DATA PROCESSING ADDENDUM (SHORT FORM) — FLORIDA
DPA Effective Date: [__/__/____]
Master Agreement Reference: [________________________________] ("Master Agreement")
CONTROLLER:
| Legal Name: | [________________________________] |
| Address: | [________________________________] |
| Contact Person: | [________________________________] |
| Email: | [________________________________] |
("Controller")
PROCESSOR:
| Legal Name: | [________________________________] |
| Address: | [________________________________] |
| Contact Person: | [________________________________] |
| Email: | [________________________________] |
("Processor")
1. DEFINITIONS
1.1 "Applicable Florida Laws" means the Florida Digital Bill of Rights ("FDBR") (Fla. Stat. §§ 501.701–501.722), the Florida Information Protection Act ("FIPA") (Fla. Stat. § 501.171), and any other Florida state laws, regulations, or regulatory guidance relating to data protection, security, or privacy applicable to the Parties and the Processing.
1.2 "Consumer" means an individual who is a Florida resident acting only in an individual or household context (Fla. Stat. § 501.702).
1.3 "Controller" means a person that, alone or jointly with others, determines the purpose and means of processing personal data (Fla. Stat. § 501.702).
1.4 "Processor" means a person that processes personal data on behalf of a controller (Fla. Stat. § 501.702).
1.5 "Personal Data" means any information that is linked or reasonably linkable to an identified or identifiable individual. Personal Data does not include deidentified data, publicly available information, or aggregate data (Fla. Stat. § 501.702).
1.6 "Personal Information" (FIPA) means an individual's first name or first initial and last name in combination with any one or more of the following: (a) Social Security number; (b) driver's license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity; (c) financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account; (d) any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (e) an individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; (f) a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account; or (g) biometric data or geolocation data (as expanded by SB 262).
1.7 "Sensitive Data" means personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for identification; personal data from a known child; or precise geolocation data (Fla. Stat. § 501.702).
1.8 "Processing" means any operation performed on personal data, including collection, recording, organization, storage, use, disclosure, or destruction.
1.9 "Data Breach" means unauthorized access to or acquisition of electronic data containing personal information that compromises the security, confidentiality, or integrity of the data.
1.10 "Sub-Processor" means any third party engaged by the Processor to perform Processing activities on behalf of the Controller.
2. SCOPE AND PURPOSE
2.1 This DPA applies to the Processing of Personal Data and Personal Information by the Processor on behalf of the Controller pursuant to the Master Agreement.
2.2 The subject matter, nature, purpose, duration, types of data, and categories of data subjects are described in Annex A.
2.3 This DPA is incorporated into the Master Agreement. In case of conflict regarding data protection, this DPA prevails.
3. PROCESSOR OBLIGATIONS (Fla. Stat. § 501.711)
The Processor shall:
3.1 Process Personal Data only in accordance with the Controller's documented instructions, as set forth in this DPA, the Master Agreement, and any written instructions provided from time to time.
3.2 Ensure that each person processing Personal Data is subject to a duty of confidentiality with respect to such data.
3.3 At the Controller's direction, delete or return all Personal Data to the Controller at the end of the provision of services, unless retention is required by law.
3.4 Make available to the Controller all information in the Processor's possession necessary to demonstrate the Processor's compliance with its obligations under the FDBR and this DPA.
3.5 Allow and cooperate with reasonable assessments by the Controller, or arrange for a qualified and independent assessor to conduct an assessment of the Processor's policies and technical and organizational measures in support of the obligations under the FDBR, and provide a report of such assessment to the Controller upon request.
3.6 Engage Sub-Processors only with the Controller's prior authorization and pursuant to written contracts meeting the requirements of Section 8.
3.7 Not sell Personal Data.
3.8 Not process Personal Data for purposes other than those specified in this DPA and the Master Agreement.
3.9 Not combine Personal Data received from the Controller with Personal Data received from other sources, except as authorized by the Controller in writing.
3.10 Notify the Controller without undue delay if the Processor determines it can no longer meet its obligations under Applicable Florida Laws.
