DPA Short Form Transfer Addendum - California (Operational Compliance)

DPA SHORT FORM TRANSFER ADDENDUM -- CALIFORNIA

Operational Compliance Format -- Article Numbering

Addendum Effective Date: [__/__/____]

Reference Agreement: [________________________________] dated [__/__/____] (the "Agreement")

Transferor (Business): [________________________________] ("Transferor")

Transferee (Service Provider / Contractor): [________________________________] ("Transferee")

This Addendum supplements the Agreement and establishes the operational compliance framework for all transfers of Personal Information involving California consumers under the CCPA/CPRA.


ARTICLE I: DEFINITIONS AND INTERPRETATION

1.1 "Personal Information" -- As defined in Cal. Civ. Code 1798.140(v), information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household.

1.2 "Sensitive Personal Information" -- As defined in Cal. Civ. Code 1798.140(ae), including SSN/driver's license/passport numbers, account credentials with financial data, precise geolocation, racial or ethnic origin, religious beliefs, union membership, personal communication contents, genetic data, biometric data for identification, health data, sexual orientation, citizenship/immigration status, and neural data (per SB 1223).

1.3 "Business Purpose" -- As defined in Cal. Civ. Code 1798.140(e), including auditing, security, debugging, short-term transient use, performing services, internal research, and quality verification.

1.4 "Service Provider" -- As defined in Cal. Civ. Code 1798.140(ag).

1.5 "Contractor" -- As defined in Cal. Civ. Code 1798.140(j).

1.6 "Sale / Sell" -- As defined in Cal. Civ. Code 1798.140(ad).

1.7 "Share" -- As defined in Cal. Civ. Code 1798.140(ah); cross-context behavioral advertising.

1.8 "De-Identified Information" -- As defined in Cal. Civ. Code 1798.140(m).

1.9 "Verifiable Consumer Request" -- As defined in Cal. Civ. Code 1798.140(ak).

1.10 "Data Breach" -- Unauthorized access to or exfiltration, theft, or disclosure of nonencrypted and nonredacted Personal Information, per Cal. Civ. Code 1798.82 and 1798.150.


ARTICLE II: OPERATIONAL SCOPE

2.1 Transferee Role: ☐ Service Provider ☐ Contractor ☐ Third Party

2.2 Compliance Implementation Checklist:

☐ Written contract executed specifying Business Purposes (this Addendum)
☐ Transferee compliance certification obtained (Article VI)
☐ Privacy notice updated to reflect Transfer
☐ Data inventory completed (Exhibit C)
☐ Technical measures verified (Exhibit B)
☐ Subprocessor list reviewed and approved
☐ Consumer rights response process established
☐ Breach notification workflow documented
☐ Risk assessment completed (where required)
☐ Annual monitoring schedule established

2.3 Business Purposes.

(a) [________________________________]
(b) [________________________________]
(c) [________________________________]

2.4 PI Categories Checklist.

☐ Identifiers (name, email, phone, address, IP, account ID)
☐ Customer records (financial, insurance, medical, education)
☐ Protected classifications (age, race, gender, disability, veteran status)
☐ Commercial information (purchase records, consumption tendencies)
☐ Biometric information
☐ Internet/network activity (browsing, search, interaction history)
☐ Geolocation data
☐ Sensory data (audio, visual, thermal, olfactory)
☐ Professional/employment information
☐ Education information
☐ Inferences and profiles
☐ Sensitive Personal Information (complete Section 4.2 checklist)

2.5 Consumer Categories.

☐ Customers ☐ Employees ☐ Applicants ☐ End Users ☐ Business Contacts
☐ Children under 13 ☐ Children 13-15 ☐ Other: [________________________________]

2.6 Duration. Agreement term plus [____] day wind-down.


ARTICLE III: LEGAL BASIS AND COMPLIANCE FRAMEWORK

3.1 Transfer Classification.

☐ Disclosure for Business Purpose (not a Sale or Share)
☐ Sale (opt-out rights apply)
☐ Sharing for cross-context behavioral advertising (opt-out rights apply)

