Third-Party Risk Management SOP - Texas
THIRD-PARTY RISK MANAGEMENT SOP — TEXAS SUPPLEMENT
Organization: [________________________________]
SOP Number: TPRM-TX-[____]
Version: [____]
Effective Date: [__/__/____]
Approved By: [________________________________]
TABLE OF CONTENTS
- Purpose and Scope
- Texas Regulatory Framework
- Definitions
- Risk Tiering — Texas Enhancements
- Third-Party Lifecycle — Texas Requirements
- Roles and Responsibilities
- Documentation and Systems of Record
- Metrics, KRIs, and Reporting
- Exceptions and Compensating Controls
- Review Cadence
- Annexes
1. PURPOSE AND SCOPE
1.1 Purpose
This SOP supplements the Universal TPRM SOP with Texas-specific requirements under the Texas Data Privacy and Security Act (TDPSA) (Tex. Bus. & Com. Code Ch. 541, effective July 1, 2024), the Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code § 521.053), and the Capture or Use of Biometric Identifier Act (CUBI) (Tex. Bus. & Com. Code § 503.001).
1.2 Scope
Applies to all third-party relationships involving:
☐ Personal data of Texas consumers (as defined under TDPSA § 541.001)
☐ Sensitive data of Texas consumers (§ 541.001(29))
☐ Biometric identifiers of Texas residents (CUBI § 503.001)
☐ Sensitive personal information triggering TX breach notification (§ 521.053)
☐ Services delivered to Texas-based operations or customers
2. TEXAS REGULATORY FRAMEWORK
| Statute | Key Vendor Requirements |
|---|---|
| TDPSA, Ch. 541 | Consumer rights (access, correction, deletion, portability, opt-outs); processor obligations (§ 541.105); data protection assessments; universal opt-out mechanism recognition |
| § 541.105 (Processor Obligations) | Process only on documented instructions; implement appropriate security; support consumer rights; allow audits; delete/return data on termination; notify if unable to comply |
| § 541.101(b) (Sensitive Data) | Consent required before processing sensitive data; COPPA compliance for children under 13 |
| § 521.053 (Breach Notification) | Notice to affected TX residents within 60 days; AG notification if >250 residents affected (HB 4, 2023) |
| § 503.001 (CUBI) | Informed consent before capturing biometric identifiers; destroy within 1 year of purpose cessation; no sale/disclosure without consent; reasonable care in storage |
3. DEFINITIONS
| Term | Definition |
|---|---|
| Personal Data (TDPSA) | Information linked or reasonably linkable to an identified or identifiable individual; excludes de-identified or publicly available data (§ 541.001(22)) |
| Sensitive Data (TDPSA) | Racial/ethnic origin, religious beliefs, mental/physical health, sexual orientation, citizenship/immigration, genetic data, biometric data for identification, children's data, precise geolocation (§ 541.001(29)) |
| Controller | Person that determines purposes and means of processing personal data (§ 541.001(8)) |
| Processor | Person that processes personal data on behalf of a controller (§ 541.001(24)) |
| Biometric Identifier (CUBI) | Retina/iris scan, fingerprint, voiceprint, record of hand/face geometry (§ 503.001(a)) |
| Sensitive Personal Information (§ 521.002) | Name + SSN, DL#, financial account number, or other elements triggering breach notification |
4. RISK TIERING — TEXAS ENHANCEMENTS
| Factor | Elevated Risk Indicators |
|---|---|
| TDPSA Data Processing | Vendor processes personal data of TX consumers as a processor under § 541.105 |
| Sensitive Data | Vendor processes sensitive data requiring consumer consent under § 541.101(b) |
| Biometric Data (CUBI) | Vendor captures, uses, or possesses biometric identifiers under § 503.001 |
| High-Risk Processing | Vendor conducts targeted advertising, sale of data, or profiling triggering DPA under TDPSA |
| Children's Data | Vendor processes data of children under 13 |
| Breach Notification Data | Vendor processes sensitive personal information triggering § 521.053 |
Vendors processing CUBI-regulated biometric data shall be classified no lower than High tier. Vendors processing TDPSA sensitive data shall be classified no lower than Medium tier.
