DATA PROCESSING ADDENDUM (SHORT FORM) — NEW YORK
DPA Effective Date: [__/__/____]
Master Agreement Reference: [________________________________] ("Master Agreement")
CONTROLLER:
| Legal Name: | [________________________________] |
| Address: | [________________________________] |
| Contact Person: | [________________________________] |
| Email: | [________________________________] |
("Controller")
PROCESSOR:
| Legal Name: | [________________________________] |
| Address: | [________________________________] |
| Contact Person: | [________________________________] |
| Email: | [________________________________] |
("Processor")
1. DEFINITIONS
1.1 "Applicable NY Laws" means the New York SHIELD Act (N.Y. Gen. Bus. Law §§ 899-aa, 899-bb), 23 NYCRR Part 500 (if applicable), and any other New York state laws, regulations, or regulatory guidance relating to data protection, security, or privacy applicable to the Parties and the Processing.
1.2 "Private Information" has the meaning set forth in N.Y. Gen. Bus. Law § 899-aa(1)(b): personal information consisting of any information in combination with one or more of the following data elements, when the data element or the combination is not encrypted or is encrypted with an encryption key that has also been accessed or acquired: (i) Social Security number; (ii) driver's license number or non-driver identification card number; (iii) account number, credit or debit card number, in combination with any required security code, access code, password, or other information permitting access to an individual's financial account; (iv) account number or credit or debit card number, if circumstances exist where such number could be used to access an individual's financial account without additional identifying information; (v) biometric information; or (vi) a username or email address in combination with a password or security question and answer permitting access to an online account.
1.3 "Personal Information" has the meaning set forth in N.Y. Gen. Bus. Law § 899-aa(1)(a): any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.
1.4 "Breach of the Security of the System" has the meaning set forth in N.Y. Gen. Bus. Law § 899-aa(1)(c): unauthorized access to or acquisition of, or access to or acquisition without valid authorization of, computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business.
1.5 "Nonpublic Information" (23 NYCRR § 500.1) means, for entities subject to NYDFS regulation, all electronic information that is not publicly available, including business-related information, information concerning an individual that can be used to identify that individual, and health-related information.
1.6 "Processing" means any operation performed on Personal Information, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, combination, restriction, erasure, or destruction.
1.7 "Sub-Processor" means any third party engaged by the Processor to perform Processing activities on behalf of the Controller.
2. SCOPE AND PURPOSE
2.1 This DPA applies to the Processing of Personal Information and Private Information by the Processor on behalf of the Controller in connection with the services provided under the Master Agreement.
2.2 The subject matter, nature, purpose, duration, types of data, and categories of data subjects are described in Annex A.
2.3 This DPA is incorporated into the Master Agreement. In the event of conflict regarding data protection, this DPA prevails.
3. PROCESSOR OBLIGATIONS
The Processor shall:
3.1 Process Personal Information only in accordance with the Controller's documented instructions and this DPA.
3.2 Ensure that all personnel authorized to Process Personal Information have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of Private Information, consistent with the SHIELD Act (N.Y. Gen. Bus. Law § 899-bb) and as described in Section 7 and Annex B.
3.4 Not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Information to any third party except as directed by the Controller or as required by law.
3.5 Not retain, use, or disclose Personal Information for any purpose other than the specific purposes set forth in this DPA and the Master Agreement.
3.6 Promptly notify the Controller if the Processor determines it can no longer meet its data security or confidentiality obligations.
3.7 Cooperate with the Controller in responding to any inquiries or investigations by the New York Attorney General, the New York Department of Financial Services, or other regulators.
4. CONFIDENTIALITY
4.1 The Processor shall ensure that all personnel with access to Personal Information:
(a) Are informed of the confidential nature of the information;
(b) Have executed written confidentiality agreements or are under statutory confidentiality obligations;
(c) Have received training on data security and privacy requirements applicable under New York law;
(d) Access Personal Information only as necessary to perform their duties.
4.2 The Processor shall limit access to Personal Information on a need-to-know basis.
5. PROCESSING INSTRUCTIONS
5.1 The Processor shall Process Personal Information only for the business purposes specified in Annex A and the Master Agreement.
5.2 The Processor shall immediately inform the Controller if an instruction would, in the Processor's opinion, result in a violation of Applicable NY Laws.
5.3 The Processor shall not combine Personal Information received from the Controller with Personal Information received from other sources, except as expressly authorized by the Controller in writing.
