DPA Short Form Transfer Addendum
Addendum Effective Date: [__/__/____]
Reference Agreement: [________________________________] dated [__/__/____] (the "Agreement")
Transferor (Data Exporter): [________________________________] ("Transferor")
Transferee (Data Importer): [________________________________] ("Transferee")
This Data Processing and Transfer Addendum ("Addendum") supplements the Agreement and governs all transfers of Personal Data between the Parties. In the event of conflict between this Addendum and the Agreement on matters of data protection, this Addendum shall prevail.
1. DEFINITIONS
1.1 "Personal Data" means any information relating to an identified or identifiable natural person, including "personal information" as defined under the CCPA/CPRA (Cal. Civ. Code 1798.140(v)), "personal data" as defined under the GDPR (Article 4(1)), the VCDPA (Va. Code 59.1-575), the CPA (C.R.S. 6-1-1303(17)), the CTDPA (Conn. Gen. Stat. 42-515(17)), and the TDPSA (Tex. Bus. & Com. Code 541.001(23)), and analogous terms under other Applicable Data Protection Laws.
1.2 "Processing" means any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
1.3 "Controller" means the natural or legal person that determines the purposes and means of Processing Personal Data, including a "business" under the CCPA/CPRA and analogous terms under other Applicable Data Protection Laws.
1.4 "Processor" means the natural or legal person that Processes Personal Data on behalf of the Controller, including a "service provider" or "contractor" under the CCPA/CPRA and analogous terms under other Applicable Data Protection Laws.
1.5 "Transfer" means any disclosure, transmission, sharing, or making available of Personal Data from the Transferor to the Transferee, whether by electronic transmission, physical delivery, granting of access, or any other means.
1.6 "Sensitive Data" means Personal Data revealing or concerning racial or ethnic origin; religious beliefs; mental or physical health diagnosis; sexual orientation or sex life; citizenship or immigration status; genetic data; biometric data processed for identification purposes; precise geolocation data; personal data of a known child (under 13 or under 16, as applicable); financial account information with access credentials; Social Security numbers, driver's license numbers, or passport numbers; contents of personal communications; and neural data, as applicable under relevant Applicable Data Protection Laws.
1.7 "De-Identified Data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, or a device linked to such person, provided the Controller or Processor that possesses the data takes reasonable measures to ensure the data cannot be associated with a natural person, publicly commits to maintain and use the data only in de-identified form, and contractually obligates any recipients to comply with these requirements.
1.8 "Sale" means the exchange of Personal Data for monetary or other valuable consideration, as defined under the CCPA/CPRA, VCDPA, CPA, CTDPA, TDPSA, and other Applicable Data Protection Laws.
1.9 "Share" or "Sharing" means making Personal Data available to a third party for cross-context behavioral advertising, as defined under the CCPA/CPRA (Cal. Civ. Code 1798.140(ah)).
1.10 "Applicable Data Protection Laws" means all federal, state, and international laws, regulations, and binding guidance relating to data protection, data privacy, data security, and the Processing of Personal Data that apply to the Processing contemplated by this Addendum.
1.11 "Data Subject" or "Consumer" means the identified or identifiable natural person to whom Personal Data relates.
1.12 "Subprocessor" means any third party engaged by the Transferee to Process Personal Data on behalf of the Transferor.
1.13 "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
1.14 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended, supplemented, or replaced.
2. SCOPE AND PURPOSE OF TRANSFER
2.1 Transfer Relationship. The relationship between the Parties for purposes of this Addendum is:
☐ Controller-to-Controller Transfer
☐ Controller-to-Processor Transfer
☐ Processor-to-Processor Transfer
☐ Processor-to-Sub-Processor Transfer
2.2 Categories of Data Subjects. The Transfer involves Personal Data relating to the following categories of Data Subjects:
☐ Customers and prospective customers
☐ Employees and contractors of the Transferor
☐ End users of the Transferor's products or services
☐ Business contacts and representatives
☐ Vendors and suppliers
☐ Website visitors
☐ Other: [________________________________]
2.3 Categories of Personal Data. The Transfer involves the following categories of Personal Data:
☐ Contact information (name, email, phone, address)
☐ Account credentials and identifiers
☐ Financial and payment information
☐ Employment and HR data
☐ Usage and behavioral data
☐ Device and technical identifiers
☐ Communications content
☐ Geolocation data
☐ Other: [________________________________]
2.4 Purpose of Transfer. Personal Data is Transferred solely for the following purposes:
[________________________________]
[________________________________]
[________________________________]
2.5 Duration of Processing. Processing shall continue for the term of the Agreement plus any wind-down period not to exceed [____] days, unless otherwise required by Applicable Data Protection Laws.
2.6 Frequency of Transfer. Transfers shall occur:
☐ On a continuous or rolling basis
☐ On a periodic basis (specify frequency): [________________________________]
☐ On a one-time basis
☐ As needed to fulfill the purposes described in Section 2.4
3. LEGAL BASIS FOR TRANSFER
3.1 Domestic (US Interstate) Transfers. For Transfers of Personal Data within the United States, the Parties rely on one or more of the following legal bases:
☐ Performance of the Agreement (contractual necessity)
☐ Consent of the Data Subject or Consumer
☐ Legitimate business interests of the Transferor, provided such interests are not overridden by the rights and freedoms of the Data Subject
☐ Compliance with a legal obligation
☐ Other: [________________________________]
3.2 International Transfers. For Transfers of Personal Data from the European Economic Area ("EEA"), United Kingdom ("UK"), or Switzerland to the United States or other third countries:
☐ EU-US Data Privacy Framework (DPF) certification
☐ UK Extension to the EU-US Data Privacy Framework
☐ Swiss-US Data Privacy Framework
☐ Standard Contractual Clauses (Module [____]: [________________________________])
☐ UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
☐ Binding Corporate Rules approved by a supervisory authority
☐ Derogation under GDPR Article 49 (specify): [________________________________]
☐ Other: [________________________________]
3.3 Transfer Impact Assessment. Before initiating any international Transfer, the Transferor shall, in cooperation with the Transferee, conduct a transfer impact assessment to evaluate the legal protections available in the destination country and determine whether supplementary measures are required. Such assessment shall be documented and made available to competent supervisory authorities upon request.
