
DATA PROCESSING ADDENDUM (SHORT FORM)

UNIVERSAL MULTI-STATE DATA PROCESSING ADDENDUM

DPA Effective Date: [__/__/____]

Master Agreement Reference: [________________________________] ("Master Agreement")


CONTROLLER / BUSINESS:

Legal Name: [________________________________]
Address: [________________________________]
Contact Person: [________________________________]
Email: [________________________________]
Phone: [________________________________]

("Controller")

PROCESSOR / SERVICE PROVIDER:

Legal Name: [________________________________]
Address: [________________________________]
Contact Person: [________________________________]
Email: [________________________________]
Phone: [________________________________]

("Processor")

Controller and Processor are each a "Party" and collectively the "Parties."


TABLE OF CONTENTS

  1. Definitions
  2. Scope and Purpose of Processing
  3. Roles of the Parties
  4. Processor Obligations
  5. Processing Instructions
  6. Confidentiality
  7. Security Measures
  8. Sub-Processor Management
  9. Data Subject / Consumer Rights Assistance
  10. Data Breach Notification
  11. Data Protection Impact Assessments
  12. Record-Keeping
  13. Audit Rights
  14. Cross-Border Data Transfers
  15. Data Return and Deletion
  16. CCPA/CPRA-Specific Provisions (California)
  17. CPA-Specific Provisions (Colorado)
  18. CTDPA-Specific Provisions (Connecticut)
  19. VCDPA-Specific Provisions (Virginia)
  20. TDPSA-Specific Provisions (Texas)
  21. FDBR/FIPA-Specific Provisions (Florida)
  22. Additional State Law Provisions
  23. Term and Termination
  24. Liability and Indemnification
  25. General Provisions
  26. Signatures
  27. Annex A — Data Processing Description
  28. Annex B — Technical and Organizational Security Measures
  29. Annex C — Approved Sub-Processor List

1. DEFINITIONS

For purposes of this Data Processing Addendum ("DPA"), the following definitions apply. Where a term is defined differently under different state privacy laws, the broadest applicable definition shall apply unless context requires otherwise.

1.1 "Applicable Privacy Laws" means all federal, state, and local laws, regulations, and regulatory guidance relating to the Processing of Personal Data applicable to the Parties, including but not limited to the CCPA/CPRA, CPA, CTDPA, VCDPA, TDPSA, FDBR, UCPA, OCPA, and any other comprehensive state privacy laws enacted and in effect as of the date of Processing.

1.2 "Controller" (also referred to as "Business" under CCPA/CPRA) means the natural or legal person that, alone or jointly with others, determines the purposes and means of Processing Personal Data.

1.3 "Processor" (also referred to as "Service Provider" or "Contractor" under CCPA/CPRA) means a natural or legal person that Processes Personal Data on behalf of the Controller.

1.4 "Personal Data" (also referred to as "Personal Information" under CCPA/CPRA) means any information that is linked or reasonably linkable to an identified or identifiable natural person, or as otherwise defined under Applicable Privacy Laws.

1.5 "Processing" means any operation or set of operations performed on Personal Data, including but not limited to the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction of Personal Data.

1.6 "Data Subject" (also referred to as "Consumer" under most U.S. state privacy laws) means the identified or identifiable natural person to whom the Personal Data relates.

1.7 "Sub-Processor" (also referred to as "Sub-Contractor") means any third party engaged by the Processor to carry out specific Processing activities on behalf of the Controller.

1.8 "Sensitive Data" (also referred to as "Sensitive Personal Information" under CCPA/CPRA) means Personal Data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic data, biometric data processed for identification, precise geolocation data, data from known children, or other categories classified as sensitive under Applicable Privacy Laws.

1.9 "Data Breach" (also referred to as "Security Incident" or "Breach of the Security of the System") means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

1.10 "Supervisory Authority" means any government authority responsible for enforcing Applicable Privacy Laws, including but not limited to state Attorneys General, the California Privacy Protection Agency (CPPA), and other regulatory agencies.

1.11 "DPIA" means a Data Protection Impact Assessment or Data Protection Assessment as required under Applicable Privacy Laws.


2. SCOPE AND PURPOSE OF PROCESSING

2.1 This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the services provided under the Master Agreement.

2.2 The subject matter, nature, purpose, duration, and categories of Personal Data and Data Subjects are described in Annex A to this DPA.

