DATA PROCESSING ADDENDUM (SHORT FORM) — TEXAS
DPA Effective Date: [__/__/____]
Master Agreement Reference: [________________________________] ("Master Agreement")
CONTROLLER:
| Legal Name: | [________________________________] |
| Address: | [________________________________] |
| Contact Person: | [________________________________] |
| Email: | [________________________________] |
("Controller")
PROCESSOR:
| Legal Name: | [________________________________] |
| Address: | [________________________________] |
| Contact Person: | [________________________________] |
| Email: | [________________________________] |
("Processor")
1. DEFINITIONS
1.1 "Applicable Texas Laws" means the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541), the Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code Ch. 521), and any other Texas state laws, regulations, or regulatory guidance relating to data protection, security, or privacy applicable to the Parties and the Processing.
1.2 "Consumer" means an individual who is a resident of Texas acting only in an individual or household context. It does not include an individual acting in a commercial or employment context (§ 541.001(8)).
1.3 "Controller" means an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data (§ 541.001(9)).
1.4 "Processor" means a person that processes personal data on behalf of a controller (§ 541.001(24)).
1.5 "Personal Data" means any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include deidentified data or publicly available information (§ 541.001(22)).
1.6 "Sensitive Data" means personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for identification; personal data from a known child; or precise geolocation data (§ 541.001(29)).
1.7 "Sensitive Personal Information" (Ch. 521) means an individual's first name or first initial and last name in combination with: Social Security number; driver's license or government-issued ID number; account number, credit/debit card number with security code, access code, or password; or information regarding an individual's physical or mental health condition, treatment, or payment for healthcare (§ 521.002(a)(2)).
1.8 "Processing" means any operation performed on personal data, including collection, recording, organization, storage, use, disclosure, or destruction (§ 541.001(25)).
1.9 "Data Breach" means unauthorized access to or acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information or personal data.
1.10 "Targeted Advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications (§ 541.001(32)).
1.11 "Sale of Personal Data" means sharing, disclosing, or transferring personal data for monetary or other valuable consideration to a third party (§ 541.001(28)).
1.12 "Sub-Processor" means any third party engaged by the Processor to perform Processing activities on behalf of the Controller.
2. SCOPE AND PURPOSE
2.1 This DPA applies to the Processing of Personal Data and Sensitive Personal Information by the Processor on behalf of the Controller pursuant to the Master Agreement.
2.2 The subject matter, nature, purpose, duration, types of data, and categories of data subjects are described in Annex A.
2.3 This DPA is incorporated into the Master Agreement. In case of conflict regarding data protection, this DPA prevails.
3. PROCESSOR OBLIGATIONS (Tex. Bus. & Com. Code § 541.151)
The Processor shall:
3.1 Process Personal Data only in accordance with the Controller's documented instructions, as set forth in this DPA, the Master Agreement, and any written instructions from time to time.
3.2 Ensure that each person processing Personal Data is subject to a duty of confidentiality with respect to such data.
3.3 At the Controller's direction, delete or return all Personal Data to the Controller at the end of the provision of services, unless retention is required by law.
3.4 Make available to the Controller all information in the Processor's possession necessary to demonstrate the Processor's compliance with its obligations under the TDPSA and this DPA.
3.5 Allow and cooperate with reasonable assessments by the Controller, or arrange for a qualified and independent assessor to conduct an assessment of the Processor's policies and technical and organizational measures in support of the obligations under the TDPSA, and provide a report of such assessment to the Controller upon request.
3.6 Engage Sub-Processors only pursuant to written contracts that require the Sub-Processor to meet the Processor's obligations with respect to Personal Data.
3.7 Not sell Personal Data.
3.8 Not process Personal Data for purposes of targeted advertising unless authorized by the Controller and consistent with consumer opt-out rights.
3.9 Not retain, use, or disclose Personal Data for any purpose other than the specified business purposes.
3.10 Notify the Controller without undue delay if the Processor determines it can no longer meet its obligations under Applicable Texas Laws.
4. CONTROLLER DUTIES (Tex. Bus. & Com. Code § 541.101)
The Controller acknowledges its obligations under the TDPSA:
4.1 Limiting collection of Personal Data to what is adequate, relevant, and reasonably necessary (data minimization).
4.2 Not processing Personal Data for purposes neither reasonably necessary to nor compatible with disclosed purposes, without consent.