3.4 State-Specific Basis. Where Applicable Data Protection Laws of a particular US state impose specific legal-basis requirements for Processing, the Parties shall document the applicable basis in Exhibit A (Data Transfer Impact Assessment) attached hereto.
4. DATA CATEGORIES AND SENSITIVITY CLASSIFICATION
4.1 Data Inventory Checklist. The Transferor represents that the following types of Personal Data will be included in the Transfer. Check all that apply:
Standard Personal Data:
☐ Full name
☐ Email address
☐ Phone number(s)
☐ Physical/mailing address
☐ Date of birth
☐ Gender
☐ Employer and job title
☐ IP address and device identifiers
☐ Cookie and tracking identifiers
☐ Purchase and transaction history
☐ Account preferences and settings
☐ Customer support records
Sensitive Personal Data (requires enhanced safeguards per Section 7):
☐ Social Security number or tax identification number
☐ Driver's license or government-issued ID number
☐ Passport number
☐ Financial account numbers with access credentials
☐ Payment card information (credit/debit card numbers)
☐ Precise geolocation data (within 1,750 feet / 533 meters)
☐ Racial or ethnic origin
☐ Religious or philosophical beliefs
☐ Health or medical information
☐ Sexual orientation or sex life
☐ Genetic data
☐ Biometric data processed for identification
☐ Citizenship or immigration status
☐ Personal data of known children (under 13 or under 16 as applicable)
☐ Contents of personal communications (mail, email, text)
☐ Neural data
☐ Union membership
☐ Criminal history or background check data
4.2 Sensitive Data Restrictions. If any Sensitive Data categories are checked above, the Transferee shall implement the enhanced technical and organizational measures specified in Section 7.8 and the Parties shall complete the Sensitive Data supplemental provisions in the applicable State-Specific Compliance Addenda (Section 16).
4.3 Prohibited Data. Unless expressly authorized in writing, the Transferor shall not Transfer, and the Transferee shall not Process: (a) data subject to the Payment Card Industry Data Security Standard (PCI DSS) without compliance certification; (b) protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA) without a Business Associate Agreement; or (c) data regulated by the Gramm-Leach-Bliley Act (GLBA) without a compliant data-sharing agreement.
5. TRANSFEROR OBLIGATIONS
5.1 Lawful Collection. The Transferor represents and warrants that all Personal Data Transferred under this Addendum has been collected in accordance with Applicable Data Protection Laws, including providing required privacy notices to Data Subjects and obtaining any necessary consents.
5.2 Accuracy and Quality. The Transferor shall use commercially reasonable efforts to ensure that Personal Data Transferred is accurate, complete, and up-to-date for the purposes of the Transfer.
5.3 Required Disclosures. The Transferor shall ensure that its privacy notice or privacy policy accurately discloses the Transfer, including the categories of Personal Data shared, the purposes of Transfer, the categories of recipients, and all consumer rights related to the Transfer, as required by Applicable Data Protection Laws.
5.4 Consumer Consent and Opt-Out. Where Applicable Data Protection Laws require consent for the Transfer (including consent for Sensitive Data Processing), the Transferor shall obtain and document such consent prior to the Transfer. The Transferor shall honor opt-out requests (including universal opt-out mechanisms such as Global Privacy Control signals where required by law) and shall promptly notify the Transferee of any revocation of consent or opt-out that affects the scope of the Transfer.
5.5 Data Minimization. The Transferor shall Transfer only the minimum Personal Data reasonably necessary to achieve the purposes stated in Section 2.4 and shall not Transfer Personal Data in excess of what is required.
5.6 Data Protection Assessment. Where Applicable Data Protection Laws require the Transferor to conduct a data protection assessment, privacy impact assessment, or risk assessment prior to certain Processing activities (including Transfers involving Sensitive Data, targeted advertising, profiling, or Selling/Sharing), the Transferor shall complete such assessment before initiating the Transfer and shall retain documentation thereof.
5.7 Cooperation. The Transferor shall reasonably cooperate with the Transferee in the performance of the Transferee's obligations under this Addendum, including providing information necessary for the Transferee to respond to Data Subject requests and regulatory inquiries.
6. TRANSFEREE OBLIGATIONS
6.1 Purpose Limitation. The Transferee shall Process Personal Data received under this Addendum solely for the purposes described in Section 2.4 and strictly in accordance with the documented instructions of the Transferor. The Transferee shall not:
(a) Sell Personal Data;
(b) Share Personal Data for cross-context behavioral advertising;
(c) Process Personal Data for any purpose other than the specified business purposes;
(d) Retain, use, or disclose Personal Data outside the direct business relationship between the Parties;
(e) Combine Personal Data received from the Transferor with Personal Data received from other sources, except as expressly permitted by Applicable Data Protection Laws and this Addendum.
6.2 Compliance Certification. The Transferee certifies that it understands and will comply with the restrictions and obligations imposed by this Addendum and all Applicable Data Protection Laws, including the CCPA/CPRA requirements for service providers and contractors (Cal. Civ. Code 1798.100(d)).