2.3 The Processor shall Process Personal Data only for the specific business purposes set forth in Annex A and the Master Agreement, and for no other purpose.

2.4 This DPA is incorporated into and forms part of the Master Agreement. In the event of any conflict between this DPA and the Master Agreement with respect to data protection obligations, this DPA shall prevail.


3. ROLES OF THE PARTIES

3.1 The Controller determines the purposes and means of Processing Personal Data. The Processor Processes Personal Data solely on behalf of and under the documented instructions of the Controller.

3.2 Under the CCPA/CPRA, the Controller is a "Business" and the Processor is a:

☐ "Service Provider" (Cal. Civ. Code § 1798.140(ag))

☐ "Contractor" (Cal. Civ. Code § 1798.140(j))

3.3 Each Party shall comply with its respective obligations under Applicable Privacy Laws applicable to its role.


4. PROCESSOR OBLIGATIONS

The Processor shall:

4.1 Process Personal Data only in accordance with the Controller's documented instructions and this DPA, unless required to do so by Applicable Privacy Laws, in which case the Processor shall inform the Controller of that legal requirement before Processing (unless prohibited by law from doing so).

4.2 Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes Applicable Privacy Laws.

4.3 Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.4 Implement and maintain appropriate technical and organizational security measures as described in Annex B and Section 7 of this DPA.

4.5 Comply with the conditions for engaging Sub-Processors as set forth in Section 8.

4.6 Assist the Controller, taking into account the nature of the Processing, in responding to requests from Data Subjects exercising their rights under Applicable Privacy Laws, as set forth in Section 9.

4.7 Assist the Controller in ensuring compliance with its obligations regarding security of Processing, notification of Data Breaches, DPIAs, and prior consultation with Supervisory Authorities, taking into account the nature of Processing and the information available to the Processor.

4.8 At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies unless retention is required by Applicable Privacy Laws.

4.9 Make available to the Controller all information necessary to demonstrate compliance with this DPA and Applicable Privacy Laws, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, as set forth in Section 13.

4.10 Notify the Controller without undue delay if the Processor determines that it can no longer meet its obligations under Applicable Privacy Laws.


5. PROCESSING INSTRUCTIONS

5.1 The Processor shall Process Personal Data only in accordance with the Controller's documented instructions, which are set forth in:

☐ This DPA (including Annex A)

☐ The Master Agreement

☐ Written instructions provided by the Controller from time to time

5.2 The Processor shall not:

(a) Sell or share Personal Data (as defined under the CCPA/CPRA or any other Applicable Privacy Law);

(b) Retain, use, or disclose Personal Data for any purpose other than the specific business purposes set forth in this DPA and the Master Agreement;

(c) Retain, use, or disclose Personal Data outside of the direct business relationship between the Processor and the Controller;

(d) Combine Personal Data received from or on behalf of the Controller with Personal Data received from another person or collected from the Processor's own interaction with the Data Subject, except as expressly permitted by Applicable Privacy Laws;

(e) Process Personal Data for the purpose of targeted advertising, profiling, or any commercial purpose other than the business purposes specified herein.


6. CONFIDENTIALITY

6.1 The Processor shall ensure that all personnel who have access to or Process Personal Data:

(a) Are informed of the confidential nature of the Personal Data;

(b) Have undertaken written obligations of confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) Have received appropriate training on data protection and privacy requirements;

(d) Process Personal Data only as required to perform their duties.

6.2 The Processor shall limit access to Personal Data to those personnel who require access to perform the services under the Master Agreement.


7. SECURITY MEASURES

7.1 Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, the Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:

(a) Encryption — Encryption of Personal Data in transit (TLS 1.2 or higher, with earlier protocol versions disabled) and at rest (AES-256 or equivalent), with encryption keys managed and access-controlled separately from the encrypted data

(b) Access Controls — Role-based access control; principle of least privilege; multi-factor authentication for access to systems containing Personal Data

(c) Network Security — Firewalls, intrusion detection and prevention systems, network segmentation, VPN for remote access

(d) Vulnerability Management — Regular vulnerability scanning; annual (or more frequent) penetration testing; timely application of security patches

(e) Logging and Monitoring — Security event logging; real-time monitoring and alerting; log retention for a minimum of [____] months

(f) Data Loss Prevention — Tools and processes to prevent unauthorized exfiltration of Personal Data

(g) Business Continuity and Disaster Recovery — Documented BCP/DR plans; regular testing; backup procedures with encryption

