Data Processing Addendum - Comprehensive (Texas)

DATA PROCESSING ADDENDUM -- COMPREHENSIVE (TEXAS)

DPA Effective Date: [__/__/____]

DPA Number: [________________________________]


PARTIES

Controller / Customer ("Controller"):

Legal Name: [________________________________]
Address: [________________________________]
Privacy Contact: [________________________________]
Contact Email: [________________________________]

Processor / Provider ("Processor"):

Legal Name: [________________________________]
Address: [________________________________]
Privacy Contact: [________________________________]
Contact Email: [________________________________]

RECITALS

WHEREAS, Controller and Processor have entered into the Master Agreement dated [__/__/____];

WHEREAS, the Services require Processor to process Personal Data on behalf of Controller;

WHEREAS, the Texas Data Privacy and Security Act (TDPSA, Tex. Bus. & Com. Code Ch. 541), effective July 1, 2024, establishes controller-processor obligations and consumer data rights for Texas residents;

WHEREAS, the Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code § 521.001 et seq.) requires reasonable safeguards and imposes a sixty (60) day breach notification deadline; and

NOW, THEREFORE, the Parties agree as follows:


TABLE OF CONTENTS

  1. Reference to Master Agreement and Order of Precedence
  2. Definitions
  3. Scope of Processing
  4. Processor Obligations
  5. Controller Instructions
  6. Sub-processor Management
  7. Consumer Rights
  8. International Data Transfers
  9. Data Security Measures
  10. Data Breach Notification
  11. Data Protection Assessment Assistance
  12. Audit Rights
  13. Return and Deletion of Data
  14. Liability and Indemnification
  15. Texas-Specific Provisions
  16. General Provisions
  17. Signatures
  18. Annex I -- Processing Details
  19. Annex II -- Technical and Organizational Security Measures
  20. Annex III -- Approved Sub-processor List
  21. Annex IV -- Standard Contractual Clauses Reference

1. REFERENCE TO MASTER AGREEMENT AND ORDER OF PRECEDENCE

1.1 This DPA supplements the Master Agreement dated [__/__/____].

1.2 On data protection matters, this DPA prevails. Otherwise, the Master Agreement controls.

1.3 In effect through the Master Agreement term and while Processor retains Personal Data.


2. DEFINITIONS

2.1 "Applicable Data Protection Law" means all laws relating to data protection applicable to the processing, including the TDPSA, the Texas Identity Theft Act, GDPR (where applicable), CCPA/CPRA (where applicable), and other applicable laws.

2.2 "Consumer" means, under the TDPSA, an individual who is a Texas resident acting in an individual or household capacity, excluding commercial or employment contexts.

2.3 "Controller" means, under the TDPSA, a person that, alone or jointly with others, determines the purpose and means of processing Personal Data.

2.4 "Data Subject" means a Consumer or other identifiable natural person whose Personal Data is processed.

2.5 "Personal Data" means, under the TDPSA, information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and publicly available information. For breach notification purposes, this includes "Sensitive Personal Information" as defined in Tex. Bus. & Com. Code § 521.002(a)(2).

2.6 "Sensitive Data" means, under the TDPSA, Personal Data that includes: (a) racial or ethnic origin; (b) religious beliefs; (c) mental or physical health diagnosis; (d) sexual orientation; (e) citizenship or immigration status; (f) genetic or biometric data processed to identify an individual; (g) Personal Data of a known child; or (h) precise geolocation data.

2.7 "Sensitive Personal Information" means, under Tex. Bus. & Com. Code § 521.002(a)(2), an individual's name combined with: SSN, driver's license or government ID, financial account with access code, health information, or unique biometric data.

2.8 "Personal Data Breach" means unauthorized access to or acquisition of computerized data containing Sensitive Personal Information, or any breach of security of Personal Data under applicable law.

2.9 "Processing" means any operation performed on Personal Data.

2.10 "Processor" means, under the TDPSA, a person that processes Personal Data on behalf of a Controller.