6.3 Confidentiality. The Transferee shall ensure that all personnel authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.4 Security Measures. The Transferee shall implement and maintain the technical and organizational measures described in Section 7, appropriate to the nature, scope, context, and purposes of Processing and the risks to Data Subjects.
6.5 Breach Notification. The Transferee shall comply with the Data Breach notification obligations set forth in Section 10.
6.6 Cooperation with Consumer Rights. The Transferee shall cooperate with the Transferor to fulfill consumer and Data Subject rights requests as described in Section 8.
6.7 Data Protection Officer. If required by Applicable Data Protection Laws, the Transferee shall designate a data protection officer or privacy contact and provide the Transferor with current contact information: [________________________________].
6.8 Regulatory Notification. The Transferee shall promptly notify the Transferor if it determines that it can no longer meet its obligations under this Addendum or under Applicable Data Protection Laws.
6.9 Remediation Rights. Upon receiving notice under Section 6.8, the Transferor shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized Processing of Personal Data by the Transferee, including by suspending the Transfer and/or terminating this Addendum.
7. TECHNICAL AND ORGANIZATIONAL MEASURES
7.1 General Obligation. The Transferee shall implement and maintain technical and organizational measures that provide a level of security appropriate to the risk of Processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing.
7.2 Encryption.
(a) Data in transit: All Personal Data shall be encrypted using TLS 1.2 or higher (or equivalent standard) during transmission.
(b) Data at rest: All Personal Data stored on the Transferee's systems shall be encrypted using AES-256 or equivalent encryption standard.
(c) Key management: Encryption keys shall be stored separately from encrypted data and rotated at least annually.
7.3 Access Controls.
(a) Role-based access control (RBAC) shall be implemented, limiting access to Personal Data to authorized personnel on a need-to-know basis.
(b) Multi-factor authentication (MFA) shall be required for all administrative access to systems containing Personal Data.
(c) Access permissions shall be reviewed at least quarterly and promptly revoked upon personnel role change or termination.
(d) Unique user credentials shall be assigned to each individual; shared accounts are prohibited.
7.4 Pseudonymization and De-Identification.
(a) Where technically feasible and consistent with the Processing purpose, the Transferee shall pseudonymize Personal Data so that the data can no longer be attributed to a specific Data Subject without the use of additional information.
(b) Where De-Identified Data is sufficient for the Transferee's purposes, the Parties shall use De-Identified Data in lieu of Personal Data.
(c) The Transferee shall not attempt to re-identify De-Identified Data and shall contractually prohibit downstream recipients from re-identification.
7.5 Network and System Security.
(a) Firewalls, intrusion detection/prevention systems, and endpoint protection shall be maintained on all systems Processing Personal Data.
(b) Vulnerability assessments shall be conducted at least quarterly and penetration testing at least annually.
(c) Security patches for critical vulnerabilities shall be applied within [____] days of release.
(d) Secure software development lifecycle (SDLC) practices shall be followed for all applications Processing Personal Data.
7.6 Logging and Monitoring.
(a) Access to Personal Data shall be logged, including the identity of the accessor, the data accessed, the date and time of access, and the action taken.
(b) Logs shall be retained for a minimum of [____] months and shall be protected against tampering.
(c) Automated monitoring and alerting shall be implemented to detect unauthorized access or anomalous activity.
7.7 Physical Security.
(a) Data centers and facilities Processing Personal Data shall maintain physical access controls including badge access, visitor logs, and surveillance.
(b) Physical media containing Personal Data shall be securely stored and destroyed when no longer needed using NIST SP 800-88 compliant methods or equivalent.
7.8 Enhanced Measures for Sensitive Data. Where the Transfer involves Sensitive Data, the Transferee shall additionally implement:
(a) Field-level encryption for Sensitive Data elements;
(b) Data masking or tokenization for Sensitive Data in non-production environments;
(c) Enhanced access logging with real-time alerting for Sensitive Data access;
(d) Segregated storage or database-level isolation for Sensitive Data;
(e) Annual privacy impact assessments specific to Sensitive Data Processing.
7.9 Audit Rights. The Transferor's audit rights with respect to the measures described in this Section 7 are set forth in Section 12.
7.10 Business Continuity and Disaster Recovery. The Transferee shall maintain business continuity and disaster recovery plans that include provisions for the protection and recovery of Personal Data, with a recovery time objective (RTO) of [____] hours and a recovery point objective (RPO) of [____] hours.
8. CONSUMER AND DATA SUBJECT RIGHTS SUPPORT
8.1 General Obligation. The Transferee shall cooperate with and assist the Transferor in fulfilling its obligations to respond to Consumer and Data Subject rights requests under Applicable Data Protection Laws.
8.2 Categories of Rights. The Transferee shall support the Transferor's compliance with the following rights, as applicable under the relevant jurisdiction:
(a) Right to Know / Access: The right to obtain confirmation of whether Personal Data is being Processed and to receive a copy of such data.
(b) Right to Deletion / Erasure: The right to request deletion of Personal Data, subject to applicable exceptions.
(c) Right to Correction / Rectification: The right to request correction of inaccurate Personal Data.
(d) Right to Data Portability: The right to receive Personal Data in a structured, commonly used, and machine-readable format.
(e) Right to Opt Out of Sale/Sharing: The right to direct the cessation of Sale or Sharing of Personal Data.
(f) Right to Limit Use of Sensitive Data: The right to limit the use and disclosure of Sensitive Personal Information.
(g) Right to Non-Discrimination / Non-Retaliation: The right not to be discriminated against for exercising privacy rights.
(h) Right to Appeal: The right to appeal a denial of a rights request.
