
DATA PROCESSING ADDENDUM (SHORT FORM) — CALIFORNIA

DPA Effective Date: [__/__/____]

Master Agreement Reference: [________________________________] ("Master Agreement")


BUSINESS (Controller):

Legal Name: [________________________________]
Address: [________________________________]
Contact Person: [________________________________]
Email: [________________________________]

("Business")

SERVICE PROVIDER / CONTRACTOR (Processor):

Legal Name: [________________________________]
Address: [________________________________]
Contact Person: [________________________________]
Email: [________________________________]

("Processor")

Processor Classification Under CCPA/CPRA:

Service Provider (Cal. Civ. Code § 1798.140(ag)) — a person that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer's personal information for a business purpose pursuant to a written contract

Contractor (Cal. Civ. Code § 1798.140(j)) — a person to whom the business makes available a consumer's personal information for a business purpose pursuant to a written contract


1. DEFINITIONS

1.1 "CCPA/CPRA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, codified at Cal. Civ. Code § 1798.100 et seq., and the implementing regulations at 11 CCR § 7000 et seq.

1.2 "Business" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers' personal information and meets the CCPA/CPRA applicability thresholds (§ 1798.140(d)).

1.3 "Service Provider" means a person that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer's personal information for a business purpose pursuant to a written contract (§ 1798.140(ag)).

1.4 "Contractor" means a person to whom the business makes available a consumer's personal information for a business purpose pursuant to a written contract (§ 1798.140(j)).

1.5 "Third Party" means a person who is not the business with whom the consumer intentionally interacts, a service provider, or a contractor (§ 1798.140(ai)).

1.6 "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (§ 1798.140(v)).

1.7 "Sensitive Personal Information" means personal information that reveals: (a) Social Security, driver's license, state ID, or passport number; (b) account log-in credentials with security code; (c) precise geolocation; (d) racial or ethnic origin; (e) religious or philosophical beliefs; (f) union membership; (g) contents of mail, email, text (where business is not intended recipient); (h) genetic data; (i) biometric data for identification; (j) health data; or (k) sex life or sexual orientation data (§ 1798.140(ae)).

1.8 "Business Purpose" means the use of personal information for the business's operational purposes or other notified purposes, provided that the use is reasonably necessary and proportionate for those purposes (§ 1798.140(e)).

1.9 "Sell" / "Selling" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer's personal information to a third party for monetary or other valuable consideration (§ 1798.140(ad)).

1.10 "Share" / "Sharing" means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer's personal information to a third party for cross-context behavioral advertising (§ 1798.140(ah)).

1.11 "Cross-Context Behavioral Advertising" means the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services (§ 1798.140(k)).

1.12 "Processing" means any operation performed on personal information.

1.13 "Sub-Processor" means any service provider, contractor, or other third party engaged by the Processor to carry out Processing activities on behalf of the Business.


2. SCOPE AND PURPOSE

2.1 This DPA applies to the Processing of Personal Information by the Processor on behalf of the Business in connection with the services provided under the Master Agreement.

2.2 The subject matter, nature, business purposes, duration, types of personal information, and categories of consumers are described in Annex A.

2.3 This DPA is incorporated into the Master Agreement. In case of conflict regarding privacy and data protection, this DPA prevails.


3. CCPA/CPRA SERVICE PROVIDER / CONTRACTOR OBLIGATIONS (Cal. Civ. Code § 1798.100(d))

The Processor certifies that it understands and will comply with the following restrictions and obligations under the CCPA/CPRA:

3.1 Prohibition on Selling or Sharing

The Processor shall not sell or share Personal Information received from, or on behalf of, the Business.

3.2 Use Limitations

The Processor shall not retain, use, or disclose Personal Information:

(a) For any purpose other than the specific business purpose(s) set forth in Annex A and the Master Agreement, including retaining, using, or disclosing Personal Information for a commercial purpose other than providing the services specified in the Master Agreement;

(b) Outside of the direct business relationship between the Processor and the Business;

(c) For the purpose of cross-context behavioral advertising.

3.3 Prohibition on Combining Personal Information

The Processor shall not combine Personal Information received from, or on behalf of, the Business with:

(a) Personal Information that it receives from, or on behalf of, another person or persons; or

(b) Personal Information collected from its own interaction with the consumer;

UNLESS expressly permitted to combine or update Personal Information under § 1798.140(e)(6) to:

☐ Perform services on behalf of the Business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the Business;

☐ Detect data security incidents or protect against fraudulent or illegal activity;

☐ Other permitted purpose: [________________________________]

3.4 Compliance Certification

The Processor certifies that it understands the restrictions in Sections 3.1–3.3 and will comply with them (§ 1798.100(d)(2)).