3.2 Statutory Contract Compliance Matrix (Cal. Civ. Code 1798.100(d); 11 CCR 7051):

Requirement | Addendum Reference | Status
Limited and specified purposes | Article II, Section 2.3 | ☐ Complete
Obligation to comply with CCPA/CPRA | Article VI | ☐ Complete
Right to monitor compliance | Article XII | ☐ Complete
Notification of inability to comply | Article VI, Section 6.8 | ☐ Complete
Right to stop and remediate | Article VI, Section 6.9 | ☐ Complete
Contractor certification | Article VI, Section 6.4 | ☐ Complete
Monitoring at least every 12 months | Article XII, Section 12.1 | ☐ Complete

3.3 International Transfer (if applicable).

☐ EU-US Data Privacy Framework
☐ SCCs Module [____]
☐ UK Addendum / IDTA
☐ Not applicable (domestic only)


ARTICLE IV: DATA CLASSIFICATION

4.1 Standard PI Elements:

Data Element | Included | CCPA Category
Full name | ☐ Yes ☐ No | Identifiers
Email address | ☐ Yes ☐ No | Identifiers
Phone number | ☐ Yes ☐ No | Identifiers
Physical address | ☐ Yes ☐ No | Identifiers
Date of birth | ☐ Yes ☐ No | Identifiers
IP address | ☐ Yes ☐ No | Identifiers / Internet Activity
Device identifiers | ☐ Yes ☐ No | Identifiers / Internet Activity
Cookies/tracking | ☐ Yes ☐ No | Internet Activity
Purchase history | ☐ Yes ☐ No | Commercial Information
Employment data | ☐ Yes ☐ No | Professional Information

4.2 Sensitive PI Checklist (Cal. Civ. Code 1798.140(ae)):

SPI Category | Included | Consumer Right to Limit
SSN/DL/Passport | ☐ Yes ☐ No | Cal. Civ. Code 1798.121
Financial account + credentials | ☐ Yes ☐ No | Cal. Civ. Code 1798.121
Precise geolocation | ☐ Yes ☐ No | Cal. Civ. Code 1798.121
Racial/ethnic origin | ☐ Yes ☐ No | Cal. Civ. Code 1798.121
Religious beliefs | ☐ Yes ☐ No | Cal. Civ. Code 1798.121
Union membership | ☐ Yes ☐ No | Cal. Civ. Code 1798.121
Communication contents | ☐ Yes ☐ No | Cal. Civ. Code 1798.121
Genetic data | ☐ Yes ☐ No | Cal. Civ. Code 1798.121
Biometric data | ☐ Yes ☐ No | Cal. Civ. Code 1798.121
Health information | ☐ Yes ☐ No | Cal. Civ. Code 1798.121
Sexual orientation | ☐ Yes ☐ No | Cal. Civ. Code 1798.121
Citizenship/immigration | ☐ Yes ☐ No | Cal. Civ. Code 1798.121
Neural data | ☐ Yes ☐ No | Cal. Civ. Code 1798.121

4.3 If any SPI is checked, complete the Enhanced Safeguards in Article VII, Section 7.8.


ARTICLE V: TRANSFEROR OPERATIONAL OBLIGATIONS

5.1 Pre-Transfer Compliance Checklist:

☐ Privacy policy updated per Cal. Civ. Code 1798.100(a) and 11 CCR 7011-7012
☐ Notice at or before collection provided (Cal. Civ. Code 1798.100(b))
☐ "Do Not Sell or Share" link published (if applicable)
☐ "Limit the Use of My Sensitive Personal Information" link published (if applicable)
☐ Opt-in consent obtained for minors under 16 (Cal. Civ. Code 1798.120(c)-(d))
☐ GPC/universal opt-out mechanism honored (Cal. Civ. Code 1798.135(e))
☐ Data minimization review completed
☐ Risk assessment completed (where required by CPPA regulations)
☐ Cybersecurity audit completed (where required, effective Jan. 1, 2026)

5.2 Data Quality. Transferor shall use commercially reasonable efforts to ensure accuracy and completeness of PI.

5.3 Opt-Out Forwarding. Transferor shall notify Transferee within [____] business days of receiving any consumer opt-out, right-to-limit, or deletion request affecting the Transfer.