(i) Right to Opt Out of Profiling / Automated Decision-Making: The right to opt out of Processing for profiling that produces legal or similarly significant effects.
8.3 Response Timelines. The Transferee shall respond to the Transferor's forwarded Consumer or Data Subject rights requests within the following timelines, or such shorter period as required by the relevant jurisdiction:
| Jurisdiction | Initial Response Deadline | Extension Available |
|---|---|---|
| GDPR (EEA/UK) | 30 days from receipt | Up to 60 additional days |
| California (CCPA/CPRA) | 45 days from receipt of verifiable request | Up to 45 additional days |
| Virginia (VCDPA) | 45 days from receipt | Up to 45 additional days |
| Colorado (CPA) | 45 days from receipt | Up to 45 additional days |
| Connecticut (CTDPA) | 45 days from receipt | Up to 45 additional days |
| Texas (TDPSA) | 45 days from receipt | Up to 45 additional days |
| Florida (FDBR) | 45 days from receipt | Up to 15 additional days |
| Universal (default) | 30 days from receipt | As required by law |
8.4 Verification Assistance. For verifiable consumer requests under the CCPA/CPRA, the Transferee shall assist the Transferor in verifying the identity of the requesting Consumer using commercially reasonable methods while minimizing additional data collection.
8.5 Direct Requests. If the Transferee receives a Consumer or Data Subject rights request directly, the Transferee shall promptly notify the Transferor and shall not respond to the request directly unless instructed to do so by the Transferor or required by Applicable Data Protection Laws.
8.6 Cost of Compliance. Unless otherwise agreed in the Agreement, each Party shall bear its own costs of complying with Consumer and Data Subject rights requests. If the Transferor's requests are unreasonably frequent or excessive, the Parties shall negotiate in good faith regarding cost allocation.
9. SUBPROCESSOR MANAGEMENT
9.1 Prior Authorization. The Transferee shall not engage any Subprocessor to Process Personal Data without:
☐ Specific prior written authorization from the Transferor for each Subprocessor; or
☐ General written authorization from the Transferor, subject to the notice and objection procedure in Section 9.2.
9.2 Notice of New Subprocessors. Where general authorization is granted, the Transferee shall notify the Transferor at least [____] days prior to engaging a new Subprocessor or replacing an existing Subprocessor. Such notice shall include the Subprocessor's identity, location, and the Processing activities to be performed.
9.3 Objection Right. The Transferor may object to a new Subprocessor within [____] days of receiving notice. If the Transferor objects on reasonable grounds related to data protection, the Transferee shall either: (a) not engage the Subprocessor for Processing the Transferor's Personal Data; or (b) propose a commercially reasonable alternative. If the Parties cannot resolve the objection within [____] days, the Transferor may terminate the affected portion of the Agreement upon written notice.
9.4 Flow-Down Obligations. The Transferee shall impose on each Subprocessor, by written contract, data protection obligations no less protective than those imposed on the Transferee under this Addendum, including:
(a) Purpose limitation and restrictions on Sale and Sharing;
(b) Confidentiality obligations;
(c) Technical and organizational security measures;
(d) Cooperation with Consumer and Data Subject rights requests;
(e) Breach notification obligations;
(f) Audit and inspection rights;
(g) Data return and deletion upon termination.
9.5 Liability for Subprocessors. The Transferee shall remain fully liable to the Transferor for the performance of each Subprocessor's obligations under this Addendum.
9.6 Current Subprocessor List. The Transferee's current list of Subprocessors is set forth at:
☐ Exhibit C attached hereto
☐ URL: [________________________________]
The Transferee shall keep the Subprocessor list current and update it promptly upon any changes.
10. DATA BREACH NOTIFICATION
10.1 Notification to Transferor. The Transferee shall notify the Transferor of any confirmed or reasonably suspected Data Breach without undue delay and in no event later than [____] hours after becoming aware of the Data Breach.
10.2 Content of Notification. The initial breach notification shall include, to the extent available:
(a) The nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
(b) The name and contact details of the Transferee's privacy or security contact;
(c) A description of the likely consequences of the Data Breach;
(d) A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its adverse effects;
(e) Whether any Sensitive Data was involved;
(f) Whether law enforcement has been notified.
10.3 Supplemental Information. If the Transferee is unable to provide all required information at the time of initial notification, it shall provide the information in phases without further undue delay and shall provide written updates at least every [____] hours until the investigation is complete.
10.4 State-Specific Notification Timelines. The Parties acknowledge the following mandatory notification deadlines under state law, which may require the Transferor to notify affected individuals and regulators:
| Jurisdiction | Individual Notice Deadline | AG/Regulator Notice Threshold |
|---|---|---|
| California | Expedient, without unreasonable delay | AG if 500+ CA residents |
| New York (SHIELD Act) | 30 days from discovery | AG, DFS, Dept. of State, State Police |
| Texas | 60 days from determination | AG if 250+ TX residents (within 30 days) |
| Florida | 30 days from determination | AG if 500+ FL residents |
| Alabama | 45 days from determination | AG if 1,000+ AL residents |
| Colorado | 30 days from determination | AG if 500+ CO residents |
| Virginia | 60 days from discovery | AG |
| Connecticut | 60 days from discovery | AG |
10.5 Transferee Cooperation. The Transferee shall cooperate with the Transferor in investigating the Data Breach, fulfilling notification obligations, and mitigating harm to affected Data Subjects, including by preserving evidence, providing technical forensic information, and supporting credit monitoring or identity theft protection services if reasonably requested.