4.3 Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the Personal Data at issue (§ 541.101(3)).
4.4 Not processing Personal Data in violation of anti-discrimination laws.
4.5 Obtaining consent before processing Sensitive Data (§ 541.103).
4.6 Complying with consent requirements for data from known children (§ 541.104).
4.7 Providing transparent privacy notices (§ 541.102).
4.8 Recognizing universal opt-out mechanisms effective January 1, 2025 (§ 541.055(e)).
5. PROCESSING INSTRUCTIONS
5.1 The Processor shall Process Personal Data only for the specific purposes set forth in Annex A and the Master Agreement.
5.2 The Processor shall immediately inform the Controller if an instruction would violate Applicable Texas Laws.
5.3 The Processor shall not:
(a) Sell Personal Data;
(b) Process Personal Data for targeted advertising unless specifically authorized and consistent with opt-out rights;
(c) Retain, use, or disclose Personal Data outside the direct business relationship;
(d) Combine Personal Data from the Controller with data from other sources without Controller's written authorization.
6. CONFIDENTIALITY
6.1 All Processor personnel with access to Personal Data shall be bound by written confidentiality obligations.
6.2 Access limited on a need-to-know basis.
6.3 Regular training on data protection and security.
7. SECURITY MEASURES (Tex. Bus. & Com. Code §§ 541.101(3), 521.052)
The Processor shall implement and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of Personal Data:
7.1 Technical Measures
☐ Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
☐ Multi-factor authentication for access to systems containing Personal Data
☐ Firewalls, intrusion detection/prevention systems, and network segmentation
☐ Regular vulnerability scanning and annual penetration testing
☐ Automated patch management
☐ Role-based access controls with least-privilege principles
☐ Data loss prevention tools
☐ Security event logging and monitoring (log retention: [____] months)
7.2 Administrative Measures
☐ Written information security policy
☐ Designated security program coordinator(s)
☐ Regular employee security awareness training
☐ Background checks for personnel with access to Personal Data
☐ Incident response plan and designated response team
☐ Risk assessments conducted at least annually
☐ Vendor risk management program
☐ Business continuity and disaster recovery plans
7.3 Physical Measures
☐ Physical access controls to data processing facilities
☐ Visitor management and logging
☐ Secure disposal of physical media
☐ Environmental controls
7.4 Detailed security measures in Annex B.
7.5 Regular testing and updating of security measures.
8. SUB-PROCESSOR MANAGEMENT (Tex. Bus. & Com. Code § 541.151)
8.1 The Processor shall engage Sub-Processors only:
☐ Option A: With the Controller's prior specific written consent
☐ Option B: With general authorization and [____] days' prior notice / [____] days' objection period
8.2 Each Sub-Processor shall be bound by a written contract requiring the Sub-Processor to meet the Processor's obligations under this DPA and the TDPSA, including:
(a) Processing only per documented instructions;
(b) Confidentiality obligations;
(c) Appropriate security measures;
(d) Breach notification obligations;
(e) Cooperation with assessments and audits.
8.3 The Processor remains fully liable for Sub-Processor performance.
8.4 Approved Sub-Processors listed in Annex C.
9. CONSUMER RIGHTS ASSISTANCE (Tex. Bus. & Com. Code §§ 541.051–541.054)
9.1 The Processor shall assist the Controller in responding to consumer rights requests under the TDPSA:
(a) Right to Confirm and Access (§ 541.051(a)(1)) — providing information to confirm processing and enable access;
(b) Right to Correct (§ 541.051(a)(2)) — correcting inaccurate data upon instruction;
(c) Right to Delete (§ 541.051(a)(3)) — deleting data upon instruction and directing Sub-Processors to do the same;
(d) Right to Data Portability (§ 541.051(a)(4)) — providing data in portable, machine-readable format;
(e) Right to Opt Out of Targeted Advertising (§ 541.051(b)(1)) — implementing opt-out instructions;
(f) Right to Opt Out of Sale (§ 541.051(b)(2)) — ceasing sale of data upon instruction;
(g) Right to Opt Out of Profiling (§ 541.051(b)(3)) — implementing opt-out instructions.
9.2 The Processor shall implement technical mechanisms to recognize and honor universal opt-out signals (e.g., Global Privacy Control) effective January 1, 2025 (§ 541.055(e)), in coordination with the Controller.