6. DATA SUBJECT RIGHTS ASSISTANCE
6.1 Although New York does not currently have a comprehensive consumer privacy law granting individual access, deletion, or correction rights, the Processor shall:
(a) Assist the Controller in responding to any consumer inquiries regarding the handling of their Personal Information;
(b) Cooperate with the Controller in fulfilling any privacy rights obligations that may arise under other applicable laws (e.g., CCPA/CPRA for California residents, VCDPA for Virginia residents);
(c) Promptly forward to the Controller any requests received directly from individuals regarding their Personal Information;
(d) Cooperate with the Controller in responding to any future rights that may be enacted under pending New York privacy legislation (e.g., the New York Privacy Act, S3044 / A4947; the New York Data Protection Act, S8524).
7. SECURITY MEASURES (SHIELD ACT COMPLIANCE)
Consistent with N.Y. Gen. Bus. Law § 899-bb, the Processor shall implement and maintain reasonable safeguards including:
7.1 Administrative Safeguards
☐ Designation of one or more employees to coordinate the data security program
☐ Identification of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Private Information
☐ Assessment of the sufficiency of safeguards in place to control identified risks
☐ Employee training and management on security program practices and procedures
☐ Selection of service providers capable of maintaining appropriate safeguards, and contractual requirements for them to do so
☐ Adjustment of the security program in light of business changes or new circumstances
7.2 Technical Safeguards
☐ Risk assessment in network and software design
☐ Risk assessment in information processing, transmission, and storage
☐ Detection, prevention, and response to attacks or system failures
☐ Regular testing and monitoring of key controls, systems, and procedures
☐ Encryption of Private Information in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
☐ Multi-factor authentication for access to systems containing Private Information
☐ Intrusion detection and prevention systems
☐ Automated vulnerability scanning and patch management
☐ Data loss prevention tools
☐ Security event logging and monitoring with log retention of at least [____] months
7.3 Physical Safeguards
☐ Risk assessment of information storage and disposal
☐ Detection, prevention, and response to physical intrusions
☐ Protection against unauthorized access during collection, transportation, and destruction or disposal
☐ Secure disposal of Private Information when no longer needed
7.4 Additional Security Measures
☐ Annual penetration testing
☐ Incident response plan with designated response team
☐ Business continuity and disaster recovery plans
☐ Background checks for personnel with access to Private Information
☐ Written information security policy
☐ Regular security awareness training for all personnel
7.5 The detailed security measures are set forth in Annex B.
7.6 The Processor shall regularly test, assess, and evaluate the effectiveness of its security measures and update them as necessary.
8. SUB-PROCESSOR MANAGEMENT
8.1 The Processor shall not engage any Sub-Processor without:
☐ Option A: The Controller's prior specific written consent for each Sub-Processor
☐ Option B: The Controller's general written authorization, with at least [____] days' prior notice and an objection period of [____] days
8.2 The Processor shall impose on each Sub-Processor, by way of a written contract:
(a) Data security obligations no less protective than those in this DPA;
(b) Requirements consistent with the SHIELD Act's provisions for selecting service providers capable of maintaining appropriate safeguards (N.Y. Gen. Bus. Law § 899-bb(2)(a)(iii)(E));
(c) Obligations to notify the Processor immediately of any Data Breach.
8.3 The Processor remains fully liable for the acts and omissions of its Sub-Processors.
8.4 The current list of approved Sub-Processors is set forth in Annex C.
9. DATA BREACH NOTIFICATION
9.1 The Processor shall notify the Controller of any confirmed or reasonably suspected Breach of the Security of the System affecting Personal Information or Private Information without undue delay and in no event later than:
☐ [____] hours (recommended: 24 hours) after the Processor becomes aware of the breach
9.2 The notification shall include, to the extent available:
(a) Description of the nature of the breach, including categories and approximate number of affected individuals;
(b) Contact information for the Processor's incident response lead;
(c) Description of the likely consequences;
(d) Description of measures taken or proposed to contain and remediate the breach;
(e) Date and time of discovery;
(f) Whether affected data was encrypted.
9.3 The Processor shall cooperate with the Controller to:
(a) Investigate, contain, and remediate the breach;
(b) Preserve evidence;
(c) Comply with the Controller's notification obligations under N.Y. Gen. Bus. Law § 899-aa, including:
- Individual Notification: Notification to affected New York residents within thirty (30) days from the date of discovery of the breach (as required by the 2024 amendment);
- Government Notification: Written notification to the New York Attorney General, the New York Department of State (Division of Consumer Protection), and the New York State Police, including the timing, content, and distribution of the notice and the approximate number of affected persons;
- NYDFS Notification: Notification to the New York Department of Financial Services as required by the 2024 amendment;
- Consumer Reporting Agencies: If more than 5,000 New York residents are notified at one time, notification to consumer reporting agencies.