10.6 Third-Party Agent Notification (Alabama). If the Transferee acts as a third-party agent under the Alabama Data Breach Notification Act (Ala. Code 8-38-1 et seq.), the Transferee shall notify the Transferor no later than ten (10) days following discovery of a Data Breach or reason to believe a Data Breach has occurred.
10.7 No Independent Notification. The Transferee shall not notify any affected Data Subjects, regulatory authorities, or the public of a Data Breach without the prior written authorization of the Transferor, except where required by Applicable Data Protection Laws.
11. DATA RETENTION AND DELETION
11.1 Retention Period. The Transferee shall retain Personal Data only for as long as necessary to fulfill the purposes of Processing described in Section 2.4, and in no event longer than the term of the Agreement plus [____] days for wind-down activities, unless a longer retention period is required by Applicable Data Protection Laws.
11.2 Retention Schedule. The Parties shall maintain a data retention schedule documenting the retention period for each category of Personal Data, the legal basis for retention, and the disposal method. The retention schedule shall be reviewed at least annually.
11.3 Return of Data. Upon the earlier of: (a) termination or expiration of the Agreement; (b) written request by the Transferor; or (c) completion of the Processing purpose, the Transferee shall, at the Transferor's election:
☐ Return all Personal Data to the Transferor in a structured, commonly used, and machine-readable format within [____] days; and/or
☐ Securely delete or destroy all Personal Data within [____] days.
11.4 Deletion Certification. Upon completion of deletion, the Transferee shall provide the Transferor with a written certification confirming that all Personal Data (including copies, backups, and archives) has been securely deleted or destroyed, specifying the method of destruction used. Such certification shall be provided within [____] days of completing deletion.
11.5 Backup and Archive Retention. Where Personal Data resides in backup systems or archives from which immediate deletion is not technically feasible, the Transferee shall: (a) isolate and protect the Personal Data from further Processing; (b) continue to apply the protections of this Addendum to such data; and (c) delete or destroy the Personal Data when the backup or archive is next scheduled for overwrite or deletion, and in any event within [____] months.
11.6 Legal Hold Exception. Notwithstanding the foregoing, the Transferee may retain Personal Data to the extent required by Applicable Data Protection Laws, tax laws, regulatory requirements, or pursuant to a litigation hold, provided that: (a) the Transferee notifies the Transferor of such retention; (b) the retained data is limited to the minimum necessary; and (c) the protections of this Addendum continue to apply for the duration of such retention.
12. AUDIT RIGHTS
12.1 Evidence-Based Audits. The Transferee shall make available to the Transferor, upon reasonable request, all information necessary to demonstrate compliance with this Addendum, including:
(a) Current SOC 2 Type II report (or SOC 1 Type II if applicable);
(b) ISO 27001 certification and statement of applicability;
(c) Results of most recent penetration test (executive summary);
(d) Completed security questionnaire (SIG, CAIQ, or equivalent);
(e) Privacy impact assessments relevant to the Transfer;
(f) Evidence of employee training on data protection.
12.2 On-Site or Remote Audit. If the evidence-based audit materials provided under Section 12.1 are insufficient to demonstrate compliance, the Transferor (or its designated independent third-party auditor, subject to reasonable confidentiality obligations) may conduct an audit of the Transferee's Processing activities and compliance with this Addendum, subject to the following conditions:
(a) Frequency: No more than [____] audit(s) per twelve (12) month period, unless a Data Breach has occurred or a regulatory authority requires additional audits;
(b) Notice: At least [____] business days' prior written notice;
(c) Scope: Limited to the Transferee's Processing of the Transferor's Personal Data and compliance with this Addendum;
(d) Timing: During normal business hours, with reasonable accommodations to minimize disruption;
(e) Confidentiality: The auditor shall execute a non-disclosure agreement and shall not access Personal Data of the Transferee's other customers;
(f) Cost Allocation: The Transferor shall bear the costs of the audit, provided that if the audit reveals a material non-compliance by the Transferee, the Transferee shall reimburse the Transferor's reasonable audit costs.
12.3 Regulatory Audits. The Transferee shall cooperate with audits or inspections conducted by regulatory authorities (including the California Privacy Protection Agency, state Attorneys General, and EU supervisory authorities) to the extent such audits relate to the Processing of the Transferor's Personal Data.
12.4 Remediation. If an audit reveals non-compliance with this Addendum, the Transferee shall prepare and implement a remediation plan within [____] days and shall provide evidence of remediation to the Transferor upon completion.
13. CROSS-BORDER AND INTERSTATE TRANSFER PROVISIONS
13.1 US Interstate Transfers. The Transferee acknowledges that Personal Data of residents of multiple US states may be included in the Transfer, and the Transferee shall comply with all Applicable Data Protection Laws in each state where affected Data Subjects reside.
13.2 International Transfer Mechanisms. Where Personal Data is Transferred from the EEA, UK, or Switzerland to the United States or another third country, the Parties shall use the transfer mechanism(s) identified in Section 3.2. The applicable SCCs, UK Addendum/IDTA, or other transfer mechanism documentation is attached as follows:
☐ Exhibit D: Standard Contractual Clauses (with Annexes)
☐ Exhibit E: UK International Data Transfer Addendum
☐ Other: [________________________________]
13.3 Supplementary Measures. Where the transfer impact assessment conducted under Section 3.3 identifies that the legal framework of the destination country does not provide an essentially equivalent level of protection, the Transferee shall implement supplementary measures including:
(a) Additional encryption of Personal Data before Transfer;
(b) Pseudonymization so that the data cannot be attributed to a specific Data Subject without additional information retained by the Transferor;
(c) Contractual commitments by the Transferee to challenge government access requests and notify the Transferor (to the extent legally permitted);
(d) Split Processing across multiple jurisdictions to prevent any single authority from accessing the complete dataset.