4. CONTROLLER DUTIES (Fla. Stat. § 501.709)
The Controller acknowledges its obligations under the FDBR, including:
4.1 Limiting collection of Personal Data to what is adequate, relevant, and reasonably necessary (data minimization).
4.2 Not processing Personal Data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes, unless consumer consent is obtained.
4.3 Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices.
4.4 Not processing Personal Data in violation of state and federal anti-discrimination laws.
4.5 Obtaining consent before processing Sensitive Data or data from a known child (Fla. Stat. §§ 501.714, 501.703).
4.6 Providing transparent privacy notices pursuant to Fla. Stat. § 501.710.
5. PROCESSING INSTRUCTIONS
5.1 The Processor shall Process Personal Data only for the specific purposes set forth in Annex A and the Master Agreement.
5.2 The Processor shall immediately inform the Controller if an instruction would, in the Processor's opinion, violate Applicable Florida Laws.
5.3 The Processor shall not:
(a) Sell Personal Data;
(b) Process Personal Data for targeted advertising unless authorized by the Controller and consistent with consumer opt-out rights;
(c) Retain, use, or disclose Personal Data for any purpose other than the specified business purposes;
(d) Process Personal Data outside the direct business relationship with the Controller.
6. CONFIDENTIALITY
6.1 All Processor personnel with access to Personal Data shall be bound by written confidentiality obligations.
6.2 The Processor shall limit access to Personal Data on a need-to-know basis.
6.3 The Processor shall provide regular training to personnel on data protection and security obligations.
7. SECURITY MEASURES
The Processor shall implement and maintain reasonable administrative, technical, and physical data security practices to protect Personal Data, consistent with FIPA (Fla. Stat. § 501.171(2)) and the FDBR:
7.1 Technical Measures
☐ Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
☐ Multi-factor authentication for access to systems containing Personal Data
☐ Firewalls and intrusion detection/prevention systems
☐ Network segmentation
☐ Regular vulnerability scanning and annual penetration testing
☐ Automated patch management
☐ Access controls based on least-privilege and role-based principles
☐ Data loss prevention tools
☐ Security event logging and monitoring (log retention: [____] months)
7.2 Administrative Measures
☐ Written information security policy
☐ Designated security program coordinator(s)
☐ Regular employee security awareness training
☐ Background checks for personnel with access to Personal Data
☐ Incident response plan and designated response team
☐ Risk assessments conducted at least annually
☐ Vendor risk management program
☐ Business continuity and disaster recovery plans
7.3 Physical Measures
☐ Physical access controls to data processing facilities
☐ Visitor management and logging
☐ Secure disposal of physical media (shredding, degaussing, destruction)
☐ Environmental controls (fire suppression, climate control, power backup)
7.4 Detailed security measures are described in Annex B.
7.5 The Processor shall regularly test and update its security measures.
8. SUB-PROCESSOR MANAGEMENT (Fla. Stat. § 501.711)
8.1 The Processor shall not engage any Sub-Processor without:
☐ Option A: Prior specific written consent of the Controller for each Sub-Processor
☐ Option B: General written authorization with [____] days' prior notice and [____] days' objection period
8.2 The Processor shall impose on each Sub-Processor, by written contract:
(a) Data protection obligations no less protective than those in this DPA;
(b) Requirements to implement appropriate technical and organizational security measures;
(c) Obligations to notify the Processor immediately of any Data Breach;
(d) Obligations consistent with the FDBR processor duties.
8.3 The Processor shall remain fully liable for the performance of each Sub-Processor.
8.4 Current approved Sub-Processors are listed in Annex C.
9. DATA SUBJECT / CONSUMER RIGHTS ASSISTANCE (Fla. Stat. §§ 501.705, 501.706)
9.1 The Processor shall assist the Controller in responding to consumer rights requests under the FDBR, including:
(a) Right to Confirm and Access (§ 501.705(1)(a)) — providing information needed to confirm processing and access Personal Data;
(b) Right to Correct (§ 501.705(1)(b)) — correcting inaccurate Personal Data upon instruction;
(c) Right to Delete (§ 501.705(1)(c)) — deleting Personal Data upon instruction and directing Sub-Processors to do the same;
(d) Right to Data Portability (§ 501.705(1)(d)) — providing Personal Data in a portable, machine-readable format;
(e) Right to Opt Out (§ 501.705(1)(e)) — implementing opt-out instructions for targeted advertising, sale, and profiling.