3.5 Right to Monitor Compliance

The Business has the right to take reasonable and appropriate steps to help ensure that the Processor uses Personal Information in a manner consistent with the Business's obligations under the CCPA/CPRA (§ 1798.100(d)(3)).

3.6 Notification of Inability to Comply

The Processor shall notify the Business if it determines that it can no longer meet its obligations under the CCPA/CPRA (§ 1798.100(d)(4)).

3.7 Right to Remediate

The Business has the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information (§ 1798.100(d)(5)).


4. CONSUMER RIGHTS ASSISTANCE

The Processor shall assist the Business in responding to consumer rights requests under the CCPA/CPRA:

4.1 Right to Know / Access (§§ 1798.100, 1798.110, 1798.115)

The Processor shall provide the Business with information necessary to respond to consumer requests to know categories and specific pieces of Personal Information collected, disclosed, sold, or shared.

4.2 Right to Delete (§ 1798.105)

Upon receiving notification from the Business that a consumer has submitted a verified deletion request:

(a) The Processor shall delete the consumer's Personal Information from its records;

(b) The Processor shall notify any Sub-Processors to delete the consumer's Personal Information;

(c) The Processor shall comply unless an exception under § 1798.105(d) applies, in which case the Processor shall notify the Business and identify the applicable exception.

4.3 Right to Correct (§ 1798.106)

The Processor shall correct inaccurate Personal Information upon the Business's instruction, using commercially reasonable efforts.

4.4 Right to Opt Out of Sale/Sharing (§ 1798.120)

The Processor shall implement the Business's instructions to opt consumers out of the sale or sharing of their Personal Information. Because the Processor is prohibited from selling or sharing Personal Information under this DPA (Section 3.1), this provision primarily applies to the Processor's obligation to cooperate with the Business's upstream opt-out processes.

4.5 Right to Limit Sensitive Personal Information Use (§ 1798.121)

If the Processor processes Sensitive Personal Information, it shall limit such processing to the purposes authorized under § 1798.121(a) upon the Business's instruction, including:

(a) Performing services reasonably expected by an average consumer;

(b) Detecting security incidents;

(c) Ensuring physical safety;

(d) Short-term, transient use;

(e) Performing services on behalf of the Business;

(f) Verifying quality or safety of products/services.

4.6 Right to Data Portability

The Processor shall provide Personal Information in a structured, commonly used, machine-readable format upon the Business's request to facilitate data portability.

4.7 Direct Consumer Requests

If the Processor receives a consumer rights request directly, the Processor shall:

(a) Promptly forward the request to the Business;

(b) Not respond to the request without the Business's prior written authorization, unless required by law.


5. CONFIDENTIALITY

5.1 All Processor personnel with access to Personal Information shall be bound by written confidentiality obligations.

5.2 Access limited on a need-to-know basis.

5.3 Regular training on CCPA/CPRA requirements and data security.


6. SECURITY MEASURES

The Processor shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information (Cal. Civ. Code § 1798.100(e)):

6.1 Technical Measures

☐ Encryption of Personal Information in transit (TLS 1.2+) and at rest (AES-256 or equivalent)

☐ Multi-factor authentication for systems containing Personal Information

☐ Firewalls, IDS/IPS, network segmentation

☐ Regular vulnerability scanning and annual penetration testing

☐ Automated patch management

☐ Role-based access controls; least-privilege principles

☐ Data loss prevention tools

☐ Security event logging and monitoring (log retention: [____] months)

6.2 Administrative Measures

☐ Written information security policy

☐ Designated security program coordinator(s)

☐ Regular employee security awareness training

☐ Background checks for personnel with access to PI

☐ Incident response plan and response team

☐ Risk assessments conducted at least annually

☐ Vendor risk management program

☐ Business continuity and disaster recovery plans

6.3 Physical Measures

☐ Physical access controls to data processing facilities

☐ Visitor management and logging

☐ Secure disposal of physical and electronic media (NIST SP 800-88)

☐ Environmental controls

6.4 Detailed security measures in Annex B.

6.5 The Processor acknowledges that a breach of security involving unencrypted and unredacted Personal Information may give rise to a private right of action under Cal. Civ. Code § 1798.150, with statutory damages of $100–$750 per consumer per incident.