13.4 Data Localization. Unless expressly authorized by the Transferor in writing:
☐ Personal Data shall be stored and Processed only within the United States.
☐ Personal Data shall be stored and Processed only within the EEA/UK.
☐ Personal Data may be stored and Processed in the following locations: [________________________________]
☐ No geographic restriction applies.
13.5 Change of Location. The Transferee shall notify the Transferor at least [____] days prior to any change in the geographic location where Personal Data is stored or Processed.
14. LIABILITY AND INDEMNIFICATION
14.1 Mutual Indemnification. Each Party ("Indemnifying Party") shall indemnify, defend, and hold harmless the other Party, its affiliates, and their respective officers, directors, employees, and agents ("Indemnified Party") from and against any third-party claims, actions, suits, proceedings, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to the Indemnifying Party's breach of this Addendum or violation of Applicable Data Protection Laws.
14.2 Transferee Indemnification. Without limiting Section 14.1, the Transferee shall indemnify the Transferor for:
(a) Fines, penalties, or assessments imposed by regulatory authorities resulting from the Transferee's non-compliance with this Addendum or Applicable Data Protection Laws;
(b) Costs of notifying affected Data Subjects and providing credit monitoring or identity theft protection services resulting from a Data Breach attributable to the Transferee;
(c) Claims by Data Subjects arising from the Transferee's unauthorized Processing of Personal Data.
14.3 Limitation of Liability. Unless prohibited by Applicable Data Protection Laws, the aggregate liability of each Party under this Addendum shall be subject to the limitation of liability provisions in the Agreement. Notwithstanding the foregoing, the following shall not be subject to any limitation of liability:
(a) Breaches of confidentiality obligations;
(b) Indemnification obligations for regulatory fines attributable to a Party's willful misconduct or gross negligence;
(c) Unauthorized Sale or Sharing of Personal Data.
14.4 Allocation of Regulatory Fines. Where a regulatory fine or penalty is imposed jointly on the Parties, the Parties shall allocate the fine in proportion to their respective responsibility for the underlying violation, as determined by mutual agreement or, failing agreement, by a court or arbitrator of competent jurisdiction.
15. TERM AND TERMINATION
15.1 Term. This Addendum shall become effective on the Addendum Effective Date and shall remain in effect for the duration of the Agreement, including any renewals or extensions.
15.2 Survival. The obligations of the Parties under Sections 1, 6.1, 7, 8, 10, 11, 12, 14, and this Section 15 shall survive termination or expiration of this Addendum for as long as the Transferee retains or has access to any Personal Data received under this Addendum.
15.3 Termination for Breach. Either Party may terminate this Addendum immediately upon written notice if the other Party materially breaches any provision of this Addendum and fails to cure such breach within [____] days of receiving written notice thereof (or immediately if the breach is not capable of cure).
15.4 Termination for Regulatory Change. If a change in Applicable Data Protection Laws renders the Transfer unlawful or impracticable, either Party may terminate this Addendum upon [____] days' written notice, provided the Parties first negotiate in good faith to amend this Addendum to comply with the changed requirements.
15.5 Effect of Termination. Upon termination or expiration of this Addendum, the Transferee shall comply with the data return and deletion obligations in Section 11 and shall cease all Processing of the Transferor's Personal Data except as required by Applicable Data Protection Laws.
16. STATE-SPECIFIC COMPLIANCE ADDENDA
16.1 California (CCPA/CPRA). Where Personal Data of California residents is included in the Transfer:
(a) The Transferee qualifies as a: ☐ Service Provider ☐ Contractor ☐ Third Party under the CCPA/CPRA.
(b) The Transferee shall not Sell or Share Personal Information.
(c) The Transferee certifies that it understands the restrictions in Cal. Civ. Code 1798.100(d) and will comply with them.
(d) The Transferee shall assist the Transferor with verifiable consumer requests within 45 days (extendable by 45 days).
(e) The Transferee shall comply with limitations on use of Sensitive Personal Information where the Consumer has exercised the right to limit.
(f) The Transferee shall permit the Transferor to monitor compliance through measures including automated scans, assessments, or audits at least once every twelve (12) months.
(g) The Transferee shall cooperate with the Transferor's cybersecurity audits and risk assessments as required by CPPA regulations.
(h) The Transferee shall recognize and honor Global Privacy Control (GPC) signals.
16.2 Texas (TDPSA). Where Personal Data of Texas residents is included in the Transfer:
(a) The Transferee shall act as a Processor under the TDPSA and Process Personal Data only pursuant to the Transferor's documented instructions.
(b) The Transferee shall assist the Transferor with consumer rights requests within 45 days (extendable by 45 days).
(c) The Transferee shall support the Transferor's data protection assessments for targeted advertising, Sale, profiling, and Sensitive Data Processing.
(d) Sensitive Data under the TDPSA includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, citizenship or immigration status, genetic or biometric data, data of children under 13, and precise geolocation.
(e) The Transferee shall recognize and honor universal opt-out mechanisms as required effective January 1, 2025.
(f) For Data Breaches affecting 250 or more Texas residents, the Transferor must notify the Texas Attorney General within 30 days; the Transferee shall cooperate accordingly.
16.3 Florida (FDBR). Where Personal Data of Florida residents is included in the Transfer:
(a) The Transferee shall act as a Processor under the FDBR and shall ensure that each person Processing Personal Data is subject to a duty of confidentiality.
(b) The Transferee shall assist the Transferor with consumer rights requests within 45 days (extendable by up to 15 days only).
(c) The FDBR applies primarily to controllers with annual gross revenues exceeding $1 billion; applicability shall be evaluated by the Transferor.