5.4 Ongoing Monitoring Schedule:

Activity | Frequency | Responsible Party | Last Completed
Privacy policy review | Annually | Transferor | [__/__/____]
Data inventory update | Annually | Both Parties | [__/__/____]
Risk assessment review | Annually | Transferor | [__/__/____]
Subprocessor list review | Quarterly | Transferor | [__/__/____]
Consumer rights process test | Annually | Both Parties | [__/__/____]
Breach response drill | Annually | Both Parties | [__/__/____]

ARTICLE VI: TRANSFEREE OPERATIONAL OBLIGATIONS

6.1 Prohibited Activities.

☐ The Transferee shall NOT Sell PI received under this Addendum.
☐ The Transferee shall NOT Share PI for cross-context behavioral advertising.
☐ The Transferee shall NOT retain, use, or disclose PI for purposes other than the Business Purposes.
☐ The Transferee shall NOT use PI outside the direct business relationship.
☐ The Transferee shall NOT combine PI with data from other sources (except as permitted).

6.2 Required Activities.

☐ Process PI only per documented instructions and specified Business Purposes.
☐ Maintain confidentiality of PI.
☐ Implement and maintain reasonable security (Cal. Civ. Code 1798.81.5(b)).
☐ Assist with verifiable consumer requests within 45-day timeline.
☐ Honor consumer right-to-limit for SPI.
☐ Recognize GPC signals (Cal. Civ. Code 1798.135(e); 11 CCR 7025).
☐ Cooperate with cybersecurity audits and risk assessments.

6.3 Compliance Certification Checklist:

Certification Item Confirmed
Understands CCPA/CPRA restrictions
Will not Sell or Share PI
Will comply with purpose limitations
Will notify if unable to meet obligations
Will permit monitoring and auditing
Will cooperate with consumer rights
Will maintain reasonable security
Will comply with breach notification

6.4 Contractor-Specific Certification (Cal. Civ. Code 1798.140(j)(1)). If the Transferee is classified as a Contractor, the Transferee hereby certifies that it understands the restrictions set forth in this Addendum and will comply with them.

Authorized Signatory: [________________________________]
Date: [__/__/____]

6.5 Confidentiality. All personnel with PI access bound by written confidentiality obligations.

6.6 SPI Processing Limits. Where consumers exercise the right to limit (Cal. Civ. Code 1798.121), Transferee shall restrict SPI Processing to uses that are necessary to perform the services or provide the goods requested by the consumer.

6.7 De-Identification Standards. Where Transferee de-identifies PI, it shall: (a) implement technical safeguards prohibiting re-identification; (b) implement business processes preventing inadvertent re-identification; (c) implement business processes preventing release of De-Identified Information; and (d) make no attempt to re-identify (Cal. Civ. Code 1798.140(m)).

6.8 Inability to Comply. Transferee shall notify Transferor promptly if it can no longer meet its CCPA/CPRA obligations.

6.9 Remediation. Upon notice under 6.8, Transferor may stop and remediate unauthorized use, suspend Transfer, and/or terminate this Addendum.


ARTICLE VII: TECHNICAL AND ORGANIZATIONAL MEASURES

7.1 Security Standard. Reasonable security per Cal. Civ. Code 1798.81.5(b). Failure to maintain constitutes a basis for the private right of action under Cal. Civ. Code 1798.150.

7.2 Encryption. TLS 1.2+ in transit; AES-256 at rest; separate key management with annual rotation.

7.3 Access Controls. RBAC; MFA for admin/remote access; quarterly reviews; unique credentials; no shared accounts.

7.4 Pseudonymization. Applied where feasible; De-Identified Information used where sufficient.

7.5 Network Security. Firewalls; IDS/IPS; endpoint protection; quarterly vulnerability assessments; annual penetration testing; critical patches within [____] days.