(h) Physical Security — Physical access controls to data centers and processing facilities; visitor management; environmental controls

(i) Employee Security — Background checks for personnel with access to Personal Data; regular security awareness training; disciplinary procedures for security violations

(j) Incident Response — Documented incident response plan; designated incident response team; regular tabletop exercises

(k) Secure Development — Secure software development lifecycle (SDLC) practices; code reviews; security testing

(l) Data Minimization — Collection and retention of only Personal Data necessary for the specified purposes

(m) Deidentification and Pseudonymization — Where feasible, use of pseudonymization and deidentification techniques

7.2 The detailed security measures are set forth in Annex B to this DPA.

7.3 The Processor shall regularly test, assess, and evaluate the effectiveness of its security measures and shall update them as necessary to address new threats and vulnerabilities.


8. SUB-PROCESSOR MANAGEMENT

8.1 Prior Authorization. The Processor shall not engage any Sub-Processor to carry out Processing activities on behalf of the Controller without:

Option A — Prior Specific Written Authorization: The Controller's prior specific written consent for each Sub-Processor

Option B — General Authorization with Objection Right: The Controller's general written authorization, subject to the following objection process:

(a) The Processor shall maintain a current list of Sub-Processors (see Annex C) and shall provide the Controller with prior written notice of at least [____] days (minimum thirty (30) days recommended) before engaging a new Sub-Processor or replacing an existing Sub-Processor;

(b) The Controller may object to the engagement of a new Sub-Processor by providing written notice to the Processor within [____] days of receiving the Processor's notice;

(c) If the Controller objects, the Parties shall discuss the objection in good faith. If the Parties cannot resolve the objection within [____] days, the Controller may terminate this DPA and the affected portion of the Master Agreement without penalty.

8.2 Flow-Down Obligations. The Processor shall:

(a) Impose on each Sub-Processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA;

(b) Ensure that each Sub-Processor provides sufficient guarantees to implement appropriate technical and organizational measures;

(c) Remain fully liable to the Controller for the performance of each Sub-Processor's obligations.

8.3 Current Sub-Processors. The current list of approved Sub-Processors is set forth in Annex C.


9. DATA SUBJECT / CONSUMER RIGHTS ASSISTANCE

9.1 The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under Applicable Privacy Laws, including but not limited to:

(a) Right to Know / Confirm / Access — Assisting the Controller in responding to requests to confirm whether Personal Data is being Processed and to provide access to such data;

(b) Right to Delete — Assisting the Controller in responding to deletion requests by deleting Personal Data upon Controller's instruction, and directing Sub-Processors to do the same;

(c) Right to Correct — Assisting the Controller in correcting inaccurate Personal Data upon Controller's instruction;

(d) Right to Data Portability — Providing Personal Data in a structured, commonly used, and machine-readable format upon Controller's request;

(e) Right to Opt Out of Sale/Sharing/Targeted Advertising — Implementing and honoring opt-out instructions transmitted by the Controller;

(f) Right to Limit Use of Sensitive Personal Information (California) — Implementing instructions to limit the use and disclosure of Sensitive Personal Information;

(g) Right to Appeal — Providing information necessary for the Controller to respond to consumer appeals.

9.2 The Processor shall promptly notify the Controller if it receives a request from a Data Subject directly regarding Personal Data Processed under this DPA and shall not respond to such request without the Controller's prior written authorization, unless required by Applicable Privacy Laws.

9.3 The Processor shall provide reasonable assistance free of charge; however, if requests are excessive, repetitive, or manifestly unfounded, the Processor may charge a reasonable fee based on administrative costs.


10. DATA BREACH NOTIFICATION

10.1 The Processor shall notify the Controller of any confirmed or reasonably suspected Data Breach without undue delay and in no event later than:

☐ [____] hours (recommended: 24-48 hours) after the Processor becomes aware of the Data Breach

10.2 The notification shall include, to the extent reasonably available:

(a) A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(b) The name and contact details of the Processor's data protection officer or other contact point;

(c) A description of the likely consequences of the Data Breach;

(d) A description of the measures taken or proposed to be taken by the Processor to address the Data Breach, including measures to mitigate its possible adverse effects;

(e) The date and time of discovery of the Data Breach;

(f) Whether the Personal Data was encrypted or otherwise rendered unusable at the time of the breach, and whether the encryption key or other means of access was also compromised.

