DATA PROCESSING ADDENDUM (SHORT FORM)

1. ROLES AND SCOPE

Controller: [CUSTOMER]; Processor: [PROVIDER]. Purpose: [PURPOSE]. Categories of data/subjects: see Annex A.

2. PROCESSING INSTRUCTIONS

Processor will process personal data only per Controller’s documented instructions and this DPA.

3. CONFIDENTIALITY

Processor ensures personnel are bound by confidentiality regarding personal data.

4. SECURITY

Processor implements appropriate technical and organizational measures (Annex B). Breach notice to Controller without undue delay (target: [X] hours).

5. SUBPROCESSORS

Processor may engage subprocessors listed in Annex C; new subprocessors require [PRIOR APPROVAL / NOTICE + OBJECTION WINDOW].

6. DATA SUBJECT REQUESTS

Processor will assist Controller in responding to access, deletion, correction, and opt-out requests under applicable privacy laws.

7. RETURN/DELETION

On termination or Controller’s request, Processor will delete or return personal data (unless retention required by law).

8. AUDITS

Controller may review Processor’s compliance via reports, questionnaires, or on-site audits (on reasonable notice, during business hours).

9. CROSS-BORDER TRANSFERS

If data is transferred outside its origin jurisdiction, parties will implement required safeguards (e.g., SCCs/IDTA/Data Privacy Framework).

10. LIABILITY

Cap and exclusions follow the master agreement unless expressly modified here. Consider separate cap for data incidents: $[AMOUNT] or [X]x fees.

11. TERM

Effective as of [DATE]; coterminous with master agreement.

ANNEX A – Data/Processing Description
ANNEX B – Security Measures (encryption, access controls, logging, DR/BCP, vendor oversight)
ANNEX C – Subprocessor List (name, purpose, region)

[// GUIDANCE: Map to CPRA “service provider/contractor” terms and CO/CT/VA sensitive data requirements; add HIPAA/GLBA overlays if applicable.]