9.4 The Processor shall not issue any public statement regarding the breach without the Controller's prior written consent, unless required by law.
10. AUDIT RIGHTS
10.1 The Controller shall have the right to audit the Processor's compliance with this DPA:
☐ Option A: Direct on-site or remote audit upon [____] business days' prior written notice, no more than [____] time(s) per year
☐ Option B: Annual third-party audit report (e.g., SOC 2 Type II, ISO 27001), with direct audit rights upon material deficiency or Data Breach
☐ Option C: Combination of both
10.2 The Processor shall cooperate fully with audits and provide reasonable access to facilities, systems, personnel, and records.
10.3 The Processor shall promptly remediate any deficiencies identified during an audit within [____] business days.
10.4 Audit costs shall be borne by: ☐ Controller ☐ Processor (if non-compliance found) ☐ Shared: [________________________________]
11. DATA RETURN AND DELETION
11.1 Upon expiration or termination of the Master Agreement, or upon the Controller's request, the Processor shall:
☐ Return all Personal Information to the Controller in a structured, machine-readable format; and/or
☐ Securely delete all Personal Information using methods rendering the data permanently unrecoverable (consistent with NIST SP 800-88)
11.2 The Processor shall complete the return or deletion within [____] days of the Controller's instruction or the termination of the Master Agreement.
11.3 The Processor shall provide the Controller with written certification of deletion or return.
11.4 The Processor may retain Personal Information only as required by law, with continued DPA protections until deletion.
12. NYDFS CYBERSECURITY ADDENDUM (23 NYCRR PART 500)
Applicability:
☐ This section applies (one or both Parties are subject to 23 NYCRR Part 500)
☐ This section does not apply (skip to Section 13)
If applicable, the following additional requirements apply:
12.1 Third-Party Service Provider Security Policy (§ 500.11)
The Controller, as a Covered Entity under 23 NYCRR Part 500, requires the Processor to adhere to the following minimum cybersecurity practices:
☐ Use of multi-factor authentication for access to Nonpublic Information and systems (§ 500.12)
☐ Encryption of Nonpublic Information in transit over external networks and at rest (§ 500.15)
☐ Implementation of written cybersecurity policies and procedures
☐ Notification to the Controller within 72 hours of a cybersecurity event that has a reasonable likelihood of materially harming any material part of the normal operations of the Controller (§ 500.17)
☐ Annual penetration testing and bi-annual vulnerability assessments (§ 500.5)
☐ Provision of cybersecurity-related documentation upon request for the Controller's annual certification of compliance (§ 500.17(b))
12.2 Due Diligence and Risk Assessment
The Controller has conducted due diligence on the Processor's cybersecurity practices, including:
☐ Review of the Processor's cybersecurity policies and procedures
☐ Assessment of the Processor's access controls and use of encryption
☐ Evaluation of the Processor's incident response capabilities
☐ Verification of the Processor's compliance certifications (e.g., SOC 2, ISO 27001)
12.3 Minimum Cybersecurity Requirements
The Processor shall implement and maintain cybersecurity practices that include:
☐ A cybersecurity program designed to protect the confidentiality, integrity, and availability of the Controller's information systems and Nonpublic Information
☐ Access privileges limited to those necessary for the Processor's business purpose
☐ Risk-based policies and procedures for the use and security of encryption
☐ Policies and procedures for the secure disposal of Nonpublic Information that is no longer necessary
☐ An incident response plan
☐ Use of effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access to Nonpublic Information
13. ADDITIONAL NEW YORK PROVISIONS
13.1 Social Security Number Protection (N.Y. Gen. Bus. Law § 399-ddd)
The Processor shall not:
☐ Publicly post or display Social Security numbers
☐ Print Social Security numbers on materials mailed to individuals (unless required by law)
☐ Require transmission of Social Security numbers over the internet unless the connection is secure
☐ Use Social Security numbers as primary account identifiers
13.2 Disposal of Records (N.Y. Gen. Bus. Law § 399-h)
The Processor shall dispose of records containing personal identifying information by shredding, destroying, or otherwise modifying records to render them permanently unreadable.
13.3 Employee Data (N.Y. Lab. Law § 203-d)
If the Processor processes employee personal information on behalf of the Controller, the Processor shall not publicly disclose such information without the employee's written consent, except where required by law.