7.6 Logging. Access logging with identity, data, timestamp, and action; [____] month retention; tamper protection; automated alerting.

7.7 Physical Security. Badge access; visitor logs; surveillance; NIST SP 800-88 compliant disposal.

7.8 Enhanced SPI Safeguards. If SPI is Processed: field-level encryption; tokenization in non-production; real-time access alerts; segregated storage; annual SPI-specific PIA.

7.9 Security Operations Checklist:

Security Control | Status | Last Verified | Next Review
TLS 1.2+ encryption | ☐ Active ☐ Pending | [__/__/____] | [__/__/____]
AES-256 at-rest encryption | ☐ Active ☐ Pending | [__/__/____] | [__/__/____]
MFA for admin access | ☐ Active ☐ Pending | [__/__/____] | [__/__/____]
RBAC implementation | ☐ Active ☐ Pending | [__/__/____] | [__/__/____]
Vulnerability scanning | ☐ Active ☐ Pending | [__/__/____] | [__/__/____]
Penetration testing | ☐ Active ☐ Pending | [__/__/____] | [__/__/____]
SIEM/monitoring | ☐ Active ☐ Pending | [__/__/____] | [__/__/____]
Incident response plan | ☐ Active ☐ Pending | [__/__/____] | [__/__/____]
Employee training | ☐ Active ☐ Pending | [__/__/____] | [__/__/____]
Data backup/recovery | ☐ Active ☐ Pending | [__/__/____] | [__/__/____]

ARTICLE VIII: CONSUMER RIGHTS OPERATIONS

8.1 Rights Response Workflow:

Step | Action | Responsible | Timeline
1 | Receive verifiable consumer request | Transferor | Day 0
2 | Forward request to Transferee (if applicable) | Transferor | Within [____] days
3 | Transferee searches for consumer's PI | Transferee | Within [____] days
4 | Transferee provides results/confirmation | Transferee | Within [____] days
5 | Transferor responds to consumer | Transferor | Within 45 days total
6 | Extension notice (if needed) | Transferor | Before Day 45
7 | Final response with extension | Transferor | Within 90 days total

8.2 Rights Coverage:

Consumer Right | Citation | Response Deadline | Transferee Action
Right to Know | 1798.100, .110, .115 | 45 days (+45) | Provide data inventory
Right to Delete | 1798.105 | 45 days (+45) | Delete PI and notify subprocessors
Right to Correct | 1798.106 | 45 days (+45) | Correct inaccuracies
Right to Portability | 1798.130(a)(2) | 45 days | Provide in machine-readable format
Right to Opt Out (Sale/Share) | 1798.120 | 15 business days | Cease Sale/Sharing
Right to Limit SPI | 1798.121 | Promptly | Restrict SPI Processing
Right to Non-Discrimination | 1798.125 | Ongoing | No adverse treatment

8.3 GPC Signal Handling. Transferee shall treat GPC signals as valid opt-out requests per 11 CCR 7025.

8.4 Authorized Agent Requests. Transferee shall process requests from authorized agents per 11 CCR 7063.

8.5 Minor Consumer Protections. For consumers known to be under 16, Transferee shall verify opt-in consent before any Sale or Sharing; for consumers under 13, parental consent is required.


