Protection Law.

5.2 Additional instructions consistent with the Master Agreement.

6. SUB-PROCESSOR / SUBCONTRACTOR MANAGEMENT

6.1 Business provides [general / specific] authorization for Sub-processors.

6.2 Current list in Annex III.

6.3 At least [____] days (30 recommended) prior notice before engaging new Sub-processors.

6.4 Business objection rights. If unresolved in [____] days, Business may terminate affected Services.

6.5 CCPA/CPRA Flow-Down. Service Provider shall enter into written agreements with each Sub-processor that include the same or equivalent restrictions and requirements under the CCPA/CPRA as set forth in this DPA, including the prohibition on selling, sharing, retaining, using, or disclosing Personal Information outside the scope of the services (Cal. Civ. Code § 1798.100(d)(3)).

6.6 Service Provider fully liable for Sub-processors.

7. CONSUMER RIGHTS

7.1 CCPA/CPRA Consumer Rights. Service Provider shall assist Business in responding to verified Consumer requests:

☐ Right to Know / Access (Cal. Civ. Code § 1798.110)
☐ Right to Delete (Cal. Civ. Code § 1798.105)
☐ Right to Correct (Cal. Civ. Code § 1798.106)
☐ Right to Data Portability (Cal. Civ. Code § 1798.130)
☐ Right to Opt Out of Sale (Cal. Civ. Code § 1798.120)
☐ Right to Opt Out of Sharing (Cal. Civ. Code § 1798.120)
☐ Right to Limit Use of Sensitive Personal Information (Cal. Civ. Code § 1798.121)
☐ Right to Non-Discrimination (Cal. Civ. Code § 1798.125)
☐ Right of Access (GDPR Art. 15, where applicable)
☐ Right to Erasure (GDPR Art. 17, where applicable)
☐ Right to Data Portability (GDPR Art. 20, where applicable)
☐ Right to Restriction of Processing (GDPR Art. 18, where applicable)

7.2 Response Timeline. Business must respond within forty-five (45) days, extendable once by forty-five (45) additional days with Consumer notice (Cal. Civ. Code § 1798.130(a)(2)). Service Provider shall assist within timeframes enabling Business compliance.

7.3 Deletion Cascade. Upon receiving a verified deletion request forwarded by Business, Service Provider shall: (a) delete the Consumer's Personal Information from its records (subject to exemptions under Cal. Civ. Code § 1798.105(d)); and (b) direct its Sub-processors to delete the Consumer's Personal Information.

7.4 If Service Provider receives a request directly from a Consumer, it shall direct the Consumer to submit the request to Business, notify Business of the request, and cooperate with Business's response.

8. INTERNATIONAL DATA TRANSFERS

8.1 If GDPR applies, transfers outside the EEA/UK require appropriate safeguards.

8.2 Standard Contractual Clauses.

☐ Module 2: Controller to Processor
☐ Module 3: Processor to Processor

Per Annex IV.

8.3 UK Transfers.

☐ UK Addendum to EU SCCs
☐ UK IDTA

8.4 Transfer Impact Assessments where required.

9. DATA SECURITY MEASURES

9.1 Reasonable Security (Cal. Civ. Code § 1798.81.5). Service Provider shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information to protect it from unauthorized access, destruction, use, modification, or disclosure. The California Attorney General has identified the CIS Controls as a baseline for "reasonable security."

9.2 Private Right of Action Awareness (Cal. Civ. Code § 1798.150). The Parties acknowledge that a Consumer whose nonencrypted and nonredacted Personal Information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business's violation of the duty to implement reasonable security may bring a civil action for statutory damages of $100 to $750 per Consumer per incident (or actual damages if greater), injunctive relief, and other relief the court deems proper.

9.3 Minimum Measures. As detailed in Annex II:

• (a) Encryption in transit (TLS 1.2+) and at rest (AES-256);
• (b) Multi-factor authentication;
• (c) Role-based access controls and least privilege;
• (d) Network security (firewalls, IDS/IPS, segmentation);
• (e) Vulnerability management and penetration testing;
• (f) Security awareness training;
• (g) Physical security controls;
• (h) Business continuity and disaster recovery;
• (i) Logging and monitoring (SIEM); and
• (j) Documented incident response plan.

9.4 Updates permitted without materially diminishing security.

10. DATA BREACH NOTIFICATION

10.1 Notification to Business. No later than [____] hours (48 recommended) after becoming aware.

10.2 California Breach Notification (Cal. Civ. Code § 1798.82, as amended by SB-446, effective Jan. 1, 2026).

(a) Individual Notification. Disclosure to affected California residents within thirty (30) calendar days of discovery or notification of the breach.

(b) Attorney General Notification. If more than five hundred (500) California residents affected, notice to the California Attorney General within fifteen (15) calendar days of notifying affected residents.

(c) Notification Content. The notice must be titled "Notice of Data Breach," written in plain language (no smaller than 10-point type), with the following sections: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information."

(d) Covered Information (Cal. Civ. Code § 1798.82(h)). Notification triggered by unauthorized acquisition of unencrypted Personal Information (or encrypted data where key also acquired): SSN, driver's license or CA ID, financial account with access code, medical information, health insurance information, unique biometric data, tax identification number, or username/email with password or security question.