(d) Children's data protections: Processing Sensitive Data of a known child between 13 and 18 requires affirmative authorization; Processing data of a child under 13 requires COPPA compliance.
(e) For Data Breaches affecting Florida residents, the Transferor must notify affected individuals within 30 days of determination and notify the AG if 500 or more residents are affected.
(f) Civil penalties may be up to $50,000 per violation.
16.4 New York (SHIELD Act). Where Personal Data of New York residents is included in the Transfer:
(a) The Transferee shall maintain reasonable safeguards to protect private information of New York residents, including administrative safeguards (employee training, risk assessment, service provider oversight), technical safeguards (network security, software security, intrusion detection), and physical safeguards (secure storage, data disposal, access controls).
(b) As of December 21, 2024, Data Breaches must be reported to affected New York residents within 30 days of discovery.
(c) As of March 21, 2025, the definition of "private information" under the SHIELD Act is expanded to include medical information and health insurance information.
(d) Breach notifications must also be provided to the NY Attorney General, the Department of Financial Services, the Department of State, and the State Police.
(e) The Transferee shall evaluate Data Breaches under the SHIELD Act's harm-based standard (notification required where exposure is reasonably likely to result in misuse or cause financial or emotional harm).
16.5 Alabama. Where Personal Data of Alabama residents is included in the Transfer:
(a) The Transferee shall comply with the Alabama Data Breach Notification Act (Ala. Code 8-38-1 et seq.).
(b) The Transferor must provide notice to affected individuals within 45 days of determining that a Data Breach has occurred and is reasonably likely to cause substantial harm.
(c) If the Transferee acts as a third-party agent, it must notify the Transferor no later than 10 days following discovery of a Data Breach.
(d) If the Data Breach affects more than 1,000 Alabama residents, the Transferor must notify the Alabama Attorney General within 45 days.
(e) Sensitive personally identifying information under Alabama law includes name in combination with non-truncated SSN, driver's license number, financial account numbers with access credentials, medical history, health insurance information, and username/email with password or security question.
(f) Failure to comply with notification requirements may result in civil penalties of up to $5,000 per day.
16.6 Other Jurisdictions. For Personal Data of residents of other US states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Oregon, Montana, Iowa, Indiana, Tennessee, and others as enacted), the Transferee shall comply with the applicable processor/service provider obligations, consumer rights requirements, and breach notification timelines, and the Parties shall amend this Addendum as necessary to address jurisdiction-specific requirements.
17. GENERAL PROVISIONS
17.1 Order of Precedence. In the event of conflict between the terms of this Addendum and the Agreement, this Addendum shall control with respect to matters of data protection, privacy, and security. In the event of conflict between the body of this Addendum and the SCCs or other international transfer mechanism, the mechanism providing greater protection to Data Subjects shall prevail.
17.2 Amendments. This Addendum may be amended only by a written instrument signed by both Parties, except that the Parties agree to negotiate in good faith any amendments necessary to comply with changes in Applicable Data Protection Laws.
17.3 Severability. If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the Parties shall negotiate in good faith a replacement provision that achieves the original intent.
17.4 Governing Law. This Addendum shall be governed by and construed in accordance with the laws specified in the Agreement. Where the Agreement is silent on governing law, this Addendum shall be governed by the laws of [________________________________].
17.5 Entire Agreement. This Addendum, together with its Exhibits and the Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, understandings, and communications, whether written or oral, relating to the Processing and Transfer of Personal Data.
17.6 Notices. All notices under this Addendum shall be in writing and delivered to the addresses set forth below or as updated by written notice:
Transferor Privacy Contact: [________________________________]
Email: [________________________________]
Phone: [________________________________]
Transferee Privacy Contact: [________________________________]
Email: [________________________________]
Phone: [________________________________]
18. EXECUTION
By signing below, the Parties agree to be bound by the terms of this Addendum as of the Addendum Effective Date.
TRANSFEROR:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Organization: [________________________________]
Date: [__/__/____]
TRANSFEREE:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Organization: [________________________________]
Date: [__/__/____]
EXHIBIT A: DATA TRANSFER IMPACT ASSESSMENT
A.1 Assessment Details
Assessment Date: [__/__/____]
Assessor: [________________________________]
Approved By: [________________________________]
A.2 Transfer Description
| Element | Description |
|---|---|
| Transferor (Data Exporter) | [________________________________] |
| Transferee (Data Importer) | [________________________________] |
| Transfer Mechanism | [________________________________] |
| Categories of Data Subjects | [________________________________] |
| Categories of Personal Data | [________________________________] |
| Sensitive Data Included | ☐ Yes ☐ No |
| Purpose of Transfer | [________________________________] |
| Destination Country/State | [________________________________] |
A.3 Risk Assessment
| Risk Factor | Low | Medium | High | Mitigation Measures |
|---|---|---|---|---|
| Legal framework adequacy | ☐ | ☐ | ☐ | [________________________________] |
| Government access risk | ☐ | ☐ | ☐ | [________________________________] |
| Technical security measures | ☐ | ☐ | ☐ | [________________________________] |
| Organizational controls | ☐ | ☐ | ☐ | [________________________________] |
| Subprocessor chain risk | ☐ | ☐ | ☐ | [________________________________] |
| Data subject rights enforceability | ☐ | ☐ | ☐ | [________________________________] |
| Breach notification capability | ☐ | ☐ | ☐ | [________________________________] |
| Data minimization compliance | ☐ | ☐ | ☐ | [________________________________] |
A.4 Overall Risk Determination
☐ Low Risk -- Transfer may proceed with standard safeguards.