ARTICLE IX: SUBPROCESSOR MANAGEMENT

9.1 Authorization: ☐ Specific ☐ General (with notice)

9.2 Notice Period: [____] days before engagement.

9.3 Objection Period: [____] days from notice.

9.4 Flow-Down Requirements Checklist:

☐ No Sale or Sharing of PI
☐ Purpose limitation
☐ No combining PI from other sources
☐ Confidentiality obligations
☐ Reasonable security measures
☐ Consumer rights cooperation
☐ Breach notification
☐ Audit rights
☐ Deletion upon termination
☐ CCPA/CPRA compliance certification

9.5 Subprocessor Approval Tracker:

Subprocessor Location Activity Approved Approval Date
[________________________________] [____] [________________________________] [__/__/____]
[________________________________] [____] [________________________________] [__/__/____]
[________________________________] [____] [________________________________] [__/__/____]

9.6 Liability. Transferee fully liable for subprocessor compliance.


ARTICLE X: DATA BREACH RESPONSE

10.1 Notification Timeline:

Step | Action | Deadline
1 | Transferee detects/suspects breach | Trigger event
2 | Transferee notifies Transferor | Within [____] hours
3 | Transferee provides initial details | With notification
4 | Supplemental updates | Every [____] hours
5 | Transferor notifies affected consumers | Most expedient time, without unreasonable delay
6 | Transferor notifies CA AG (if 500+) | Concurrent with consumer notice

10.2 Breach Response Checklist:

☐ Breach detected and contained
☐ Transferor notified within required timeframe
☐ Scope and affected categories identified
☐ SPI / financial data involvement assessed
☐ Law enforcement notification evaluated
☐ Consumer notification drafted (per Cal. Civ. Code 1798.82)
☐ AG notification prepared (if 500+ CA residents)
☐ Credit monitoring/identity protection arranged (if applicable)
☐ Root cause analysis initiated
☐ Remediation plan developed

10.3 Private Right of Action Exposure (Cal. Civ. Code 1798.150). Statutory damages: $100-$750 per consumer per incident for unauthorized access/exfiltration/theft/disclosure of nonencrypted and nonredacted PI due to failure to maintain reasonable security.

10.4 Indemnification. Transferee indemnifies Transferor for breach-related costs attributable to Transferee's security failures.


ARTICLE XI: DATA RETENTION AND DELETION

11.1 Retention Schedule:

Data Category | Retention Period | Legal Basis | Deletion Method
[________________________________] | [________________________________] | [________________________________] | [________________________________]
[________________________________] | [________________________________] | [________________________________] | [________________________________]
[________________________________] | [________________________________] | [________________________________] | [________________________________]

11.2 Deletion Process Checklist:

☐ Return/deletion election received from Transferor
☐ Primary data stores purged
☐ Backup systems identified
☐ Backup deletion scheduled (within [____] months)
☐ Subprocessors notified of deletion requirement
☐ Deletion certification prepared
☐ Certification delivered to Transferor (within [____] days)

11.3 Return. PI provided in structured, machine-readable format within [____] days.

11.4 Legal Hold. Retention permitted if legally required; Transferor notified; minimum data retained; protections continue.


ARTICLE XII: AUDIT AND MONITORING

12.1 Monitoring Schedule (11 CCR 7051(b) for Contractors):

Monitoring Activity | Frequency | Last Conducted | Next Due
Automated compliance scan | Quarterly | [__/__/____] | [__/__/____]
Manual policy review | Annually | [__/__/____] | [__/__/____]
Technical security assessment | Annually | [__/__/____] | [__/__/____]
Subprocessor audit | Annually | [__/__/____] | [__/__/____]
Cybersecurity audit (CPPA regs) | Annually (eff. 2026) | [__/__/____] | [__/__/____]

12.2 Evidence-Based Materials. SOC 2 Type II; ISO 27001; penetration test summary; security questionnaire; PIA documentation; training records.

12.3 On-Site Audit. [____] per year; [____] days notice; limited scope; NDA required; Transferor bears cost unless material non-compliance found.

