DATA PROCESSING ADDENDUM -- COMPREHENSIVE (NEW YORK)
DPA Effective Date: [__/__/____]
DPA Number: [________________________________]
PARTIES
Controller / Customer ("Controller"):
| Field | Details |
|---|---|
| Legal Name | [________________________________] |
| Address | [________________________________] |
| Privacy Contact | [________________________________] |
| Contact Email | [________________________________] |
Processor / Provider ("Processor"):
| Field | Details |
|---|---|
| Legal Name | [________________________________] |
| Address | [________________________________] |
| Privacy Contact | [________________________________] |
| Contact Email | [________________________________] |
RECITALS
WHEREAS, Controller and Processor have entered into the Master Agreement dated [__/__/____];
WHEREAS, the Services require Processor to process Personal Data on behalf of Controller;
WHEREAS, the SHIELD Act (N.Y. Gen. Bus. Law §§ 899-aa, 899-bb) requires reasonable data security safeguards and imposes a thirty (30) day breach notification deadline (as amended December 2024);
WHEREAS, New York does not currently have a comprehensive consumer privacy statute comparable to the CCPA/CPRA, but proposed legislation (including the New York Privacy Act) is pending, and the Parties desire to adopt processing standards consistent with evolving privacy requirements; and
WHEREAS, entities regulated by the New York Department of Financial Services must also comply with 23 NYCRR Part 500.
NOW, THEREFORE, the Parties agree as follows:
TABLE OF CONTENTS
- Reference to Master Agreement and Order of Precedence
- Definitions
- Scope of Processing
- Processor Obligations
- Controller Instructions
- Sub-processor Management
- Data Subject Rights
- International Data Transfers
- Data Security Measures
- Data Breach Notification
- Data Protection Impact Assessment Assistance
- Audit Rights
- Return and Deletion of Data
- Liability and Indemnification
- New York-Specific Provisions
- General Provisions
- Signatures
- Annex I -- Processing Details
- Annex II -- Technical and Organizational Security Measures
- Annex III -- Approved Sub-processor List
- Annex IV -- Standard Contractual Clauses Reference
1. REFERENCE TO MASTER AGREEMENT AND ORDER OF PRECEDENCE
1.1 This DPA supplements the Master Agreement dated [__/__/____].
1.2 On data protection matters, this DPA prevails. Otherwise, the Master Agreement controls.
1.3 This DPA remains in effect for the term of the Master Agreement and for as long thereafter as Processor retains any Personal Data.
2. DEFINITIONS
2.1 "Applicable Data Protection Law" means all laws relating to data protection applicable to the processing, including the SHIELD Act, 23 NYCRR Part 500 (where applicable), GDPR (where applicable), CCPA/CPRA (where applicable), and other applicable laws.
2.2 "Controller" means the Party determining the purposes and means of processing.
2.3 "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
2.4 "Personal Data" means any information relating to an identified or identifiable natural person. For purposes of breach notification under the SHIELD Act, this includes "Private Information" as defined in N.Y. Gen. Bus. Law § 899-aa(1)(b).
2.5 "Private Information" means, as defined in N.Y. Gen. Bus. Law § 899-aa(1)(b) (as amended), personal information consisting of any of the following combined with an individual's name, or without the name if the element alone could identify the individual: (a) Social Security number; (b) driver's license or non-driver ID number; (c) financial account number or credit/debit card number with security code, access code, or password; (d) account or credit/debit card number that alone permits account access; (e) biometric information (fingerprint, voice print, retinal image, or other unique biological characteristic); (f) username or email address with password or security question and answer; (g) medical information; or (h) health insurance information.
2.6 "Personal Data Breach" means a breach of the security of a computerized data system resulting in unauthorized access to Private Information, as defined by the SHIELD Act.
2.7 "Processing" means any operation performed on Personal Data.
2.8 "Processor" means the Party processing Personal Data on behalf of Controller.
2.9 "Sub-processor" means any third party engaged by Processor to process Personal Data.
3. SCOPE OF PROCESSING
3.1 Processing Details.
| Element | Description |
|---|---|
| Subject Matter and Purpose | [________________________________] |
| Duration of Processing | Master Agreement term plus [____] days |
| Nature of Processing | [________________________________] |
| Categories of Data Subjects | [________________________________] |
| Types of Personal Data | [________________________________] |
| Sensitive Data (if applicable) | [________________________________] |
3.2 Categories of Data Subjects.
☐ Employees and contractors of Controller
☐ Customers and clients (including New York residents)
☐ End users
☐ Job applicants
☐ Business contacts
☐ Minors (under 18)
☐ Other: [________________________________]
3.3 Types of Personal Data.
☐ Name and contact information
☐ Government identifiers (SSN, driver's license)
☐ Financial information (accounts, payment data)
☐ Employment information
☐ Device identifiers and IP addresses
☐ Biometric data
☐ Health or medical information
☐ Health insurance information
☐ User credentials (username, password)
☐ Other: [________________________________]
3.4 Sensitive Data. Enhanced safeguards required: encryption (AES-256), strict access controls, enhanced logging, prior written authorization from Controller.