2.11 "Sub-processor" means any third party engaged by Processor to process Personal Data.


3. SCOPE OF PROCESSING

3.1 Processing Details.

Subject Matter and Purpose: [________________________________]
Duration of Processing: Master Agreement term plus [____] days
Nature of Processing: [________________________________]
Categories of Data Subjects: [________________________________]
Types of Personal Data: [________________________________]
Sensitive Data (if applicable): [________________________________]

3.2 Categories of Data Subjects.

☐ Employees and contractors of Controller
☐ Customers and clients (including Texas Consumers)
☐ End users
☐ Job applicants
☐ Business contacts
☐ Minors (known children)
☐ Other: [________________________________]

3.3 Types of Personal Data.

☐ Name and contact information
☐ Government identifiers (SSN, driver's license)
☐ Financial information
☐ Employment information
☐ Device identifiers and IP addresses
☐ Precise geolocation data
☐ Browsing history and online activity
☐ Biometric data
☐ Health or medical information
☐ User credentials
☐ Other: [________________________________]

3.4 Sensitive Data. Processing of Sensitive Data requires Controller's consent pursuant to the TDPSA, with enhanced safeguards: AES-256 encryption, strict access controls, enhanced logging, and prior written authorization.


4. PROCESSOR OBLIGATIONS

4.1 Process only on documented instructions from Controller.

4.2 TDPSA Processor Obligations. Processor shall:

  • (a) Adhere to Controller's instructions regarding processing;
  • (b) Ensure each person processing data is subject to a duty of confidentiality;
  • (c) At Controller's direction, delete or return all Personal Data upon termination;
  • (d) Make available to Controller all information in its possession necessary to demonstrate compliance;
  • (e) Allow for and cooperate with reasonable assessments by Controller or Controller's designated assessor;
  • (f) Engage Sub-processors only with Controller's consent and with written agreements imposing equivalent obligations; and
  • (g) After providing an opportunity for Controller to object, engage Sub-processors under written contract requiring them to meet the Processor's obligations.

4.3 Maintain records of processing.

4.4 Not sell Personal Data. Not retain, use, or disclose Personal Data outside the Services scope.

4.5 Not combine Personal Data with other sources except as necessary.


5. CONTROLLER INSTRUCTIONS

5.1 Processing only on documented instructions. Processor notifies Controller of instructions infringing Applicable Data Protection Law.

5.2 Additional instructions consistent with the Master Agreement.


6. SUB-PROCESSOR MANAGEMENT

6.1 Controller provides [general / specific] authorization.

6.2 Current list in Annex III.

6.3 At least [____] days (30 recommended) prior notice for new Sub-processors, with details of name, location, services, and data types.

6.4 Controller objection rights. If unresolved in [____] days, Controller may terminate affected Services.

6.5 Written Sub-processor agreements with equivalent obligations per TDPSA requirements.

6.6 Processor fully liable for Sub-processors.


7. CONSUMER RIGHTS

7.1 TDPSA Consumer Rights. Processor shall assist Controller in responding to authenticated Consumer requests:

☐ Right to Confirm Processing (TDPSA § 541.101(1))
☐ Right to Access Personal Data (TDPSA § 541.101(1))
☐ Right to Correct Inaccuracies (TDPSA § 541.101(2))
☐ Right to Delete Personal Data (TDPSA § 541.101(3))
☐ Right to Data Portability (TDPSA § 541.101(4))
☐ Right to Opt Out of Targeted Advertising (TDPSA § 541.101(5)(A))
☐ Right to Opt Out of Sale of Personal Data (TDPSA § 541.101(5)(B))
☐ Right to Opt Out of Profiling (TDPSA § 541.101(5)(C))
☐ Right to Appeal (TDPSA § 541.104)
☐ Right to Non-Discrimination (TDPSA § 541.105)
☐ Right of Access (GDPR Art. 15, where applicable)
☐ Right to Erasure (GDPR Art. 17, where applicable)
☐ Right to Data Portability (GDPR Art. 20, where applicable)

7.2 Response Timeline. Controller must respond to Consumer requests without undue delay but no later than forty-five (45) days. One forty-five (45) day extension available when reasonably necessary, with notice to the Consumer. Processor shall assist within timeframes enabling Controller's compliance.