10.3 The Processor shall:

(a) Cooperate with the Controller and take commercially reasonable steps to assist in the investigation, containment, mitigation, and remediation of the Data Breach;

(b) Preserve evidence related to the Data Breach and not alter, destroy, or conceal any evidence;

(c) Assist the Controller in complying with its notification obligations to Data Subjects, Supervisory Authorities, and consumer reporting agencies under Applicable Privacy Laws, including:

  • California: notification without unreasonable delay (Cal. Civ. Code § 1798.82)
  • Colorado: notification within 30 days (C.R.S. § 6-1-716)
  • Connecticut: notification within 60 days (Conn. Gen. Stat. § 36a-701b)
  • Virginia: notification without unreasonable delay (Va. Code § 18.2-186.6)
  • Texas: notification to affected individuals as quickly as possible and no later than 60 days after determination of the breach; AG no later than 30 days if 250+ residents (Tex. Bus. & Com. Code § 521.053)
  • Florida: notification within 30 days (Fla. Stat. § 501.171)

(d) Not make any public statement regarding the Data Breach without the Controller's prior written consent, unless required by law.


11. DATA PROTECTION IMPACT ASSESSMENTS

11.1 The Processor shall provide reasonable assistance to the Controller in conducting DPIAs where required by Applicable Privacy Laws, including:

(a) Colorado CPA (C.R.S. § 6-1-1309)

(b) Connecticut CTDPA (Conn. Gen. Stat. § 42-524)

(c) Virginia VCDPA (Va. Code § 59.1-580)

(d) Texas TDPSA (Tex. Bus. & Com. Code § 541.107)

(e) Florida FDBR (Fla. Stat. § 501.712)

(f) California CPRA (CPPA rulemaking on risk assessments / cybersecurity audits)

11.2 Assistance shall include providing information reasonably necessary for the Controller to conduct the DPIA, including information about the Processor's Processing activities, security measures, and risk mitigation practices.

11.3 The Processor shall cooperate with any Supervisory Authority in connection with DPIAs or risk assessments to the extent required by Applicable Privacy Laws.


12. RECORD-KEEPING

12.1 The Processor shall maintain records of Processing activities carried out on behalf of the Controller, including:

(a) The name and contact details of the Processor and each Controller on whose behalf the Processor acts;

(b) The categories of Processing carried out on behalf of the Controller;

(c) Where applicable, transfers of Personal Data to a third country, including identification of the third country and documentation of appropriate safeguards;

(d) A general description of the technical and organizational security measures.

12.2 The Processor shall make such records available to the Controller and any Supervisory Authority upon request.


13. AUDIT RIGHTS

13.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Applicable Privacy Laws.

13.2 The Controller shall have the right to conduct audits of the Processor's compliance with this DPA, including:

Option A — Direct Audit: The Controller or its authorized third-party auditor may conduct on-site or remote audits of the Processor's facilities, systems, and records, upon reasonable prior written notice (minimum [____] business days), during normal business hours, no more than [____] time(s) per twelve (12) month period.

Option B — Third-Party Audit Report: The Processor shall, at least annually, engage a qualified independent third-party auditor to perform an audit of its controls and security measures (e.g., SOC 2 Type II report, ISO 27001 certification) whose scope covers the systems and services used to Process Personal Data under this DPA, and shall provide the resulting report or certification to the Controller upon request. The Controller may conduct additional direct audits only if the third-party audit report reveals material deficiencies or if there has been a Data Breach.

Option C — Combination: Both options apply.

13.3 The Processor shall cooperate fully with any audit and shall provide reasonable access to relevant facilities, systems, personnel, and records.

13.4 Audit costs shall be borne by:

☐ The Controller

☐ The Processor (if the audit reveals material non-compliance)

☐ Shared as follows: [________________________________]

13.5 The Processor shall promptly remediate any deficiencies identified during an audit within a reasonable timeframe agreed upon by the Parties.


14. CROSS-BORDER DATA TRANSFERS

14.1 The Processor shall not transfer Personal Data outside the jurisdiction from which it was collected unless:

(a) The Controller has provided prior written authorization; and

(b) Appropriate safeguards are in place, which may include:

☐ Standard Contractual Clauses (SCCs) approved by the European Commission (where EU/EEA data is involved)

☐ Data Privacy Framework certification

☐ Binding Corporate Rules

☐ Contractual safeguards substantially equivalent to the protections required by Applicable Privacy Laws

☐ Other lawful transfer mechanisms: [________________________________]

14.2 The Processor shall promptly inform the Controller of any legal requirement it becomes aware of that may affect its ability to comply with cross-border transfer restrictions.