4. PROCESSOR OBLIGATIONS
4.1 Process only on documented instructions from Controller.
4.2 Ensure personnel confidentiality.
4.3 Implement security measures per Section 9 and Annex II.
4.4 Maintain processing records.
4.5 Not sell, share, or use Personal Data outside the Services scope.
4.6 Not combine Personal Data with other sources except as necessary.
4.7 SHIELD Act Service Provider Obligation. Under N.Y. Gen. Bus. Law § 899-bb(2)(b)(i)(E), Processor, as a service provider selected by Controller, shall maintain appropriate safeguards for Private Information. This DPA satisfies the requirement to contractually require such safeguards.
5. CONTROLLER INSTRUCTIONS
5.1 Processing only on documented instructions. Processor shall notify Controller of instructions that infringe Applicable Data Protection Law.
5.2 Additional instructions consistent with the Master Agreement.
6. SUB-PROCESSOR MANAGEMENT
6.1 Controller provides [general / specific] authorization.
6.2 Current list in Annex III.
6.3 At least [____] days (30 recommended) prior notice for new Sub-processors.
6.4 Objection rights. If unresolved in [____] days, Controller may terminate affected Services.
6.5 Written Sub-processor agreements with equivalent obligations.
6.6 Processor fully liable.
7. DATA SUBJECT RIGHTS
7.1 Processor shall assist Controller in responding to data subject requests, including:
☐ Right of Access (GDPR Art. 15, where applicable)
☐ Right to Rectification / Correction (GDPR Art. 16, where applicable)
☐ Right to Erasure / Deletion (GDPR Art. 17, where applicable)
☐ Right to Restriction of Processing (GDPR Art. 18, where applicable)
☐ Right to Data Portability (GDPR Art. 20, where applicable)
☐ Right to Object (GDPR Art. 21, where applicable)
☐ Right to Opt Out of Sale/Sharing (CCPA § 1798.120, where applicable)
☐ Right to Deletion (CCPA § 1798.105, where applicable)
☐ Right to Access (CCPA § 1798.110, where applicable)
☐ Rights under future New York comprehensive privacy law (as enacted)
7.2 Assistance within applicable timeframes.
7.3 Direct requests: notify Controller; do not respond without authorization unless required by law.
8. INTERNATIONAL DATA TRANSFERS
8.1 Transfers outside the EEA/UK require appropriate safeguards where GDPR applies.
8.2 Standard Contractual Clauses.
☐ Module 2: Controller to Processor
☐ Module 3: Processor to Processor
Per Annex IV.
8.3 UK Transfers.
☐ UK Addendum to EU SCCs
☐ UK IDTA
8.4 Transfer Impact Assessments where required.
9. DATA SECURITY MEASURES
9.1 SHIELD Act Reasonable Safeguards. Processor shall implement and maintain a data security program with reasonable administrative, technical, and physical safeguards as required by N.Y. Gen. Bus. Law § 899-bb(2), as detailed in Section 3 of the Security Addendum (if executed) and Annex II of this DPA.
9.2 Administrative Safeguards (N.Y. Gen. Bus. Law § 899-bb(2)(b)(i)).
- (a) Designation of security program coordinator(s);
- (b) Identification of internal and external risks;
- (c) Assessment of safeguard sufficiency;
- (d) Employee training;
- (e) Selection of capable service providers with contractual safeguards; and
- (f) Program adjustment for business changes.
9.3 Technical Safeguards (N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)).
- (a) Network and software risk assessment;
- (b) Information processing, transmission, and storage risk assessment;
- (c) Attack and failure detection, prevention, and response; and
- (d) Regular testing and monitoring of controls.
9.4 Physical Safeguards (N.Y. Gen. Bus. Law § 899-bb(2)(b)(iii)).
- (a) Storage and disposal risk assessment;
- (b) Intrusion detection, prevention, and response;
- (c) Protection during collection, transportation, and disposal; and
- (d) Timely disposal of unneeded information.
9.5 Minimum Technical Measures. As detailed in Annex II: encryption in transit (TLS 1.2+) and at rest (AES-256), MFA, RBAC, network security, vulnerability management, penetration testing, SIEM, physical security, and BC/DR.
9.6 Updates permitted without materially diminishing security.
10. DATA BREACH NOTIFICATION
10.1 Notification to Controller. Processor shall notify Controller of a Personal Data Breach no later than [____] hours (48 recommended) after becoming aware of it.