7.3 Free of charge up to twice annually per Consumer.

7.4 Direct requests: notify Controller; do not respond without authorization unless required by law.


8. INTERNATIONAL DATA TRANSFERS

8.1 Transfers outside the EEA/UK require appropriate safeguards where GDPR applies.

8.2 Standard Contractual Clauses.

☐ Module 2: Controller to Processor
☐ Module 3: Processor to Processor

Per Annex IV.

8.3 UK Transfers.

☐ UK Addendum to EU SCCs
☐ UK IDTA

8.4 Transfer Impact Assessments where required.


9. DATA SECURITY MEASURES

9.1 Texas Security Obligation. Pursuant to Tex. Bus. & Com. Code § 521.052(a), Processor shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any Sensitive Personal Information collected or maintained in the regular course of business.

9.2 Minimum Measures. As detailed in Annex II:

  • (a) Encryption in transit (TLS 1.2+) and at rest (AES-256);
  • (b) Multi-factor authentication for administrative access;
  • (c) Role-based access controls and least privilege;
  • (d) Network security (firewalls, IDS/IPS, segmentation);
  • (e) Vulnerability management and penetration testing;
  • (f) Security awareness training;
  • (g) Physical security controls;
  • (h) Business continuity and disaster recovery;
  • (i) Logging and monitoring (SIEM); and
  • (j) Documented incident response plan.

9.3 Updates permitted without materially diminishing security.


10. DATA BREACH NOTIFICATION

10.1 Notification to Controller. No later than [____] hours (48 recommended) after becoming aware.

10.2 Texas Breach Notification (Tex. Bus. & Com. Code § 521.053).

(a) Individual Notification. Disclosure to affected Texas residents as quickly as possible, but no later than sixty (60) days after determining the breach occurred.

(b) Attorney General Notification. If the breach involves at least 250 Texas residents, notice to the Texas Attorney General within sixty (60) days. Content: (i) detailed description; (ii) number affected; (iii) procedures taken and planned; (iv) services offered; and (v) contact information.

(c) Consumer Reporting Agencies. If more than ten thousand (10,000) individuals notified, notice to consumer reporting agencies of timing, distribution, and content.

(d) Form of Notice. Written, electronic (E-SIGN compliant), or substitute notice (if cost exceeds $250,000, class exceeds 500,000, or insufficient contact info).

(e) Law Enforcement Delay. At law enforcement request if notification would impede investigation.

(f) Penalties (Tex. Bus. & Com. Code § 521.151). AG enforcement. Civil penalties: $2,000 to $50,000 per violation. Failure to protect: up to $100/individual/day, capped at $250,000.

(g) Records Disposal (Tex. Bus. & Com. Code § 521.052(b)). Destroy records by shredding, erasing, or modifying to render unreadable.

10.3 Post-Incident Report. Written report within [____] business days (15 recommended).


11. DATA PROTECTION ASSESSMENT ASSISTANCE

11.1 Processor shall assist Controller with data protection assessments required under the TDPSA (Tex. Bus. & Com. Code § 541.160).

11.2 TDPSA Assessment Requirements. Controller must conduct assessments for processing that presents a heightened risk of harm, including: (a) targeted advertising; (b) sale of Personal Data; (c) profiling presenting reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury, intrusion on solitude, or other substantial injury; (d) processing Sensitive Data; and (e) processing Personal Data of known children. Processor shall cooperate.