13.4 Student Data (N.Y. Educ. Law § 2-d)
If the Processor processes student personally identifiable information on behalf of an educational agency, the Processor shall comply with Education Law § 2-d, including prohibitions on sale of student PII for commercial purposes.
14. CROSS-BORDER DATA TRANSFERS
14.1 The Processor shall not transfer Personal Information outside the United States without the Controller's prior written authorization.
14.2 If cross-border transfer is authorized, the Processor shall implement appropriate safeguards, including:
☐ Standard contractual clauses
☐ Data Privacy Framework certification
☐ Contractual protections equivalent to this DPA
☐ Other: [________________________________]
15. RECORD-KEEPING
15.1 The Processor shall maintain records of Processing activities, including categories of Processing, transfers, and security measures.
15.2 Records shall be made available to the Controller and any regulatory authority upon request.
16. TERM AND TERMINATION
16.1 This DPA is effective on the DPA Effective Date and continues for the duration of the Master Agreement.
16.2 Either Party may terminate upon material breach not cured within [____] days.
16.3 Sections 4, 7, 9, 11, and 17 survive termination.
17. LIABILITY AND INDEMNIFICATION
17.1 Liability.
☐ Subject to the Master Agreement's limitation of liability
☐ Separate cap: $[________________________________] or [____]x annual fees
☐ No cap for willful misconduct, gross negligence, or material breach of data security obligations
17.2 The Processor shall indemnify the Controller for claims arising from the Processor's breach of this DPA, violation of Applicable NY Laws, or Data Breach caused by the Processor's failure to maintain adequate security.
17.3 The Controller shall indemnify the Processor for claims arising from the Controller's breach of this DPA, except to the extent arising from the Processor's own fault.
18. GENERAL PROVISIONS
18.1 Governing Law. This DPA shall be governed by the laws of the State of New York, without regard to conflict of laws principles.
18.2 Forum. Any dispute shall be resolved in the state or federal courts located in [________________________________] County, New York.
18.3 Amendments. Amendments require written agreement signed by both Parties.
18.4 Severability. Invalid provisions shall not affect the remainder.
18.5 Order of Precedence. (1) Applicable NY Laws; (2) this DPA; (3) the Master Agreement.
19. SIGNATURES
CONTROLLER:
| Signature: | [________________________________] |
| Printed Name: | [________________________________] |
| Title: | [________________________________] |
| Date: | [__/__/____] |
PROCESSOR:
| Signature: | [________________________________] |
| Printed Name: | [________________________________] |
| Title: | [________________________________] |
| Date: | [__/__/____] |
ANNEX A — DATA PROCESSING DESCRIPTION
| Field | Description |
|---|---|
| Subject Matter: | [________________________________] |
| Duration: | [________________________________] |
| Nature and Purpose: | [________________________________] |
| Types of Personal Information: | [________________________________] |
| Types of Private Information: | [________________________________] |
| Categories of Data Subjects: | [________________________________] |
| Sensitive Data (if any): | [________________________________] |
| Frequency of Transfer: | [________________________________] |
| Retention Period: | [________________________________] |
ANNEX B — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
| Measure | Description | Status |
|---|---|---|
| Encryption — Transit | TLS 1.2+ | ☐ Implemented |
| Encryption — At Rest | AES-256 or equivalent | ☐ Implemented |
| Access Control | Role-based; least-privilege | ☐ Implemented |
| MFA | For all access to Private Information systems | ☐ Implemented |
| Network Security | Firewalls, IDS/IPS, segmentation | ☐ Implemented |
| Vulnerability Management | Regular scanning; annual pen testing | ☐ Implemented |
| Logging/Monitoring | SIEM; log retention [____] months | ☐ Implemented |
| DLP | Data loss prevention tools | ☐ Implemented |
| BCP/DR | Plans tested regularly | ☐ Implemented |
| Physical Security | Access controls; environmental controls | ☐ Implemented |
| Employee Security | Background checks; NDAs; training | ☐ Implemented |
| Incident Response | Documented plan; response team | ☐ Implemented |
| Secure Disposal | NIST SP 800-88 compliant | ☐ Implemented |
| Other: | [________________________________] | ☐ Implemented |
ANNEX C — APPROVED SUB-PROCESSOR LIST
| Sub-Processor Name | Processing Activities | Location | Date Approved |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
This template is provided by ezel.ai for informational purposes only and does not constitute legal advice. Consult qualified New York legal counsel before executing this DPA.