9.2 The Processor shall promptly notify the Controller of any consumer request received directly and shall not respond without the Controller's authorization.
9.3 The Processor shall provide assistance free of charge for routine requests; fees for excessive requests may be agreed upon.
10. DATA BREACH NOTIFICATION
10.1 Processor-to-Controller Notification
The Processor shall notify the Controller of any Data Breach without undue delay and in no event later than:
☐ Ten (10) days following determination that a breach occurred (consistent with FIPA's third-party agent requirement, Fla. Stat. § 501.171(3))
☐ [____] hours (if a shorter timeframe is required by the Controller)
10.2 Content of Notification
The notification shall include:
(a) Description of the nature of the breach;
(b) Categories and approximate number of affected individuals;
(c) Types of Personal Data/Personal Information compromised;
(d) Contact information for the Processor's incident response lead;
(e) Description of likely consequences;
(f) Measures taken or proposed to contain and remediate;
(g) Whether affected data was encrypted.
10.3 Cooperation
The Processor shall:
(a) Cooperate in investigation, containment, and remediation;
(b) Preserve evidence;
(c) Assist the Controller in complying with FIPA notification obligations:
- Individual Notification: Within thirty (30) days after determination of the breach (Fla. Stat. § 501.171(4)(a));
- AG Notification: If the breach affects 500 or more Florida residents, notification to the Florida Department of Legal Affairs (Fla. Stat. § 501.171(3));
- Consumer Reporting Agencies: If the breach affects more than 1,000 individuals (Fla. Stat. § 501.171(6));
(d) Not issue public statements without the Controller's prior written consent.
10.4 Breach Notification Content for Individuals (Fla. Stat. § 501.171(4)(e))
The Controller's notification to individuals shall include (with Processor's assistance):
☐ Date, estimated date, or estimated date range of the breach
☐ Description of the Personal Information that was the subject of the breach
☐ Contact information of the entity providing the notice
11. DATA PROTECTION ASSESSMENTS (Fla. Stat. § 501.712)
11.1 The Processor shall provide reasonable assistance to the Controller in conducting data protection assessments for processing that presents a heightened risk of harm, including:
(a) Processing for targeted advertising;
(b) Sale of Personal Data;
(c) Profiling with foreseeable risk of harm;
(d) Processing of Sensitive Data.
11.2 Assistance includes providing information about processing activities, security measures, and risk mitigation.
11.3 Assessments shall identify and weigh the benefits to the controller, consumer, and public against potential risks to consumer rights.
12. AUDIT RIGHTS
12.1 The Processor shall make available all information necessary to demonstrate compliance with this DPA and the FDBR.
12.2 The Controller may:
☐ Option A: Conduct direct on-site or remote audits upon [____] days' notice, no more than [____] time(s) per year
☐ Option B: Receive annual third-party audit reports (SOC 2 Type II, ISO 27001), with additional audit rights if deficiencies or breach occur
☐ Option C: Combination
12.3 Audit costs: ☐ Controller ☐ Processor (if non-compliance) ☐ Shared: [________________________________]
13. DATA RETURN AND DELETION
13.1 Upon termination or Controller's request, the Processor shall:
☐ Return all Personal Data in a structured, machine-readable format; and/or
☐ Securely delete all Personal Data (NIST SP 800-88 compliant)
13.2 Completion within [____] days.
13.3 Written certification of deletion or return.
13.4 Retention only as required by law, with continued DPA protections.
14. CROSS-BORDER DATA TRANSFERS
14.1 No transfer outside the United States without Controller's prior written authorization.
14.2 If authorized, appropriate safeguards shall include:
☐ Standard contractual clauses
☐ Data Privacy Framework certification
☐ Equivalent contractual protections
☐ Other: [________________________________]
15. RECORD-KEEPING
15.1 The Processor shall maintain records of Processing activities.
15.2 Records available to the Controller and regulators upon request.
16. SENSITIVE DATA (Fla. Stat. § 501.714)
16.1 The Processor shall not process Sensitive Data unless:
(a) The Controller has obtained the consumer's consent prior to processing; and
(b) The Processor has been specifically instructed to process such data in Annex A.