12. AUDIT RIGHTS

12.1 Processor shall make information available and allow assessments (TDPSA § 541.057(2)(e)).

12.2 Up to [____] time(s) per year with [____] business days' notice.

12.3 Third-party reports (SOC 2, ISO 27001) may be accepted.

12.4 Costs per Party unless material non-compliance.

12.5 Cooperation with Texas Attorney General investigations.


13. RETURN AND DELETION OF DATA

13.1 At Controller's direction upon termination: return within [____] days (30 recommended) or deletion (TDPSA § 541.057(2)(c)).

13.2 Deletion per NIST SP 800-88 and Tex. Bus. & Com. Code § 521.052(b); backups within [____] days (90 recommended).

13.3 Written certification.

13.4 Legal retention exception with notice.


14. LIABILITY AND INDEMNIFICATION

14.1 Subject to Master Agreement limitations.

14.2 Processor indemnifies Controller against claims from Processor's breach, law violations, or data breaches caused by Processor.

14.3 Potential carve-outs: security/confidentiality breach, processing restrictions, regulatory penalties.


15. TEXAS-SPECIFIC PROVISIONS

15.1 TDPSA Compliance. Processor represents and warrants compliance with all applicable TDPSA requirements. This DPA satisfies the written contract requirement between Controller and Processor under the TDPSA by establishing processing instructions, confidentiality, deletion/return obligations, compliance demonstration, assessment cooperation, and Sub-processor flow-down.

15.2 TDPSA Applicability. The TDPSA applies to persons that: (a) conduct business in Texas or produce products/services consumed by Texas residents; (b) process or engage in the sale of Personal Data; and (c) are not a "small business" as defined by the U.S. Small Business Administration (except for sale of Sensitive Data without consent). The Parties shall indicate:

☐ Controller is subject to the TDPSA
☐ Controller is a "small business" (TDPSA obligations limited to Sensitive Data sale restrictions)

15.3 TDPSA Exemptions. The TDPSA does not apply to: (a) state agencies or political subdivisions; (b) financial institutions subject to Gramm-Leach-Bliley Act; (c) covered entities/business associates under HIPAA; (d) nonprofit organizations; (e) institutions of higher education; or (f) electric utilities. The Parties shall confirm no exemption applies or identify applicable exemptions: [________________________________].

15.4 Consent for Sensitive Data. Under the TDPSA, Controller shall not process Sensitive Data without the Consumer's consent. Processor shall process Sensitive Data only upon Controller's documented instruction that appropriate consent has been obtained.

15.5 Universal Opt-Out Mechanism. Under the TDPSA, Controllers must recognize a universal opt-out mechanism by January 1, 2025. If Controller utilizes such a mechanism, Processor shall cooperate in implementing opt-out signals.

15.6 Cure Period. Before the Texas Attorney General may bring an enforcement action under the TDPSA, the AG must provide notice and allow a thirty (30) day cure period (Tex. Bus. & Com. Code § 541.154). Provider shall cooperate with any cure efforts.

15.7 No Private Right of Action. The TDPSA does not create a private right of action. Enforcement authority rests exclusively with the Texas Attorney General.

15.8 Governing Law. This DPA is governed by Texas law without conflict-of-laws principles.

15.9 Forum. Disputes in state or federal courts in [________________________________] County, Texas.

15.10 Jury Waiver. THE PARTIES WAIVE TRIAL BY JURY TO THE FULLEST EXTENT PERMITTED BY TEXAS LAW.


16. GENERAL PROVISIONS

16.1 Entire agreement with Master Agreement on data processing.

16.2 Amendments by written instrument.

16.3 Severability.

16.4 Survival of Sections 2, 10, 12, 13, 14, and 15.


17. SIGNATURES

CONTROLLER / CUSTOMER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

PROCESSOR / PROVIDER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]


ANNEX I -- PROCESSING DETAILS

Data Exporter (Controller): [________________________________]
Data Importer (Processor): [________________________________]
Categories of Data Subjects: [________________________________]
Categories of Personal Data: [________________________________]
Sensitive Data: [________________________________]
Frequency of Transfer: [________________________________]
Nature of Processing: [________________________________]
Purpose of Processing: [________________________________]
Retention Period: [________________________________]

