Templates Compliance Regulatory Data Processing Agreement with AI Processing Annex
Universal
Compliance Regulatory
Blank Document PRO
From Template
Upload Document Word (.docx) & Markdown files
PRO
Data Processing Agreement with AI Processing Annex
Ready to Edit
Data Processing Agreement with AI Processing Annex - Free Editor

DATA PROCESSING AGREEMENT

(the “Agreement”)

This Data Processing Agreement is entered into by and between [CONTROLLER NAME] (“Controller”) and [PROCESSOR NAME] (“Processor”) and is effective as of [EFFECTIVE DATE]. This Agreement supplements the [UNDERLYING CONTRACT NAME] (the “Master Agreement”).

1. Definitions

Define key terms such as “Personal Data,” “Processing,” “Subprocessor,” “Security Incident,” “AI Output,” and “Training Data.” Include references to applicable statutes.

2. Roles & Instructions

  • Processor shall process Personal Data only on documented instructions from Controller.
  • Processor shall promptly notify Controller if unable to comply with an instruction due to applicable law.
  • Controller warrants that its instructions comply with applicable law.

3. Compliance Obligations

  • Processor shall comply with all applicable privacy and data protection laws, including CPRA, CPA, TDPSA, and GDPR (if applicable).
  • Processor shall provide information reasonably requested by Controller to demonstrate compliance.
  • Controller shall maintain an accurate record of processing activities.
  • Processor shall support Controller’s obligations relating to automated decision-making transparency, opt-outs, and risk assessments under the CPPA’s September 2025 ADMT regulations and any similar state laws.

4. Confidentiality & Personnel

  • Processor shall ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
  • Processor shall implement regular training regarding privacy, security, and AI usage limitations.

5. Security Measures

  • Processor shall implement appropriate technical and organizational measures described in Annex B.
  • Processor shall document incident response procedures and business continuity plans aligned with NIST/ISO frameworks.
  • Controller has the right to review security measures annually.

6. Subprocessors

  • Processor shall obtain Controller’s prior written authorization before engaging Subprocessors.
  • Processor shall enter into written agreements with Subprocessors imposing the same obligations as this Agreement.
  • Processor shall notify Controller at least [DAYS] days before adding or replacing Subprocessors.

7. Audit & Assessments

  • Controller may conduct audits up to [ANNUAL FREQUENCY] times per year with reasonable notice.
  • Processor shall cooperate with regulatory investigations and provide certifications or SOC reports upon request.
  • Parties shall bear their own costs unless the audit reveals material non-compliance.

8. Data Subject Rights Assistance

Processor shall assist Controller in responding to consumer rights requests, including access, deletion, correction, opt-out of sale/sharing, and opt-out of automated decision-making. Responses must be provided within the statutory timelines and recorded in Annex C.

9. Security Incidents

  • Processor shall notify Controller without undue delay, and in any event within [HOURS] hours, after becoming aware of a Security Incident.
  • Notification shall include the nature of the incident, categories of data affected, mitigation measures, and contact information.
  • Processor shall cooperate with investigations and remediation efforts.

10. International Transfers

If Personal Data is transferred outside the originating jurisdiction, Parties shall execute the appropriate Standard Contractual Clauses or other lawful transfer mechanisms. Attach completed SCC modules in Annex D.

11. Deletion & Return

Upon termination or expiration, Processor shall delete or return Personal Data (at Controller’s election) within [DAYS] days, unless retention is required by law. Processor shall certify deletion in writing.

12. Liability & Indemnification

  • Each Party’s aggregate liability under this Agreement is capped at [CAP AMOUNT], excluding breaches of confidentiality, data security obligations, or violation of state privacy statutes.
  • Processor shall indemnify Controller for third-party claims arising from Processor’s violation of applicable privacy laws or this Agreement.
  • Neither Party excludes liability for gross negligence, willful misconduct, or fraud.

13. Term & Termination

This Agreement remains in effect for the duration of the Master Agreement and any data processing thereafter. Either Party may terminate for material breach if not cured within [DAYS] days of written notice.

14. Miscellaneous

Include standard clauses on governing law, order of precedence, amendments, and notices.

ANNEX A – DATA INVENTORY

Provide a table listing categories of Personal Data, data subjects, purposes, retention, and legal bases. Highlight AI-related datasets and outputs.

ANNEX B – SECURITY MEASURES

Detail administrative, technical, and physical safeguards, including encryption, access controls, logging, vulnerability management, and incident response procedures.

ANNEX C – CONSUMER RIGHTS SUPPORT

Include workflow diagrams or tables summarizing Processor’s assistance obligations, response timelines, and escalation contacts.

ANNEX D – INTERNATIONAL TRANSFERS

Insert completed SCC modules, UK Addendum, or other transfer instruments.

ANNEX E – AI PROCESSING ADDENDUM

  1. Model Inventory: List AI models used, version, intended purpose, and applicable risk tier.
  2. Training & Fine-Tuning: Identify datasets used for training/fine-tuning, including any Personal Data. Document lawful basis and data minimization measures.
  3. Output Controls: Describe measures to prevent unauthorized disclosure of Personal Data in AI outputs (e.g., filters, human review).
  4. Risk Assessments: Summarize AI impact assessments, bias testing, and validation cadence.
  5. Human Oversight: Identify responsible roles for approving AI deployments and monitoring performance.
  6. Incident Response: Outline procedures for handling AI-related incidents such as hallucinations, bias findings, or security breaches.
  7. Regulatory Alignment: Map obligations triggered by the EU AI Act (in force since August 2024 with GPAI requirements effective August 2025) and document how the Parties will meet forthcoming milestones.
  8. Restrictions: Prohibit use of Personal Data for automated decision-making that produces legal or similarly significant effects without documented DPIAs and opt-out capabilities.

[// GUIDANCE: Align Annex E with EU AI Act readiness documentation if operating globally.]

AI Legal Assistant

Welcome to Data Processing Agreement with AI Processing Annex

You're viewing a professional legal template that you can edit directly in your browser.

What's included:

  • Professional legal document formatting
  • Universal jurisdiction-specific content
  • Editable text with legal guidance
  • Free DOCX download

Upgrade to AI Editor for:

  • 🤖 Real-time AI legal assistance
  • 🔍 Intelligent document review
  • ⏰ Unlimited editing time
  • 📄 PDF exports
  • 💾 Auto-save & cloud sync