9.3 The Processor shall promptly notify the Controller of any consumer request received directly and shall not respond without the Controller's authorization.
9.4 The Processor shall provide assistance in responding to consumer appeals (§ 541.054).
10. DATA BREACH NOTIFICATION
10.1 Processor-to-Controller Notification
The Processor shall notify the Controller of any Data Breach without undue delay and in no event later than:
☐ [____] hours (recommended: 24-48 hours) after the Processor becomes aware of the breach
10.2 Content of Notification
The notification shall include:
(a) Description of the nature of the breach;
(b) Categories and approximate number of affected individuals;
(c) Types of Personal Data / Sensitive Personal Information compromised;
(d) Contact information for the Processor's incident response lead;
(e) Description of likely consequences;
(f) Measures taken or proposed to contain and remediate;
(g) Whether data was encrypted at time of breach.
10.3 Cooperation
The Processor shall:
(a) Cooperate in investigation, containment, and remediation;
(b) Preserve evidence;
(c) Assist the Controller in complying with breach notification obligations under Tex. Bus. & Com. Code § 521.053:
- Individual Notification: Disclosure to each affected individual as quickly as possible;
- Attorney General Notification: If the breach involves 250 or more Texas residents, notification to the Texas Attorney General not later than the 60th day after the date on which the Controller determines the breach occurred;
- Consumer Reporting Agencies: If the breach affects more than 10,000 individuals at one time;
(d) Not issue public statements without Controller's prior written consent.
11. DATA PROTECTION ASSESSMENTS (Tex. Bus. & Com. Code § 541.107)
11.1 The Processor shall provide reasonable assistance to the Controller in conducting data protection assessments for high-risk processing:
(a) Processing for targeted advertising;
(b) Sale of Personal Data;
(c) Profiling with foreseeable risk of harm to consumers;
(d) Processing of Sensitive Data.
11.2 The Processor shall provide information about processing activities, security measures, and risk mitigation practices.
11.3 The Processor acknowledges that data protection assessments may be made available to the Texas Attorney General upon request as part of an investigation (§ 541.107(d)), and shall not include trade secrets in information provided for this purpose (§ 541.201).
12. AUDIT RIGHTS
12.1 The Processor shall make available all information necessary to demonstrate compliance.
12.2 Audit options:
☐ Option A: Direct on-site or remote audits upon [____] days' notice, no more than [____] time(s) per year
☐ Option B: Annual third-party audit reports (SOC 2 Type II, ISO 27001), with additional rights if deficiency or breach
☐ Option C: Combination
12.3 Full cooperation with audits.
12.4 Prompt remediation of identified deficiencies within [____] business days.
12.5 Audit costs: ☐ Controller ☐ Processor (if non-compliance) ☐ Shared: [________________________________]
13. DATA RETURN AND DELETION
13.1 Upon termination or Controller's request:
☐ Return all Personal Data in structured, machine-readable format; and/or
☐ Securely delete all Personal Data (NIST SP 800-88 compliant)
13.2 Completion within [____] days.
13.3 Written certification.
13.4 Retention only as required by law, with continued DPA protections.
14. SENSITIVE DATA (Tex. Bus. & Com. Code § 541.103)
14.1 The Processor shall not process Sensitive Data unless:
(a) The Controller has obtained the consumer's consent; and
(b) The Processor has been specifically instructed to process such data in Annex A.
14.2 For data from known children (under 13), processing must comply with COPPA and TDPSA § 541.104.
14.3 Heightened security measures for Sensitive Data:
☐ Additional encryption and access controls
☐ Limited access to designated personnel only
☐ Enhanced monitoring and logging
☐ Shorter retention periods where feasible
15. UNIVERSAL OPT-OUT MECHANISMS (Tex. Bus. & Com. Code § 541.055(e))
15.1 The Processor shall, in coordination with the Controller, implement technical mechanisms to recognize and honor universal opt-out signals that clearly communicate a consumer's choice to opt out of:
(a) Processing for targeted advertising; and
(b) Sale of Personal Data.