ANNEX II -- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

A. Access Control

  • Multi-factor authentication: ☐ Yes ☐ No
  • Role-based access control: ☐ Yes ☐ No
  • Least-privilege: ☐ Yes ☐ No
  • Access reviews: ☐ Yes ☐ No (Frequency: [________________________________])

B. Encryption

  • In transit: [________________________________]
  • At rest: [________________________________]
  • Key management: ☐ KMS ☐ HSM ☐ Other: [________________________________]

C. Network Security

  • Firewall: ☐ Yes ☐ No
  • IDS/IPS: ☐ Yes ☐ No
  • Segmentation: ☐ Yes ☐ No
  • DDoS protection: ☐ Yes ☐ No

D. Vulnerability Management

  • Scanning frequency: [________________________________]
  • Penetration testing: [________________________________]
  • Patch management: ☐ Yes ☐ No

E. Logging and Monitoring

  • SIEM: ☐ Yes ☐ No
  • Retention: [________________________________]
  • 24/7 monitoring: ☐ Yes ☐ No

F. Physical Security

  • Access: ☐ Badge ☐ Biometric ☐ Both
  • Video: ☐ Yes ☐ No
  • Environmental controls: ☐ Yes ☐ No

G. Business Continuity

  • RPO: [________________________________] | RTO: [________________________________]
  • Backup encryption: ☐ Yes ☐ No
  • DR testing: [________________________________]

H. Personnel

  • Background checks: ☐ Yes ☐ No
  • Confidentiality: ☐ Yes ☐ No
  • Training: [________________________________]

ANNEX III -- APPROVED SUB-PROCESSOR LIST

Name | Location | Services | Data Types | Approved
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]

ANNEX IV -- STANDARD CONTRACTUAL CLAUSES REFERENCE

SCC Module: ☐ Module 2 ☐ Module 3

UK Transfer: ☐ UK Addendum ☐ UK IDTA

Completed SCCs attached separately.


IMPLEMENTATION CHECKLIST

☐ Master Agreement referenced
☐ TDPSA applicability confirmed (Section 15.2)
☐ TDPSA exemptions reviewed (Section 15.3)
☐ Processing details completed (Annex I)
☐ Data types and categories selected
☐ Consumer rights identified (Section 7.1)
☐ Sub-processor list completed (Annex III)
☐ Security measures documented (Annex II)
☐ Texas 60-day breach notification deadline reviewed (Section 10.2(a))
☐ Texas AG notification reviewed (Section 10.2(b))
☐ Civil penalties reviewed (Section 10.2(f))
☐ TDPSA processor obligations confirmed (Section 4.2)
☐ Sensitive Data consent confirmed (Section 15.4)
☐ Universal opt-out reviewed (Section 15.5)
☐ Data return/deletion timelines agreed (Section 13)
☐ All bracketed fields completed
☐ Reviewed by attorney licensed in Texas
☐ Signed by authorized representatives


SOURCES AND REFERENCES

  • Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code Ch. 541 -- https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/texas-data-privacy-and-security-act
  • Texas Identity Theft Act, Tex. Bus. & Com. Code § 521.001 et seq. -- https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm
  • Texas Attorney General Consumer Privacy -- https://www.texasattorneygeneral.gov/consumer-protection
  • GDPR Article 28 -- https://gdpr-info.eu/art-28-gdpr/
  • EU SCCs (Decision 2021/914) -- https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
  • NIST SP 800-88 -- https://csrc.nist.gov/pubs/sp/800/88/r1/final

About This Template

A contract is a written record of what two or more parties agreed to and what happens if someone does not follow through. Clear language, defined terms, and clean signature blocks keep disputes small and enforceable. The most common mistakes in contracts come from vague promises, missing details about timing or payment, and skipping standard protective clauses like governing law and dispute resolution.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: April 2026