Data Processing Agreements: What Your Vendor Contracts Must Include When Third Parties Handle Customer Data

When a business shares customer data with a vendor (a payment processor, a cloud hosting provider, an analytics platform, a CRM system, an email marketing service, or any other third party that receives, stores, or processes personal information on the business's behalf), the relationship must be governed by a written contract that specifies how the vendor handles the data, what it can and can't do with it, and what happens when the relationship ends.

Under the TDPSA, a written contract between a controller and a processor is mandatory. Under the CCPA/CPRA, a written agreement with every service provider and contractor that receives personal information is required. Every other comprehensive state privacy law imposes a similar requirement. And even where no statute mandates one, a data processing agreement (DPA) protects the business if the vendor mishandles data, because without a DPA the business has no contractual basis for holding the vendor accountable.

If a payment processor suffers a data breach affecting your customers, your customers look to you. If an analytics vendor uses your customer data for its own advertising purposes, the CCPA treats that as a "sale" of personal information by your business. The DPA is the mechanism that prevents both scenarios by binding the vendor to the same privacy obligations the business owes its customers.

When a DPA Is Required

Under the TDPSA (Texas Business and Commerce Code § 541.054), a controller must establish a written contract with every processor that processes personal data on the controller's behalf. A "processor" is any entity that processes personal data on behalf of a controller, as distinguished from a controller (which determines the purposes and means of processing).

Under the CCPA/CPRA (Cal. Civ. Code § 1798.100(d) and CCPA Regulations 11 CCR § 7051), a business must have a written contract with every "service provider" (an entity that processes personal information on behalf of a business for a business purpose) and every "contractor" (a broader category that includes anyone to whom a business makes personal information available for a business purpose). California also requires contracts with "third parties" to whom the business sells or shares personal information, though those contracts have different requirements than service provider and contractor agreements.

Virginia (VCDPA § 59.1-579), Colorado (CPA § 6-1-1305), and Connecticut (CTDPA § 42-520) all require controller-processor contracts using substantially similar frameworks.

In practice, if your business processes personal data from residents of any state with a comprehensive privacy law and shares that data with any vendor, you need a DPA.

What the DPA Must Include

Core requirements are consistent across state privacy laws, though the specific language varies. A DPA that satisfies the TDPSA and the CCPA's requirements will satisfy most other state laws as well.

Processing instructions. The DPA must specify the purposes for which the processor may process personal data. Under both the TDPSA and the CCPA, the processor may process personal data only in accordance with the controller's documented instructions. Processing for any purpose other than the specified business purpose is prohibited.

Nature and purpose of processing. The DPA must describe what the vendor does with the data (stores it, analyzes it, transmits it, renders it into reports) and why (to provide the contracted service, to support the business's operations, to fulfill a specific function).

Type of data processed. The DPA should identify the categories of personal data the vendor receives (names, email addresses, payment information, browsing activity, geolocation, or whatever categories apply to the relationship). If sensitive data is involved (health information, biometric data, children's data, precise geolocation), the DPA should address it separately because sensitive data processing triggers heightened obligations under both the TDPSA and the CCPA.

Duration of processing. The DPA should specify how long the vendor retains the data and what happens when the retention period expires or when the business relationship ends.

Confidentiality. The vendor must impose confidentiality obligations on its personnel who handle the data. Employees and subcontractors who access personal data must be subject to confidentiality agreements or statutory confidentiality obligations.

Security obligations. The vendor must implement and maintain reasonable administrative, technical, and physical security measures appropriate to the volume and sensitivity of the data it processes. Rather than leaving "reasonable security" undefined, tie the obligation to a recognized standard (SOC 2 Type II compliance, ISO 27001 certification, NIST Cybersecurity Framework, or a comparable framework appropriate to the vendor's industry and the sensitivity of the data).

Sub-processor requirements. If the vendor uses sub-processors (downstream vendors that process personal data on the vendor's behalf), the DPA must address whether the vendor can engage sub-processors without the controller's prior written consent or on a notification-only basis, whether the same data protection obligations flow down to sub-processors, and what happens if a sub-processor fails to comply. Most privacy laws require that sub-processors be bound by the same obligations as the primary processor.

Breach notification. The vendor must notify the controller of any actual or suspected data breach affecting the controller's personal data within a specified timeline. Under Texas law, a data custodian that maintains but doesn't own sensitive personal information must notify the data owner "immediately" upon discovering a breach (§ 521.053(c)). DPA breach notification timelines of 48 to 72 hours give the controller enough time to meet its own notification obligations (60 days for individuals, 30 days for the AG under Texas law). A DPA that allows the vendor 30 days to notify the controller leaves the controller with almost no response time.