6.6 The Processor shall participate in cybersecurity audits if and when required under CPPA rulemaking pursuant to § 1798.185(a)(15).


7. OPT-OUT PREFERENCE SIGNALS / GLOBAL PRIVACY CONTROL

7.1 The Processor shall cooperate with the Business in recognizing and honoring opt-out preference signals, including the Global Privacy Control (GPC), as valid consumer requests to opt out of the sale or sharing of Personal Information (Cal. Civ. Code § 1798.135(b); 11 CCR § 7025).

7.2 The Processor shall:

☐ Implement technical mechanisms to recognize and process GPC signals received from the Business's platforms

☐ Treat GPC signals as valid opt-out requests for the browser or device on which the signal is received

☐ Apply opt-out preferences to known consumers across browsers and devices where technically feasible

☐ Maintain records of opt-out requests and compliance


8. SUB-PROCESSOR MANAGEMENT

8.1 The Processor shall not engage any Sub-Processor without:

Option A: The Business's prior specific written consent for each Sub-Processor

Option B: The Business's general written authorization with [____] days' prior notice and [____] days' objection period

8.2 Each Sub-Processor shall be bound by a written contract that:

(a) Is consistent with the requirements of § 1798.100(d) — specifically, each Sub-Processor that is a service provider or contractor must be contractually prohibited from selling or sharing, retaining/using/disclosing for unauthorized purposes, and combining Personal Information in the same manner as the Processor;

(b) Requires the Sub-Processor to certify that it understands and will comply with CCPA/CPRA restrictions;

(c) Requires appropriate security measures;

(d) Requires breach notification;

(e) Permits the Business to take reasonable steps to ensure compliance and to stop and remediate unauthorized use.

8.3 The Processor remains fully liable for Sub-Processor performance.

8.4 Approved Sub-Processors listed in Annex C.


9. DATA BREACH NOTIFICATION

9.1 Notification to Business

The Processor shall notify the Business of any confirmed or reasonably suspected breach of security involving Personal Information without undue delay and in no event later than:

☐ [____] hours (recommended: 24-48 hours) after discovery

9.2 Content

(a) Description of the breach;

(b) Categories and approximate number of affected consumers;

(c) Types of Personal Information compromised;

(d) Contact details for the Processor's incident response lead;

(e) Likely consequences;

(f) Remediation measures;

(g) Encryption status of affected data.

9.3 Cooperation

The Processor shall:

(a) Cooperate in investigation, containment, and remediation;

(b) Preserve evidence;

(c) Assist the Business in complying with Cal. Civ. Code § 1798.82 (breach notification to affected California residents);

(d) Assist with notification to the California Attorney General (if 500+ residents affected);

(e) Not issue public statements without the Business's prior written consent.

9.4 Private Right of Action Exposure

The Parties acknowledge that Cal. Civ. Code § 1798.150 provides consumers with a private right of action for breaches involving nonencrypted and nonredacted Personal Information resulting from a business's failure to implement and maintain reasonable security procedures. The Processor's breach of its security obligations under this DPA may expose the Business to such claims.


10. RISK ASSESSMENTS AND CYBERSECURITY AUDITS (Cal. Civ. Code § 1798.185(a)(15))

10.1 The Processor shall provide reasonable assistance to the Business in conducting risk assessments and cybersecurity audits as may be required under CPPA rulemaking.

10.2 The Processor shall cooperate with any regulatory inquiries from the California Privacy Protection Agency (CPPA) or the California Attorney General.


11. AUDIT RIGHTS

11.1 The Business has the right to take reasonable and appropriate steps to ensure the Processor's compliance (§ 1798.100(d)(3)).

11.2 Audit options:

Option A: Direct on-site or remote audit upon [____] days' notice, no more than [____] time(s) per year

Option B: Annual third-party audit reports (SOC 2 Type II, ISO 27001), with additional direct audit rights if deficiency or breach

Option C: Combination

11.3 Full cooperation; access to facilities, systems, personnel, and records.

11.4 Prompt remediation within [____] business days.

11.5 Audit costs: ☐ Business ☐ Processor (if non-compliance) ☐ Shared: [________________________________]


12. DATA RETURN AND DELETION

12.1 Upon termination or Business's request:

☐ Return all Personal Information in structured, machine-readable format; and/or

☐ Securely delete all Personal Information (NIST SP 800-88 compliant)

12.2 Completion within [____] days.

12.3 Written certification.

12.4 Retention only as required by law, with continued DPA protections.


13. CROSS-BORDER DATA TRANSFERS

13.1 No transfer outside the United States without the Business's prior written authorization.

13.2 Appropriate safeguards for authorized transfers:

☐ Standard contractual clauses

☐ Data Privacy Framework certification

☐ Equivalent contractual protections

☐ Other: [________________________________]


14. RECORD-KEEPING

The Processor shall maintain records of Processing activities and make them available to the Business and regulators upon request.