10.2 SHIELD Act Breach Notification (N.Y. Gen. Bus. Law § 899-aa, as amended Dec. 2024).
(a) 30-Day Deadline. Businesses must disclose breaches affecting New York residents within thirty (30) days from discovery. Processor shall notify Controller promptly to enable compliance.
(b) State Regulators. Controller must notify: (i) New York Attorney General; (ii) Department of State, Division of Consumer Protection; (iii) New York State Police; and (iv) New York Department of Financial Services (NYDFS, per 2024 amendment). Processor shall cooperate.
(c) Consumer Reporting Agencies. If more than five thousand (5,000) residents affected, notice to consumer reporting agencies required.
(d) Notification Content. Must include: contact information, type of Private Information exposed, toll-free numbers for consumer reporting agencies, FTC and AG contact information, and description of the breach.
(e) Substitute Notice. Available if cost exceeds $250,000, over 500,000 individuals affected, or insufficient contact information. Requires: email (if available), conspicuous website posting, and notification to major statewide media.
(f) Inadvertent Exposure Exception. If exposure was inadvertent by an authorized person and the entity reasonably determines no likely misuse or harm: notification not required. Written determination must be provided to the AG within ten (10) days if more than 500 New York residents affected.
(g) Penalties (N.Y. Gen. Bus. Law § 899-aa(6)). AG may bring actions: negligent violations -- actual damages and consequential losses; knowing/reckless violations -- greater of $5,000 per violation or $20 per failed notification, capped at $250,000; plus court costs and attorney's fees.
10.3 23 NYCRR Part 500 (if applicable). For DFS-regulated entities, cybersecurity events must be reported to NYDFS within seventy-two (72) hours (23 NYCRR § 500.17). Processor shall cooperate with this requirement.
10.4 Post-Incident Report. Written report within [____] business days (15 recommended).
11. DATA PROTECTION IMPACT ASSESSMENT ASSISTANCE
11.1 Processor shall assist Controller with DPIAs and equivalent assessments, including any requirements that may be imposed by future New York privacy legislation.
12. AUDIT RIGHTS
12.1 Processor shall make information available and allow audits.
12.2 Up to [____] time(s) per year with [____] business days' notice.
12.3 Third-party reports (SOC 2, ISO 27001) may be accepted.
12.4 Costs per Party unless material non-compliance found.
12.5 Cooperation with NY Attorney General, NYDFS, and other regulatory audits.
13. RETURN AND DELETION OF DATA
13.1 At Controller's election, Processor shall return or delete all Personal Data within [____] days (30 recommended) after the end of the Services.
13.2 Deletion per NIST SP 800-88 and N.Y. Gen. Bus. Law § 399-ddd; backups within [____] days (90 recommended).
13.3 Written certification.
13.4 Legal retention exception with notice.
14. LIABILITY AND INDEMNIFICATION
14.1 Subject to Master Agreement limitations.
14.2 Processor indemnifies Controller against claims from Processor's breach, law violations, or data breaches caused by Processor.
14.3 Potential carve-outs: security/confidentiality breach, processing restrictions, regulatory fines.
15. NEW YORK-SPECIFIC PROVISIONS
15.1 SHIELD Act Compliance. Processor represents that its data security program satisfies the "reasonable safeguards" standard of N.Y. Gen. Bus. Law § 899-bb. This DPA constitutes the contractual arrangement required by § 899-bb(2)(b)(i)(E) for service provider selection.
15.2 DFS Cybersecurity Regulation (23 NYCRR Part 500). If either Party is a "Covered Entity" under 23 NYCRR Part 500:
- (a) Processor shall cooperate with annual compliance certification;
- (b) Data processing shall comply with 23 NYCRR § 500.11 (third-party service provider security policy);
- (c) Processor shall support MFA requirements (23 NYCRR § 500.12);
- (d) Processor shall cooperate with the 72-hour cybersecurity event notification (23 NYCRR § 500.17);
- (e) Processor shall support penetration testing and vulnerability assessments (23 NYCRR § 500.05); and
- (f) Processor shall maintain data encryption consistent with 23 NYCRR § 500.15.
15.3 Records Disposal. Per N.Y. Gen. Bus. Law § 399-ddd, Processor shall dispose of records containing personal identifying information by shredding, destroying, or modifying to render unreadable.
15.4 New York Child Data Protection Act. If processing data of individuals under 18, Processor shall implement safeguards consistent with the New York Child Data Protection Act (signed June 2025, effective June 2026) restrictions on data collection and use by online platforms.
15.5 Future Privacy Legislation. The Parties acknowledge that comprehensive consumer privacy legislation (including the New York Privacy Act) is under consideration. If enacted, the Parties shall negotiate in good faith to amend this DPA to comply with new requirements.