Assistance with consumer rights requests. When a consumer submits a request to access, delete, correct, or port their data, the controller may need the vendor's cooperation to fulfill the request. The DPA should require the vendor to assist the controller in responding to consumer rights requests, including providing data held by the vendor in a format the controller can use to fulfill the request.

Data return and deletion upon termination. When the business relationship ends, the vendor must return all personal data to the controller in a usable format and delete all copies of personal data from its systems within a defined period, with written confirmation of deletion upon request. Without this provision, the vendor may retain the data indefinitely after the relationship ends, which violates data minimization requirements under both the TDPSA and the CCPA.

Audit and assessment rights. The controller must have the right to verify the vendor's compliance with the DPA. This can be satisfied through the vendor providing its SOC 2 Type II report or equivalent audit documentation annually, the controller retaining the right to conduct or commission an independent audit of the vendor's data protection practices (typically limited to once per year with reasonable advance notice), and the vendor cooperating with data protection assessments that the controller is required to conduct under the TDPSA or other state privacy laws.

The CCPA's Additional Requirements

California's CCPA Regulations (11 CCR § 7051) impose nine mandatory contract terms for service providers and contractors that go beyond the baseline requirements of other state laws.

Service providers and contractors must contractually agree not to sell or share personal information received from the business, not to retain, use, or disclose personal information for any purpose other than the business purpose specified in the contract (including not using it for the vendor's own commercial purposes), not to combine personal information received from the business with personal information from other sources (unless permitted by the CCPA for a specific purpose), and to comply with the CCPA and provide the same level of privacy protection as the CCPA requires.

Contractors must additionally certify that they understand these restrictions and will comply with them. Service providers don't have this certification requirement, but the substantive restrictions apply to both.

California's regulations also require the business to maintain the ability to exercise its rights under the contract, including conducting audits and taking remedial action when the vendor fails to comply. A business that never exercises its audit rights or enforces the contract may find that its statutory defense (that the vendor was operating as a service provider) is unavailable when the regulator investigates.

Vendor Standard DPAs

Most SaaS vendors and cloud platforms present their DPA as a standard, non-negotiable document. For small and mid-size businesses, accepting the vendor's standard DPA may be the only option if the vendor doesn't negotiate individual terms.

Before accepting a vendor's standard DPA, review it against the TDPSA's and the CCPA's requirements. Confirm that the DPA restricts the vendor from using the data for its own purposes (many standard DPAs carve out the right to use aggregated or anonymized data for the vendor's product improvement, which may or may not comply with the CCPA depending on how "anonymized" is defined). Confirm that the breach notification timeline is 72 hours or less (some standard DPAs specify "without undue delay" or "within 30 days," which may not give the controller enough time). Confirm that sub-processor requirements include notification and flow-down of obligations (some standard DPAs allow the vendor to engage sub-processors without notice). And confirm that the data deletion provision includes written confirmation and a defined timeline (some standard DPAs reserve the right to retain data in backup systems for extended periods).

If the vendor's standard DPA doesn't satisfy your obligations, negotiate the specific provisions that fall short or document the deficiency in your data protection assessment so the business can make an informed risk decision.

Practical Recommendations

Inventory every vendor that receives personal information from your business. Payment processors, email platforms, analytics providers, CRM systems, cloud hosting, HR software, customer support tools, advertising platforms, and any other vendor that touches customer or employee data should have a DPA in place.

Use a single DPA template that satisfies both the TDPSA and the CCPA. California's requirements are the most prescriptive, and a DPA that complies with California will satisfy Texas and every other state privacy law's processor contract requirements. Start with California as the baseline and layer any Texas-specific provisions on top.

Negotiate breach notification timelines of 48 to 72 hours. A vendor that takes 30 days to notify you of a breach leaves you with no response time to meet your own statutory deadlines. If the vendor won't negotiate, document the risk in your data protection assessment.

Exercise your audit rights. Request the vendor's SOC 2 report annually, review it, and document the review. Under the CCPA, a business that never exercises its audit rights may lose the ability to claim the vendor was operating as a service provider, which shifts liability to the business for the vendor's data practices.

Review and update DPAs annually and whenever the vendor's services, data practices, or sub-processor relationships change. A DPA drafted three years ago for a vendor that has since added new data collection features, engaged new sub-processors, or expanded into new processing activities may no longer reflect the relationship or satisfy current regulatory requirements.

Need advice tied to your business issue?

Share the issue. Get direct attorney review. Receive a concrete recommendation.

Submit an Inquiry