15.2 The Processor shall:
☐ Recognize Global Privacy Control (GPC) as a valid opt-out mechanism
☐ Process opt-out signals within a reasonable timeframe
☐ Apply opt-out preferences to known consumers across browsers and devices where technically feasible
☐ Maintain records of opt-out requests and compliance
16. CROSS-BORDER DATA TRANSFERS
16.1 No transfer outside the United States without Controller's prior written authorization.
16.2 Appropriate safeguards for authorized transfers:
☐ Standard contractual clauses
☐ Data Privacy Framework certification
☐ Equivalent contractual protections
☐ Other: [________________________________]
17. RECORD-KEEPING
The Processor shall maintain records of Processing activities and make them available to the Controller and regulators upon request.
18. TERM AND TERMINATION
18.1 Effective on the DPA Effective Date; coterminous with the Master Agreement.
18.2 Termination upon material breach not cured within [____] days.
18.3 Immediate termination if Processor can no longer meet its Applicable Texas Law obligations.
18.4 Sections 6, 7, 10, 13, and 19 survive termination.
19. LIABILITY AND INDEMNIFICATION
19.1 Liability.
☐ Subject to Master Agreement limitation of liability
☐ Separate cap: $[________________________________] or [____]x annual fees
☐ No cap for willful misconduct, gross negligence, or material breach of security obligations
19.2 Processor indemnifies Controller for claims from Processor's breach, violation of Applicable Texas Laws, or Data Breach caused by Processor's inadequate security.
19.3 Controller indemnifies Processor for claims from Controller's breach, except where caused by Processor's fault.
19.4 The Parties acknowledge that the Texas Attorney General has exclusive enforcement authority under the TDPSA (§ 541.205) and may seek civil penalties of up to $7,500 per violation.
20. GENERAL PROVISIONS
20.1 Governing Law. Laws of the State of Texas.
20.2 Forum. State or federal courts in [________________________________] County, Texas.
20.3 Amendments. Written agreement signed by both Parties.
20.4 Severability. Invalid provisions do not affect the remainder.
20.5 Order of Precedence. (1) Applicable Texas Laws; (2) this DPA; (3) Master Agreement.
20.6 Trade Secrets. Nothing in this DPA requires disclosure of trade secrets (§ 541.201).
21. SIGNATURES
CONTROLLER:
| Signature: | [________________________________] |
| Printed Name: | [________________________________] |
| Title: | [________________________________] |
| Date: | [__/__/____] |
PROCESSOR:
| Signature: | [________________________________] |
| Printed Name: | [________________________________] |
| Title: | [________________________________] |
| Date: | [__/__/____] |
ANNEX A — DATA PROCESSING DESCRIPTION
| Field | Description |
|---|---|
| Subject Matter: | [________________________________] |
| Duration: | [________________________________] |
| Nature and Purpose: | [________________________________] |
| Types of Personal Data: | [________________________________] |
| Sensitive Data (if any): | [________________________________] |
| Sensitive Personal Information (Ch. 521, if any): | [________________________________] |
| Categories of Data Subjects: | [________________________________] |
| Frequency of Transfer: | [________________________________] |
| Retention Period: | [________________________________] |
ANNEX B — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
| Measure | Description | Status |
|---|---|---|
| Encryption — Transit | TLS 1.2+ | ☐ Implemented |
| Encryption — At Rest | AES-256 or equivalent | ☐ Implemented |
| Access Control | Role-based; least-privilege | ☐ Implemented |
| MFA | For all access to PI systems | ☐ Implemented |
| Network Security | Firewalls, IDS/IPS, segmentation | ☐ Implemented |
| Vulnerability Management | Scanning; pen testing | ☐ Implemented |
| Logging/Monitoring | SIEM; log retention [____] months | ☐ Implemented |
| DLP | Data loss prevention | ☐ Implemented |
| BCP/DR | Plans tested regularly | ☐ Implemented |
| Physical Security | Access controls; environmental controls | ☐ Implemented |
| Employee Security | Background checks; NDAs; training | ☐ Implemented |
| Incident Response | Documented plan; response team | ☐ Implemented |
| Secure Disposal | NIST SP 800-88 compliant | ☐ Implemented |
| Other: | [________________________________] | ☐ Implemented |
ANNEX C — APPROVED SUB-PROCESSOR LIST
| Sub-Processor Name | Processing Activities | Location | Date Approved |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [__/__/____] |
This template is provided by ezel.ai for informational purposes only and does not constitute legal advice. Consult qualified Texas counsel before executing this DPA.