(e) Encryption Safe Harbor. Notification not required for encrypted data if the encryption key or security credential was not acquired.

(f) Law Enforcement Delay. At law enforcement request.

10.3 CCPA Private Right of Action (Cal. Civ. Code § 1798.150). Service Provider acknowledges that unauthorized access resulting from a business's failure to maintain reasonable security may result in: statutory damages of $100-$750 per Consumer per incident; actual damages; injunctive relief; and attorney's fees. Service Provider's compliance with this DPA is intended to satisfy the reasonable security standard.

10.4 AG Enforcement (Cal. Civ. Code § 1798.199.90). The California Attorney General and the California Privacy Protection Agency have enforcement authority under the CCPA/CPRA. The AG may seek civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation or violation involving minors.

10.5 Post-Incident Report. Written report within [____] business days (15 recommended).

11. DATA PROTECTION ASSESSMENT AND CYBERSECURITY AUDIT ASSISTANCE

11.1 Risk Assessments. Service Provider shall assist Business in conducting risk assessments of processing that presents significant risk to Consumer privacy, as may be required by CPPA regulations under Cal. Civ. Code § 1798.185(a)(15).

11.2 Cybersecurity Audits. The CPPA is authorized to issue regulations requiring businesses whose processing presents significant risk to Consumer privacy or security to perform annual cybersecurity audits (Cal. Civ. Code § 1798.185(a)(15)(B)). Service Provider shall cooperate with any such audits and provide information reasonably requested.

11.3 DPIA Assistance. Where GDPR applies, Service Provider shall assist with Data Protection Impact Assessments under GDPR Article 35.

12. AUDIT RIGHTS

12.1 Service Provider shall make information available and allow audits.

12.2 Up to [____] time(s) per year with [____] business days' notice.

12.3 Third-party reports (SOC 2, ISO 27001) may be accepted.

12.4 Costs per Party unless material non-compliance.

12.5 Cooperation with California Attorney General, CPPA, and other regulatory audits.

13. RETURN AND DELETION OF DATA

13.1 At Business's election: return within [____] days (30 recommended) or deletion.

13.2 Deletion per NIST SP 800-88; backups within [____] days (90 recommended).

13.3 Written certification.

13.4 Legal retention exception with notice. Retention only for purposes permitted by Cal. Civ. Code § 1798.105(d).

14. LIABILITY AND INDEMNIFICATION

14.1 Subject to Master Agreement limitations.

14.2 Service Provider indemnifies Business against claims from: Service Provider's breach of this DPA; violation of Applicable Data Protection Law; data breaches caused by Service Provider's failure to maintain reasonable security.

14.3 Potential carve-outs: security/confidentiality breach, processing restrictions, regulatory penalties, CCPA private right of action claims.

14.4 § 1798.150 Indemnity. Service Provider shall indemnify Business for any claims under Cal. Civ. Code § 1798.150 (private right of action for data breaches) to the extent such claims arise from Service Provider's failure to implement and maintain reasonable security procedures as required by this DPA.

15. CALIFORNIA-SPECIFIC PROVISIONS

15.1 Service Provider / Contractor Status. Service Provider's role under the CCPA/CPRA:

☐ Service Provider (Cal. Civ. Code § 1798.140(ag))
☐ Contractor (Cal. Civ. Code § 1798.140(j))

15.2 CCPA/CPRA Contract Compliance. This DPA satisfies the written contract requirements of Cal. Civ. Code § 1798.100(d) by specifying: (a) the Business Purpose for which Personal Information is disclosed; (b) prohibitions on selling, sharing, retaining, using, or disclosing beyond the Business Purpose; (c) compliance certification; (d) remediation rights; and (e) Sub-processor flow-down.

15.3 CPPA Regulatory Authority. The California Privacy Protection Agency (CPPA) has authority to: (a) adopt regulations implementing the CCPA/CPRA; (b) conduct investigations; (c) bring enforcement actions; and (d) impose administrative fines. Service Provider shall comply with all applicable CPPA regulations and cooperate with CPPA proceedings.

15.4 Opt-Out Preference Signals. Service Provider shall honor opt-out preference signals (e.g., Global Privacy Control) transmitted by Consumers, to the extent applicable to Service Provider's processing activities and consistent with CPPA regulations.

15.5 Minors' Data. If processing Personal Information of Consumers under 16:

• (a) For Consumers under 13: opt-in consent from parent or guardian required before sale or sharing;
• (b) For Consumers 13-15: affirmative authorization from the Consumer required before sale or sharing;
• (c) Violations involving minors subject to $7,500 per violation penalty.

15.6 Financial Incentives. Service Provider shall not use Personal Information to discriminate against Consumers who exercise their CCPA/CPRA rights, including through denial of goods or services, different prices, or different quality (Cal. Civ. Code § 1798.125).