15. DATA RETURN AND DELETION

15.1 Upon expiration or termination of the Master Agreement, or upon the Controller's earlier written request, the Processor shall, at the Controller's election:

☐ Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format; and/or

☐ Securely delete all Personal Data in the Processor's possession or control, including all copies, backups, and archives, using methods that render the data permanently unrecoverable (e.g., the media sanitization methods in NIST SP 800-88, including cryptographic erasure by destruction of the encryption keys where the data is encrypted at rest)

15.2 The Processor shall complete the return or deletion within [____] days following the Controller's instruction or termination of the Master Agreement.

15.3 The Processor shall certify in writing to the Controller that all Personal Data has been returned or securely deleted, as applicable.

15.4 Notwithstanding the foregoing, the Processor may retain Personal Data to the extent required by Applicable Privacy Laws, provided that the Processor:

(a) Shall continue to comply with this DPA with respect to such retained data;

(b) Shall Process such data only for the purpose required by law;

(c) Shall securely delete such data promptly upon the expiration of the legal retention requirement.


16. CCPA/CPRA-SPECIFIC PROVISIONS (CALIFORNIA)

To the extent the CCPA/CPRA (Cal. Civ. Code § 1798.100 et seq.) applies to the Processing:

16.1 The Processor is acting as a:

☐ Service Provider (§ 1798.140(ag))

☐ Contractor (§ 1798.140(j))

16.2 The Processor certifies that it understands and will comply with the restrictions and obligations set forth in this DPA and the CCPA/CPRA, and shall not:

(a) Sell or share Personal Information;

(b) Retain, use, or disclose Personal Information for any purpose other than the business purposes specified in this DPA and the Master Agreement, including retaining, using, or disclosing Personal Information for a commercial purpose other than providing the services specified in the Master Agreement;

(c) Retain, use, or disclose Personal Information outside of the direct business relationship between the Processor and the Controller;

(d) Combine Personal Information received from the Controller with Personal Information received from or on behalf of another person, or collected from the Processor's own interaction with the consumer, unless expressly permitted under § 1798.140(e)(6).

16.3 The Controller shall have the right to take reasonable and appropriate steps to help ensure that the Processor uses Personal Information in a manner consistent with the Controller's obligations under the CCPA/CPRA (§ 1798.100(d)(3)).

16.4 The Processor shall notify the Controller if it determines that it can no longer meet its obligations under the CCPA/CPRA (§ 1798.100(d)(4)).

16.5 The Processor grants the Controller the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information (§ 1798.100(d)(5)).


17. CPA-SPECIFIC PROVISIONS (COLORADO)

To the extent the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) applies:

17.1 The Processor shall comply with C.R.S. § 6-1-1305, including:

(a) Processing Personal Data in accordance with the Controller's instructions;

(b) Ensuring confidentiality of Personal Data;

(c) Deleting or returning Personal Data at the Controller's direction;

(d) Making information available for compliance demonstrations;

(e) Allowing and cooperating with reasonable assessments;

(f) Engaging Sub-Processors only with the Controller's authorization and pursuant to written contracts meeting CPA requirements.

17.2 The Processor shall provide information reasonably necessary for the Controller to conduct DPIAs required under C.R.S. § 6-1-1309.


18. CTDPA-SPECIFIC PROVISIONS (CONNECTICUT)

To the extent the Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.) applies:

18.1 The Processor shall comply with Conn. Gen. Stat. § 42-524, including all obligations comparable to those set forth in Section 17 for Colorado.

18.2 The Processor acknowledges the 2025 amendments (SB 1295, effective July 1, 2026), including the categorical prohibition on processing minors' personal data for targeted advertising or sale.


19. VCDPA-SPECIFIC PROVISIONS (VIRGINIA)

To the extent the Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.) applies:

19.1 The Processor shall comply with Va. Code § 59.1-579, including:

(a) Processing Personal Data in accordance with the Controller's instructions;

(b) Ensuring confidentiality;

(c) Deletion or return of Personal Data;

(d) Compliance demonstrations and audit cooperation;

(e) Sub-Processor engagement only pursuant to written contracts meeting VCDPA requirements.