15. TERM AND TERMINATION

15.1 Effective on the DPA Effective Date; coterminous with the Master Agreement.

15.2 Termination upon material breach not cured within [____] days.

15.3 Immediate termination if Processor can no longer meet CCPA/CPRA obligations (§ 1798.100(d)(4)).

15.4 Sections 5, 6, 9, 12, and 16 survive termination.


16. LIABILITY AND INDEMNIFICATION

16.1 Liability.

☐ Subject to Master Agreement limitation of liability

☐ Separate cap: $[________________________________] or [____]x annual fees

☐ No cap for willful misconduct, gross negligence, or material breach of CCPA/CPRA obligations

☐ No cap for claims arising under Cal. Civ. Code § 1798.150 (private right of action for data breaches)

16.2 The Processor shall indemnify the Business for:

(a) Claims arising from the Processor's breach of this DPA;

(b) Processor's violation of CCPA/CPRA obligations;

(c) Data Breaches caused by Processor's failure to maintain reasonable security;

(d) Penalties or fines imposed by CPPA or AG arising from Processor's non-compliance;

(e) Consumer claims under § 1798.150 to the extent attributable to Processor's security failures.

16.3 The Business shall indemnify the Processor for claims arising from the Business's breach, except where caused by Processor's fault.

16.4 The Parties acknowledge that the CPPA may impose administrative fines of up to $2,500 per violation or $7,500 per intentional violation or violation involving a minor (§ 1798.155(b)).


17. GENERAL PROVISIONS

17.1 Governing Law. Laws of the State of California.

17.2 Forum. State or federal courts in [________________________________] County, California.

17.3 Amendments. Written agreement signed by both Parties.

17.4 Severability. Invalid provisions do not affect the remainder.

17.5 Order of Precedence. (1) CCPA/CPRA and implementing regulations; (2) this DPA; (3) Master Agreement.


18. SIGNATURES

BUSINESS (Controller):

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]

SERVICE PROVIDER / CONTRACTOR (Processor):

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]

ANNEX A — DATA PROCESSING DESCRIPTION

Field Description
Subject Matter: [________________________________]
Duration: [________________________________]
Business Purpose(s): [________________________________]
Types of Personal Information: [________________________________]
Sensitive Personal Information (if any): [________________________________]
Categories of Consumers: [________________________________]
Frequency of Transfer: [________________________________]
Retention Period: [________________________________]

Permitted Business Purposes (check all that apply):

☐ Performing services (maintaining accounts, customer service, order processing, payment processing, financing, analytics, storage)

☐ Auditing (ad impressions, compliance)

☐ Short-term, transient use

☐ Security and integrity

☐ Debugging

☐ Internal research

☐ Quality/safety verification

☐ Other: [________________________________]


ANNEX B — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Measure | Description | Status
Encryption — Transit | TLS 1.2+ | ☐ Implemented
Encryption — At Rest | AES-256 or equivalent | ☐ Implemented
Access Control | Role-based; least-privilege | ☐ Implemented
MFA | For all access to PI systems | ☐ Implemented
Network Security | Firewalls, IDS/IPS, segmentation | ☐ Implemented
Vulnerability Management | Scanning; pen testing | ☐ Implemented
Logging/Monitoring | SIEM; log retention [____] months | ☐ Implemented
DLP | Data loss prevention | ☐ Implemented
BCP/DR | Plans tested regularly | ☐ Implemented
Physical Security | Access controls; environmental controls | ☐ Implemented
Employee Security | Background checks; NDAs; training | ☐ Implemented
Incident Response | Documented plan; response team | ☐ Implemented
Secure Disposal | NIST SP 800-88 compliant | ☐ Implemented
Other | [________________________________] | ☐ Implemented

ANNEX C — APPROVED SUB-PROCESSOR LIST

Sub-Processor Name | Processing Activities | Location | Date Approved
[________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [__/__/____]

This template is provided by ezel.ai for informational purposes only and does not constitute legal advice. Consult qualified California privacy counsel before executing this DPA.