15.7 De-identification. If Service Provider de-identifies Personal Information, it shall: (a) take reasonable measures to prevent re-identification; (b) make a public commitment not to re-identify; (c) contractually prohibit downstream recipients from re-identifying; and (d) implement technical safeguards to prevent re-identification (Cal. Civ. Code § 1798.140(m)).

15.8 Governing Law. This DPA is governed by California law without conflict-of-laws principles.

15.9 Forum. Disputes in state or federal courts in [________________________________] County, California.

15.10 Jury Waiver. THE PARTIES WAIVE TRIAL BY JURY TO THE FULLEST EXTENT PERMITTED BY CALIFORNIA LAW.

16. GENERAL PROVISIONS

16.1 Entire agreement with Master Agreement on data processing.

16.2 Amendments by written instrument. Service Provider shall notify Business of CCPA/CPRA regulatory changes requiring amendment.

16.3 Severability.

16.4 Survival of Sections 2, 10, 12, 13, 14, and 15.

17. SIGNATURES

BUSINESS / CONTROLLER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

SERVICE PROVIDER / PROCESSOR:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

ANNEX I -- PROCESSING DETAILS

ANNEX II -- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

A. Access Control

• Multi-factor authentication: ☐ Yes ☐ No
• Role-based access control: ☐ Yes ☐ No
• Least-privilege: ☐ Yes ☐ No
• Access reviews: ☐ Yes ☐ No (Frequency: [________________________________])

B. Encryption

• In transit: [________________________________]
• At rest: [________________________________]
• Key management: ☐ KMS ☐ HSM ☐ Other: [________________________________]

C. Network Security

• Firewall: ☐ Yes ☐ No
• IDS/IPS: ☐ Yes ☐ No
• Segmentation: ☐ Yes ☐ No
• DDoS protection: ☐ Yes ☐ No

D. Vulnerability Management

• Scanning frequency: [________________________________]
• Penetration testing: [________________________________]
• Patch management: ☐ Yes ☐ No

E. Logging and Monitoring

• SIEM: ☐ Yes ☐ No
• Retention: [________________________________]
• 24/7 monitoring: ☐ Yes ☐ No

F. Physical Security

• Access: ☐ Badge ☐ Biometric ☐ Both
• Video: ☐ Yes ☐ No
• Environmental controls: ☐ Yes ☐ No

G. Business Continuity

• RPO: [________________________________] | RTO: [________________________________]
• Backup encryption: ☐ Yes ☐ No
• DR testing: [________________________________]

H. Personnel

• Background checks: ☐ Yes ☐ No
• Confidentiality: ☐ Yes ☐ No
• Training: [________________________________]

ANNEX III -- APPROVED SUB-PROCESSOR LIST

ANNEX IV -- STANDARD CONTRACTUAL CLAUSES REFERENCE

SCC Module: ☐ Module 2 ☐ Module 3

UK Transfer: ☐ UK Addendum ☐ UK IDTA

Completed SCCs attached separately.

IMPLEMENTATION CHECKLIST

☐ Master Agreement referenced
☐ Service Provider / Contractor status selected (Section 15.1)
☐ Processing details and Business Purpose completed (Annex I)
☐ Categories of Personal Information selected (Section 3.3)
☐ Sensitive Personal Information identified if applicable (Section 3.4)
☐ Consumer rights identified (Section 7.1)
☐ Sub-processor list completed (Annex III)
☐ Security measures documented (Annex II)
☐ Breach notification timelines reviewed: 30-day individual, 15-day AG (Section 10.2)
☐ Private right of action risk reviewed (Section 10.3)
☐ CCPA/CPRA contract requirements verified (Section 4.1)
☐ No selling/sharing confirmed (Section 4.1(b)(c))
☐ Combining restrictions confirmed (Section 4.1(f))
☐ Deletion cascade procedures confirmed (Section 7.3)
☐ CPPA cybersecurity audit obligations reviewed (Section 11.2)
☐ Minors' data provisions reviewed if applicable (Section 15.5)
☐ Opt-out preference signal compliance confirmed (Section 15.4)
☐ De-identification standards reviewed (Section 15.7)
☐ Data return/deletion timelines agreed (Section 13)
☐ All bracketed fields completed
☐ Reviewed by attorney licensed in California
☐ Signed by authorized representatives

SOURCES AND REFERENCES

• CCPA/CPRA, Cal. Civ. Code § 1798.100 et seq. -- https://leginfo.legislature.ca.gov/
• Cal. Civ. Code § 1798.82 (Breach Notification, as amended by SB-446) -- https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82
• Cal. Civ. Code § 1798.150 (Private Right of Action) -- https://leginfo.legislature.ca.gov/
• Cal. Civ. Code § 1798.81.5 (Reasonable Security) -- https://leginfo.legislature.ca.gov/
• California Privacy Protection Agency -- https://cppa.ca.gov/
• California AG Data Breach Reporting -- https://oag.ca.gov/privacy/databreach/reporting
• GDPR Article 28 -- https://gdpr-info.eu/art-28-gdpr/
• EU SCCs (Decision 2021/914) -- https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
• NIST SP 800-88 -- https://csrc.nist.gov/pubs/sp/800/88/r1/final
• CIS Controls v8 -- https://www.cisecurity.org/controls