19.2 The Processor shall provide information necessary for the Controller to conduct DPIAs under Va. Code § 59.1-580.


20. TDPSA-SPECIFIC PROVISIONS (TEXAS)

To the extent the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541) applies:

20.1 The Processor shall comply with Tex. Bus. & Com. Code § 541.151, including:

(a) Processing Personal Data solely pursuant to the Controller's documented instructions;

(b) Ensuring confidentiality;

(c) Deletion or return of Personal Data at the Controller's direction;

(d) Compliance demonstrations;

(e) Allowing and cooperating with reasonable assessments;

(f) Sub-Processor engagement pursuant to written contracts with equivalent obligations.

20.2 The Processor shall cooperate with the Controller in recognizing and honoring universal opt-out mechanisms effective January 1, 2025 (§ 541.055(e)).

20.3 The Processor acknowledges that data protection assessments may be made available to the Texas Attorney General upon request (§ 541.107(d)).


21. FDBR/FIPA-SPECIFIC PROVISIONS (FLORIDA)

To the extent the Florida Digital Bill of Rights (Fla. Stat. §§ 501.701–501.722) and/or the Florida Information Protection Act (Fla. Stat. § 501.171) apply:

21.1 The Processor shall comply with Fla. Stat. § 501.711, including all processor duties under the FDBR.

21.2 Under FIPA (Fla. Stat. § 501.171), the Processor shall:

(a) Take reasonable measures to protect and secure Personal Data in electronic form;

(b) Notify the Controller of any Data Breach as expeditiously as practicable and no later than ten (10) days following determination of the breach (Fla. Stat. § 501.171(6));

(c) Cooperate with the Controller in meeting FIPA's 30-day notification deadline to affected individuals.


22. ADDITIONAL STATE LAW PROVISIONS

22.1 The Processor shall comply with all additional state privacy laws applicable to the Processing, including but not limited to:

  • Utah Consumer Privacy Act (UCPA), Utah Code § 13-61-302
  • Oregon Consumer Privacy Act (OCPA), Or. Rev. Stat. § 646A.582
  • Montana Consumer Data Privacy Act (MCDPA), Mont. Code Ann. § 30-14-2813
  • Iowa Consumer Data Protection Act, Iowa Code ch. 715D
  • Indiana Consumer Data Protection Act, Ind. Code art. 24-15
  • Tennessee Information Protection Act (TIPA), Tenn. Code Ann. § 47-18-3212
  • Delaware Personal Data Privacy Act, Del. Code tit. 6, Ch. 12D
  • New Jersey Data Privacy Act, N.J. Stat. § 56:8-166 et seq.
  • Nebraska Data Privacy Act, Neb. Rev. Stat. § 87-1101 et seq.
  • Maryland Online Data Privacy Act, Md. Code Com. Law § 14-4601 et seq.
  • Minnesota Consumer Data Privacy Act, Minn. Stat. § 325O.01 et seq.

22.2 As new state privacy laws take effect, the Processor shall cooperate with the Controller to implement any additional requirements.


23. TERM AND TERMINATION

23.1 This DPA shall become effective on the DPA Effective Date and shall remain in effect for the duration of the Master Agreement.

23.2 This DPA shall automatically terminate upon expiration or termination of the Master Agreement, subject to the Processor's continuing obligations regarding data return/deletion (Section 15) and any provisions that by their nature survive termination.

23.3 Either Party may terminate this DPA immediately upon written notice if:

(a) The other Party commits a material breach of this DPA and fails to cure such breach within [____] days of receiving written notice;

(b) The Processor notifies the Controller that it can no longer meet its obligations under Applicable Privacy Laws;

(c) A Supervisory Authority orders the cessation of Processing.

23.4 Sections 6 (Confidentiality), 7 (Security), 10 (Data Breach Notification), 15 (Data Return/Deletion), 24 (Liability), and 25 (General Provisions) shall survive termination.


24. LIABILITY AND INDEMNIFICATION

24.1 Liability Cap. Unless otherwise expressly agreed in the Master Agreement or this DPA:

Option A: Liability under this DPA is subject to the limitation of liability provisions of the Master Agreement.

Option B: The aggregate liability of each Party under this DPA shall not exceed $[________________________________] (or [____] times the annual fees paid under the Master Agreement).

Option C: There shall be no cap on liability for Data Breaches caused by the Processor's willful misconduct, gross negligence, or material breach of this DPA.