5. THIRD-PARTY LIFECYCLE — TEXAS REQUIREMENTS
5.1 Due Diligence Enhancements
| # | Requirement | Tier | Evidence |
|---|---|---|---|
| 5.1.1 | Verify vendor TDPSA processor obligations compliance (§ 541.105) | All w/ TX personal data | ☐ DPA ☐ Processor agreement |
| 5.1.2 | Assess consumer rights support (access, correction, deletion, portability, opt-outs) (§ 541.051) | Critical/High | ☐ Rights workflow documentation |
| 5.1.3 | Verify universal opt-out mechanism recognition (§ 541.055(e)) | Critical/High | ☐ Technical implementation evidence |
| 5.1.4 | Assess data protection assessment support capability (§ 541.105(b)) | Critical/High | ☐ DPA support documentation |
| 5.1.5 | Verify sensitive data consent mechanisms (§ 541.101(b)) | If sensitive data | ☐ Consent workflows |
| 5.1.6 | Evaluate CUBI compliance (informed consent, destruction, no sale) (§ 503.001) | If biometric data | ☐ CUBI compliance documentation |
| 5.1.7 | Verify breach notification capability (60-day compliance) | All w/ TX PI | ☐ IRP ☐ Notification SLA |
| 5.1.8 | Assess children's data protections (COPPA + TDPSA) | If children's data | ☐ COPPA documentation |
5.2 Contract Requirements — Texas Additions
| Clause | Requirement | Citation |
|---|---|---|
| TDPSA Processor Terms | Process only on documented instructions; implement appropriate security; maintain confidentiality; obtain controller approval for subprocessors; support consumer rights; allow audits; delete/return data on termination | § 541.105 |
| Breach Notification | Notify within [____] hours to support 60-day deadline; cooperate with AG notification if >250 affected | § 521.053 |
| Sensitive Data Consent | Process sensitive data only with documented consumer consent | § 541.101(b) |
| CUBI Compliance | Obtain informed consent before capturing biometric identifiers; do not sell/disclose; destroy within 1 year of purpose cessation; use reasonable care in storage | § 503.001 |
| Universal Opt-Out | Recognize and honor universal opt-out mechanisms | § 541.055(e) |
| Data Protection Assessment Cooperation | Cooperate with DPAs for targeted advertising, sale, profiling, sensitive data | § 541.105(b) |
| Consumer Rights Response | Support 45-day response timeline (+ 45-day extension) | § 541.055 |
5.3 Ongoing Monitoring — Texas Additions
| Activity | Frequency | Responsible |
|---|---|---|
| TDPSA processor compliance verification | Annual | Compliance / Privacy |
| Consumer rights request support review | Semi-Annual (Critical/High) | Privacy |
| CUBI compliance verification (if applicable) | Annual | Compliance |
| Universal opt-out mechanism testing | Annual | Security / Privacy |
| Breach notification readiness | Annual | Security / Compliance |
| Sensitive data consent verification | Annual | Privacy |
5.4 Offboarding — Texas Additions
☐ Confirm deletion of all TX consumer personal data per § 541.105(a)(4)
☐ For CUBI data: confirm destruction of biometric identifiers per § 503.001(c)(3)
☐ Obtain written destruction certification
☐ Verify subprocessors have deleted TX data
6. ROLES AND RESPONSIBILITIES
| Role | TX-Specific Responsibilities |
|---|---|
| Compliance | Monitor TDPSA/CUBI regulatory updates; coordinate AG notifications; verify processor compliance |
| Privacy | Assess TDPSA processor obligations; consumer rights support; data protection assessments |
| Security | Validate technical security measures; breach notification readiness; CUBI storage security |
| Legal | Ensure TDPSA/CUBI contract terms; advise on applicability |
| Business Owner | Ensure SLAs support 60-day breach notification; escalate TDPSA compliance gaps |
7. DOCUMENTATION
Additional TPRM platform fields:
☐ TDPSA applicability determination
☐ Processor agreement status
☐ CUBI applicability (biometric data flag)
☐ Sensitive data consent verification
☐ Universal opt-out compliance status
☐ TX breach notification SLA tracking
8. METRICS
| Metric | Target | Frequency |
|---|---|---|
| TDPSA processor agreements executed | 100% of applicable | Quarterly |