12.4 CPPA Cooperation. Transferee cooperates with CPPA investigations and enforcement actions.

12.5 Remediation. Non-compliance remediated within [____] days.


ARTICLE XIII: CROSS-BORDER PROVISIONS

13.1 Interstate. CA law applies to CA consumer PI regardless of processing location.

13.2 International. Transfer mechanisms per Article III, Section 3.3; TIA required.

13.3 Data Localization: ☐ US only ☐ US + EEA/UK ☐ Specific: [________________________________] ☐ No restriction

13.4 Change Notice: [____] days prior to relocation.


ARTICLE XIV: LIABILITY AND INDEMNIFICATION

14.1 Mutual indemnification for breaches of this Addendum.

14.2 Transferee Special Indemnification:

(a) CPPA/AG fines from Transferee non-compliance;
(b) Cal. Civ. Code 1798.150 claims from security failures;
(c) Consumer notification and credit monitoring costs;
(d) CPPA investigation response costs.

14.3 Penalties: Up to $2,500/violation; $7,500/intentional violation or minor's PI; statutory damages $100-$750/consumer/incident.

14.4 Uncapped Liability: Unauthorized Sale/Sharing; willful misconduct; breaches of Article VI.


ARTICLE XV: TERM AND TERMINATION

15.1 Term. Coterminous with Agreement.

15.2 Breach Termination. Cure period: [____] days (immediate if incurable).

15.3 Inability Termination. Immediate upon Section 6.8 notice.

15.4 Survival. Articles I, VI, VII, VIII, X, XI, XII, XIV survive.


ARTICLE XVI: EXECUTION

TRANSFEROR (BUSINESS):

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Organization: [________________________________]
Date: [__/__/____]

TRANSFEREE (SERVICE PROVIDER / CONTRACTOR):

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Organization: [________________________________]
Date: [__/__/____]


EXHIBIT A: RISK ASSESSMENT SUMMARY

Factor | Rating | Notes
Security adequacy | ☐ Low ☐ Med ☐ High | [________________________________]
Consumer rights capability | ☐ Low ☐ Med ☐ High | [________________________________]
Subprocessor risk | ☐ Low ☐ Med ☐ High | [________________________________]
1798.150 exposure | ☐ Low ☐ Med ☐ High | [________________________________]
CPPA enforcement risk | ☐ Low ☐ Med ☐ High | [________________________________]
Data minimization | ☐ Low ☐ Med ☐ High | [________________________________]

Overall: ☐ Proceed ☐ Proceed with supplementary measures ☐ Do not proceed


EXHIBIT B: TECHNICAL MEASURES VERIFICATION

Control | Implemented | Verified By | Date
TLS 1.2+ transit encryption | ☐ Yes ☐ No | [________________________________] | [__/__/____]
AES-256 at-rest encryption | ☐ Yes ☐ No | [________________________________] | [__/__/____]
RBAC | ☐ Yes ☐ No | [________________________________] | [__/__/____]
MFA | ☐ Yes ☐ No | [________________________________] | [__/__/____]
DLP | ☐ Yes ☐ No | [________________________________] | [__/__/____]
SIEM | ☐ Yes ☐ No | [________________________________] | [__/__/____]
Vulnerability scanning | ☐ Yes ☐ No | [________________________________] | [__/__/____]
Pen testing | ☐ Yes ☐ No | [________________________________] | [__/__/____]
Incident response plan | ☐ Yes ☐ No | [________________________________] | [__/__/____]
SOC 2 Type II | ☐ Yes ☐ No | | Expiry: [__/__/____]
ISO 27001 | ☐ Yes ☐ No | | Expiry: [__/__/____]

EXHIBIT C: DATA INVENTORY

# Data Element Category Sensitive Source Purpose Retention Deletion Method
1 [________________________________] [____] [________] [________________________________] [________] [________________________________]
2 [________________________________] [____] [________] [________________________________] [________] [________________________________]
3 [________________________________] [____] [________] [________________________________] [________] [________________________________]
4 [________________________________] [____] [________] [________________________________] [________] [________________________________]
5 [________________________________] [____] [________] [________________________________] [________] [________________________________]

About This Template

A contract is a written record of what two or more parties agreed to and what happens if someone does not follow through. Clear language, defined terms, and clean signature blocks keep disputes small and enforceable. The most common mistakes in contracts come from vague promises, missing details about timing or payment, and skipping standard protective clauses like governing law and dispute resolution.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: March 2026