24.2 Indemnification. The Processor shall indemnify, defend, and hold harmless the Controller and its officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or related to:

(a) The Processor's breach of this DPA;

(b) The Processor's violation of Applicable Privacy Laws;

(c) Any Data Breach caused by the Processor's failure to implement and maintain appropriate security measures;

(d) Any claim by a Data Subject or Supervisory Authority arising from the Processor's Processing of Personal Data in violation of this DPA or Applicable Privacy Laws.

24.3 The Controller shall indemnify, defend, and hold harmless the Processor from and against claims arising from the Controller's breach of this DPA or its obligations under Applicable Privacy Laws, except to the extent such claims arise from the Processor's own breach or negligence.


25. GENERAL PROVISIONS

25.1 Governing Law. This DPA shall be governed by and construed in accordance with the laws of [________________________________], without regard to its conflict of laws principles.

25.2 Entire Agreement. This DPA, together with the Master Agreement and its annexes, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, and representations.

25.3 Amendments. This DPA may be amended only by a written instrument signed by both Parties.

25.4 Severability. If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.

25.5 Notices. All notices under this DPA shall be in writing and delivered to the contact information set forth above.

25.6 Order of Precedence. In the event of a conflict between this DPA, the Master Agreement, and any Applicable Privacy Law, the order of precedence shall be: (1) Applicable Privacy Laws; (2) this DPA; (3) the Master Agreement.

25.7 No Third-Party Beneficiaries. This DPA is for the benefit of the Parties and their permitted successors and assigns only and does not confer any rights on third parties, except to the extent that Data Subjects may enforce their rights under Applicable Privacy Laws.


26. SIGNATURES

IN WITNESS WHEREOF, the Parties have executed this Data Processing Addendum as of the DPA Effective Date.

CONTROLLER / BUSINESS:

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]

PROCESSOR / SERVICE PROVIDER:

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]

27. ANNEX A — DATA PROCESSING DESCRIPTION

Field                                   Description
--------------------------------------  --------------------------------------
Subject Matter of Processing:           [________________________________]
Duration of Processing:                 [________________________________]
Nature and Purpose of Processing:       [________________________________]
Types of Personal Data:                 [________________________________]
Categories of Data Subjects:            [________________________________]
Sensitive Data (if applicable):         [________________________________]
Frequency of Transfer:                  [________________________________]
Retention Period:                       [________________________________]

28. ANNEX B — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Measure Category               Description                                  Status
-----------------------------  -------------------------------------------  --------------
Encryption — Transit           TLS 1.2+ for all data in transit             ☐ Implemented
Encryption — At Rest           AES-256 or equivalent                        ☐ Implemented
Access Control                 Role-based access; least-privilege           ☐ Implemented
Multi-Factor Authentication    MFA for all access to PI systems             ☐ Implemented
Network Security               Firewalls, IDS/IPS, segmentation             ☐ Implemented
Vulnerability Management       Regular scanning; annual pen testing         ☐ Implemented
Logging and Monitoring         SIEM; log retention [____] months            ☐ Implemented
Data Loss Prevention           DLP tools and policies                       ☐ Implemented
BCP/DR                         Documented plans; regular testing            ☐ Implemented
Physical Security              Access controls; environmental controls      ☐ Implemented
Employee Security              Background checks; training; NDAs            ☐ Implemented
Incident Response              Documented plan; response team               ☐ Implemented
Secure Development             SDLC; code reviews; security testing         ☐ Implemented
Data Minimization              Collection limited to necessity              ☐ Implemented
Backup and Recovery            Encrypted backups; tested recovery           ☐ Implemented
Vendor Management              Third-party security assessments             ☐ Implemented
Other:                         [________________________________]           ☐ Implemented

29. ANNEX C — APPROVED SUB-PROCESSOR LIST

Sub-Processor Name                  Processing Activities               Location/Region                     Date Approved
----------------------------------  ----------------------------------  ----------------------------------  -------------
[________________________________]  [________________________________]  [________________________________]  [__/__/____]
[________________________________]  [________________________________]  [________________________________]  [__/__/____]
[________________________________]  [________________________________]  [________________________________]  [__/__/____]
[________________________________]  [________________________________]  [________________________________]  [__/__/____]
[________________________________]  [________________________________]  [________________________________]  [__/__/____]

This template is provided by ezel.ai for informational purposes only and does not constitute legal advice. Consult qualified legal counsel in each applicable jurisdiction before executing this DPA.