| CUBI compliance verification | 100% of biometric vendors | Annual |
| Universal opt-out mechanism compliance | 100% of applicable | Annual |
| Vendors with 60-day breach notification SLAs | 100% | Quarterly |
| Data protection assessments completed | 100% of high-risk processing | Semi-Annual |
| Consumer rights support verification | 100% of Critical/High | Annual |
9. EXCEPTIONS
☐ TDPSA/CUBI exceptions require approval by [CCO / General Counsel]
☐ Document compensating controls with statutory reference
☐ Maximum exception duration: [____] days
10. REVIEW CADENCE
| Field | Information |
|---|---|
| SOP Owner | [________________________________] |
| Review Frequency | Annual, or upon TX regulatory change |
| Next Review | [__/__/____] |
11. ANNEXES
Annex A: TDPSA Processor Agreement Checklist
☐ Processing limited to documented instructions (§ 541.105(a)(1))
☐ Appropriate technical and organizational security (§ 541.105(a)(2))
☐ Confidentiality obligations (§ 541.105(a)(3))
☐ Data deletion/return on termination (§ 541.105(a)(4))
☐ Audit/assessment cooperation (§ 541.105(a)(5))
☐ Subprocessor management with controller approval
☐ Consumer rights support (access, correction, deletion, portability, opt-outs)
☐ Notification if unable to meet obligations
Annex B: CUBI Compliance Checklist
☐ Informed consent obtained before capturing biometric identifiers (§ 503.001(b))
☐ Notice of purpose and duration of collection provided
☐ Biometric identifiers not sold, leased, or disclosed without consent (§ 503.001(c)(1))
☐ Stored with reasonable care, at least same standard as other confidential information (§ 503.001(c)(2))
☐ Destroyed within 1 year of purpose cessation (§ 503.001(c)(3))
☐ Written retention/destruction schedule maintained
☐ Vendor CUBI compliance verified and documented
☐ Consent forms retained for audit purposes
Annex C: Texas Breach Notification Contract Clause Requirements
For all vendor contracts involving TX resident sensitive personal information:
☐ Vendor must notify organization within [____] hours of discovering breach
☐ Notification SLA must allow compliance with 60-day consumer notification deadline (§ 521.053)
☐ Vendor must cooperate with breach investigation
☐ Vendor must support identification of affected TX residents
☐ Vendor must support AG notification when >250 TX residents affected (HB 4, 2023)
☐ Vendor must preserve evidence and provide forensic cooperation
☐ Vendor must support consumer notification content requirements
Annex D: TDPSA Processor Due Diligence Questionnaire Supplement
| # | Question | Response | Evidence |
|---|---|---|---|
| D.1 | Does the vendor process personal data only on documented instructions? | ☐ Yes ☐ No | ☐ DPA |
| D.2 | Does the vendor implement appropriate technical and organizational security? | ☐ Yes ☐ No | ☐ SOC 2 ☐ ISO 27001 |
| D.3 | Does the vendor ensure confidentiality of processing personnel? | ☐ Yes ☐ No | ☐ Policy |
| D.4 | Can the vendor delete/return data on termination? | ☐ Yes ☐ No | ☐ DPA clause |
| D.5 | Will the vendor allow audits/assessments? | ☐ Yes ☐ No | ☐ DPA clause |
| D.6 | Can the vendor support consumer rights (access, correction, deletion, portability, opt-outs)? | ☐ Yes ☐ No | ☐ Workflow docs |
| D.7 | Does the vendor recognize universal opt-out mechanisms? | ☐ Yes ☐ No | ☐ Technical verification |
| D.8 | Does the vendor obtain consent before processing sensitive data? | ☐ Yes ☐ No ☐ N/A | ☐ Consent workflows |
| D.9 | For biometric data: does the vendor comply with CUBI? | ☐ Yes ☐ No ☐ N/A | ☐ CUBI documentation |
| D.10 | Will the vendor notify if unable to meet obligations? | ☐ Yes ☐ No | ☐ DPA clause |
SOURCES AND REFERENCES
- Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code Ch. 541 (eff. July 1, 2024)
- Tex. Bus. & Com. Code § 521.053 (Breach Notification; 60-Day Deadline)
- Tex. Bus. & Com. Code § 503.001 (CUBI)
- HB 4 (88th Legislature, 2023) — Enhanced AG enforcement
- OCC Bulletin 2023-17
- DOJ Evaluation of Corporate Compliance Programs (2023)
This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.
Last updated: April 2026