☐ Medium Risk -- Transfer may proceed with supplementary measures documented below.
☐ High Risk -- Transfer requires additional review and approval before proceeding.
☐ Unacceptable Risk -- Transfer should not proceed.
A.5 Supplementary Measures Required
[________________________________]
[________________________________]
[________________________________]
A.6 Review Schedule
This assessment shall be reviewed: ☐ Annually ☐ Upon material change ☐ Other: [________________________________]
EXHIBIT B: TECHNICAL MEASURES CHECKLIST
The Transferee shall complete and return this checklist to the Transferor prior to or concurrently with execution of the Addendum.
B.1 Encryption
| Measure | Implemented | Standard/Details |
|---|---|---|
| Encryption in transit (TLS 1.2+) | ☐ Yes ☐ No | [________________________________] |
| Encryption at rest (AES-256+) | ☐ Yes ☐ No | [________________________________] |
| End-to-end encryption | ☐ Yes ☐ No ☐ N/A | [________________________________] |
| Key management system | ☐ Yes ☐ No | [________________________________] |
| Key rotation frequency | ☐ Yes ☐ No | [________________________________] |
B.2 Access Controls
| Measure | Implemented | Standard/Details |
|---|---|---|
| Role-based access control (RBAC) | ☐ Yes ☐ No | [________________________________] |
| Multi-factor authentication | ☐ Yes ☐ No | [________________________________] |
| Least-privilege access | ☐ Yes ☐ No | [________________________________] |
| Quarterly access reviews | ☐ Yes ☐ No | [________________________________] |
| Privileged access management | ☐ Yes ☐ No | [________________________________] |
| Automated de-provisioning | ☐ Yes ☐ No | [________________________________] |
B.3 Network Security
| Measure | Implemented | Standard/Details |
|---|---|---|
| Firewall protection | ☐ Yes ☐ No | [________________________________] |
| Intrusion detection/prevention | ☐ Yes ☐ No | [________________________________] |
| DDoS protection | ☐ Yes ☐ No | [________________________________] |
| Network segmentation | ☐ Yes ☐ No | [________________________________] |
| VPN or private connectivity | ☐ Yes ☐ No | [________________________________] |
B.4 Data Protection
| Measure | Implemented | Standard/Details |
|---|---|---|
| Data loss prevention (DLP) | ☐ Yes ☐ No | [________________________________] |
| Pseudonymization capability | ☐ Yes ☐ No | [________________________________] |
| Data masking (non-production) | ☐ Yes ☐ No | [________________________________] |
| Secure data disposal | ☐ Yes ☐ No | [________________________________] |
| Backup and recovery | ☐ Yes ☐ No | [________________________________] |
B.5 Monitoring and Response
| Measure | Implemented | Standard/Details |
|---|---|---|
| Security information and event management (SIEM) | ☐ Yes ☐ No | [________________________________] |
| 24/7 security operations center | ☐ Yes ☐ No | [________________________________] |
| Incident response plan | ☐ Yes ☐ No | [________________________________] |
| Log retention (minimum months) | ☐ Yes ☐ No | [________________________________] |
| Vulnerability scanning frequency | ☐ Yes ☐ No | [________________________________] |
| Penetration testing frequency | ☐ Yes ☐ No | [________________________________] |
B.6 Certifications and Compliance
| Certification | Current | Expiration Date |
|---|---|---|
| SOC 2 Type II | ☐ Yes ☐ No | [__/__/____] |
| ISO 27001 | ☐ Yes ☐ No | [__/__/____] |
| ISO 27701 | ☐ Yes ☐ No | [__/__/____] |
| PCI DSS (if applicable) | ☐ Yes ☐ No ☐ N/A | [__/__/____] |
| HITRUST (if applicable) | ☐ Yes ☐ No ☐ N/A | [__/__/____] |
| FedRAMP (if applicable) | ☐ Yes ☐ No ☐ N/A | [__/__/____] |
| Other: [________________] | ☐ Yes ☐ No | [__/__/____] |
EXHIBIT C: DATA INVENTORY TEMPLATE
| # | Data Element | Category | Sensitive | Source | Purpose | Retention Period | Deletion Method |
|---|---|---|---|---|---|---|---|
| 1 | [________________________________] | [____] | ☐ Yes ☐ No | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| 2 | [________________________________] | [____] | ☐ Yes ☐ No | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| 3 | [________________________________] | [____] | ☐ Yes ☐ No | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| 4 | [________________________________] | [____] | ☐ Yes ☐ No | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| 5 | [________________________________] | [____] | ☐ Yes ☐ No | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| 6 | [________________________________] | [____] | ☐ Yes ☐ No | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| 7 | [________________________________] | [____] | ☐ Yes ☐ No | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| 8 | [________________________________] | [____] | ☐ Yes ☐ No | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| 9 | [________________________________] | [____] | ☐ Yes ☐ No | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| 10 | [________________________________] | [____] | ☐ Yes ☐ No | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
Add additional rows as needed.
SOURCES AND REFERENCES
- CCPA/CPRA Full Text -- California Consumer Privacy Act and California Privacy Rights Act
- CPPA Regulations, 11 CCR 7051 -- Contract Requirements for Service Providers and Contractors
- Texas TDPSA -- Texas Data Privacy and Security Act
- Florida FDBR -- Florida Digital Bill of Rights
- New York SHIELD Act -- Stop Hacks and Improve Electronic Data Security Act
- Alabama Data Breach Notification Act -- Ala. Code 8-38-1 et seq.
- EU SCCs -- Standard Contractual Clauses for International Transfers
- EU-US Data Privacy Framework -- Adequacy decision and certification
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: March 2026