16.2 For data from known children, processing must comply with COPPA (15 U.S.C. § 6501 et seq.) and the FDBR.
16.3 The Processor shall implement heightened security measures for Sensitive Data, including:
☐ Additional encryption and access controls
☐ Limited access to designated personnel only
☐ Enhanced monitoring and logging
☐ Shorter retention periods where feasible
17. TERM AND TERMINATION
17.1 Effective on the DPA Effective Date; coterminous with the Master Agreement.
17.2 Termination upon material breach not cured within [____] days.
17.3 Immediate termination if the Processor can no longer meet its Applicable Florida Law obligations.
17.4 Sections 6, 7, 10, 13, and 18 survive termination.
18. LIABILITY AND INDEMNIFICATION
18.1 Liability.
☐ Subject to Master Agreement limitation of liability
☐ Separate cap: $[________________________________] or [____]x annual fees
☐ No cap for willful misconduct, gross negligence, or material breach of security obligations
18.2 The Processor shall indemnify the Controller for claims arising from Processor's breach of this DPA, violation of Applicable Florida Laws, or Data Breach caused by Processor's inadequate security.
18.3 The Controller shall indemnify the Processor for claims arising from Controller's breach, except where caused by Processor's fault.
19. GENERAL PROVISIONS
19.1 Governing Law. Laws of the State of Florida.
19.2 Forum. State or federal courts in [________________________________] County, Florida.
19.3 Amendments. Written agreement signed by both Parties.
19.4 Severability. Invalid provisions do not affect the remainder.
19.5 Order of Precedence. (1) Applicable Florida Laws; (2) this DPA; (3) Master Agreement.
20. SIGNATURES
CONTROLLER:
| Signature: | [________________________________] |
| Printed Name: | [________________________________] |
| Title: | [________________________________] |
| Date: | [__/__/____] |
PROCESSOR:
| Signature: | [________________________________] |
| Printed Name: | [________________________________] |
| Title: | [________________________________] |
| Date: | [__/__/____] |
ANNEX A — DATA PROCESSING DESCRIPTION
| Field | Description |
|---|---|
| Subject Matter: | [________________________________] |
| Duration: | [________________________________] |
| Nature and Purpose: | [________________________________] |
| Types of Personal Data: | [________________________________] |
| Types of Personal Information (FIPA): | [________________________________] |
| Sensitive Data (if any): | [________________________________] |
| Categories of Data Subjects: | [________________________________] |
| Frequency of Transfer: | [________________________________] |
| Retention Period: | [________________________________] |
ANNEX B — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
| Measure | Description | Status |
|---|---|---|
| Encryption — Transit | TLS 1.2+ | ☐ Implemented |
| Encryption — At Rest | AES-256 or equivalent | ☐ Implemented |
| Access Control | Role-based; least-privilege | ☐ Implemented |
| MFA | For all access to PI systems | ☐ Implemented |
| Network Security | Firewalls, IDS/IPS, segmentation | ☐ Implemented |
| Vulnerability Management | Scanning; pen testing | ☐ Implemented |
| Logging/Monitoring | SIEM; log retention [____] months | ☐ Implemented |
| DLP | Data loss prevention | ☐ Implemented |
| BCP/DR | Plans tested regularly | ☐ Implemented |
| Physical Security | Access controls; environmental controls | ☐ Implemented |
| Employee Security | Background checks; NDAs; training | ☐ Implemented |
| Incident Response | Documented plan; response team | ☐ Implemented |
| Secure Disposal | NIST SP 800-88 compliant | ☐ Implemented |
| Other: | [________________________________] | ☐ Implemented |
ANNEX C — APPROVED SUB-PROCESSOR LIST
| Sub-Processor Name | Processing Activities | Location | Date Approved |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
This template is provided by ezel.ai for informational purposes only and does not constitute legal advice. Consult qualified Florida counsel before executing this DPA.