15.6 Governing Law. This DPA is governed by New York law without conflict-of-laws principles.
15.7 Forum. Disputes in state or federal courts in [________________________________] County, New York.
15.8 Jury Waiver. THE PARTIES WAIVE TRIAL BY JURY TO THE FULLEST EXTENT PERMITTED BY NEW YORK LAW.
16. GENERAL PROVISIONS
16.1 Entire agreement with Master Agreement on data processing.
16.2 Amendments by written instrument.
16.3 Severability.
16.4 Survival of Sections 2, 10, 12, 13, 14, and 15.
17. SIGNATURES
CONTROLLER / CUSTOMER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
PROCESSOR / PROVIDER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
ANNEX I -- PROCESSING DETAILS
| Element | Description |
|---|---|
| Data Exporter (Controller) | [________________________________] |
| Data Importer (Processor) | [________________________________] |
| Categories of Data Subjects | [________________________________] |
| Categories of Personal Data | [________________________________] |
| Sensitive Data | [________________________________] |
| Frequency of Transfer | [________________________________] |
| Nature of Processing | [________________________________] |
| Purpose of Processing | [________________________________] |
| Retention Period | [________________________________] |
ANNEX II -- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
A. Access Control
- Multi-factor authentication: ☐ Yes ☐ No
- Role-based access control: ☐ Yes ☐ No
- Least-privilege: ☐ Yes ☐ No
- Access reviews: ☐ Yes ☐ No (Frequency: [________________________________])
B. Encryption
- In transit: [________________________________]
- At rest: [________________________________]
- Key management: ☐ KMS ☐ HSM ☐ Other: [________________________________]
C. Network Security
- Firewall: ☐ Yes ☐ No
- IDS/IPS: ☐ Yes ☐ No
- Segmentation: ☐ Yes ☐ No
- DDoS protection: ☐ Yes ☐ No
D. Vulnerability Management
- Scanning frequency: [________________________________]
- Penetration testing: [________________________________]
- Patch management: ☐ Yes ☐ No
E. Logging and Monitoring
- SIEM: ☐ Yes ☐ No
- Retention: [________________________________]
- 24/7 monitoring: ☐ Yes ☐ No
F. Physical Security
- Access: ☐ Badge ☐ Biometric ☐ Both
- Video: ☐ Yes ☐ No
- Environmental controls: ☐ Yes ☐ No
G. Business Continuity
- RPO: [________________________________] | RTO: [________________________________]
- Backup encryption: ☐ Yes ☐ No
- DR testing: [________________________________]
H. Personnel
- Background checks: ☐ Yes ☐ No
- Confidentiality: ☐ Yes ☐ No
- Training: [________________________________]
ANNEX III -- APPROVED SUB-PROCESSOR LIST
| Name | Location | Services | Data Types | Approved |
|---|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
ANNEX IV -- STANDARD CONTRACTUAL CLAUSES REFERENCE
SCC Module: ☐ Module 2 ☐ Module 3
UK Transfer: ☐ UK Addendum ☐ UK IDTA
Completed SCCs attached separately.
IMPLEMENTATION CHECKLIST
☐ Master Agreement referenced
☐ Processing details completed (Annex I)
☐ Data types and data subjects selected
☐ Sub-processor list completed (Annex III)
☐ Security measures documented (Annex II)
☐ SHIELD Act 30-day notification deadline reviewed (Section 10.2(a))
☐ SHIELD Act penalties reviewed (Section 10.2(g))
☐ SHIELD Act reasonable safeguards confirmed (Section 15.1)
☐ DFS 23 NYCRR Part 500 applicability assessed (Section 15.2)
☐ Records disposal requirements confirmed (Section 15.3)
☐ Data return/deletion timelines agreed (Section 13)
☐ Future privacy legislation clause noted (Section 15.5)
☐ All bracketed fields completed
☐ Reviewed by attorney licensed in New York
☐ Signed by authorized representatives
SOURCES AND REFERENCES
- SHIELD Act, N.Y. Gen. Bus. Law §§ 899-aa, 899-bb -- https://ag.ny.gov/resources/organizations/data-breach-reporting/shield-act
- 23 NYCRR Part 500 -- https://www.dfs.ny.gov/industry_guidance/cybersecurity
- N.Y. Gen. Bus. Law § 399-ddd -- https://www.nysenate.gov/legislation/laws/GBS/399-DDD
- GDPR Article 28 -- https://gdpr-info.eu/art-28-gdpr/
- EU SCCs (Decision 2021/914) -- https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
- NIST SP 800-88 -- https://csrc.nist.gov/pubs/sp/800/88/r1/final
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: April 2026