Data Processing Agreement (DPA)
A contract required by every US state privacy law between a controller and any processor that handles personal data on its behalf, binding the processor to specific security, confidentiality, and subprocessor obligations.
Overview
A Data Processing Agreement (DPA) — sometimes called a "data processing addendum" or, under CCPA, a "service provider contract" — is the written agreement that governs how a processor may handle personal data entrusted to it by a controller. Without a valid DPA in place, a recipient of personal data is presumed to be a "third party" under US privacy law, which means any transfer to that recipient can qualify as a sale or a share and trigger opt-out obligations.
Every comprehensive US state privacy law mandates specific terms the DPA must contain. The required clauses are remarkably consistent across states, which means a single well-drafted DPA template can satisfy most jurisdictions simultaneously.
The DPA is the legal mechanism that lets a controller outsource processing — to a cloud host, a SaaS analytics vendor, a COI-tracking platform like Inori — without losing control over the underlying data.
When It Applies
A DPA is required before a controller discloses personal data to any entity that will process that data on the controller's behalf and under the controller's instructions. Common triggers:
- Onboarding a SaaS vendor that stores, analyzes, or acts on customer PII
- Engaging a cloud infrastructure provider (AWS, GCP, Supabase)
- Hiring a payment processor, email sender, or analytics provider
- Sharing data with a marketing platform for campaign execution on the controller's behalf
- Integrating a COI-tracking or vendor-compliance platform for commercial real estate operations
If the recipient determines its own purposes and means of processing, it is a separate controller and needs a controller-to-controller data-sharing agreement instead — not a DPA.
Required Clauses Across Jurisdictions
The consensus set of DPA terms required by CCPA/CPRA (§1798.140(ag)), VCDPA (§59.1-579), CPA (6-1-1305(5)), and the 17 comprehensive laws that followed:
| Clause | Purpose |
|---|---|
| Processing instructions | Processor acts only on documented instructions from the controller |
| Purpose limitation | Purposes are enumerated; processor cannot combine data with other sources for new purposes |
| Confidentiality | Personnel handling data are under confidentiality obligations |
| Security measures | Processor maintains "reasonable" or "appropriate" technical and organizational safeguards |
| Subprocessor flow-down | Any subprocessor is bound by equivalent terms; controller receives notice and can object |
| Assistance with DSARs | Processor helps the controller respond to consumer rights requests within the statutory timeline |
| Assistance with DPIAs | Processor provides information needed for the controller's risk assessments |
| Breach notification | Processor notifies the controller promptly of any security incident |
| Return or deletion on termination | At contract end, processor returns or deletes all controller data |
| Audit rights | Controller may audit or accept third-party audit reports (SOC 2, ISO 27001) |
California uniquely adds a prohibition on selling or sharing the personal data and on combining it with data from other sources — violations convert the processor into a "third party" and the transfer into a "sale" (see Sale of Personal Information).
How Inori Handles This
Inori operates as a processor on behalf of its customers, who are controllers of the vendor, tenant, and certificate-holder data flowing through the platform. The DPA governing this relationship lives at src/content/legal/dpa.mdx and is incorporated by reference into every paid-tier subscription.
Grounding in code:
- Instructions scope — the customer's `tenants.settings` record captures configured purposes; `src/lib/billing/quota-enforcement.ts` prevents Inori from processing beyond the declared scope.
- Subprocessors — the current list (Anthropic for COI extraction via Claude Haiku, Supabase for storage, Firebase for hosting, and previously Stripe/Resend/S3 once LLC is finalized) is exposed at `/legal/subprocessors` and tracked in `src/content/legal/subprocessors.mdx`.
- DSAR assistance — `src/app/api/dsar/` routes DSAR forwarding when a consumer contacts Inori directly about controller-owned data.
- Breach notification — incident playbook codified in `src/lib/incident/breach-notification.ts` meets the state-by-state timelines in `docs/privacy-knowledge/consolidated/COMPLIANCE_MATRIX.md` Matrix 6.
- Return-or-delete — triggered by tenant deletion; hard-purge cron (`src/app/api/cron/hard-purge-deleted-accounts`) enforces the 90-day floor.
Related Concepts
The DPA is meaningless without the controller/processor distinction it implements — see Controller vs Processor. For the risk-analysis inputs that the DPA entitles the controller to request, see DPIA. In the insurance-vendor context, the DPA typically sits alongside the Certificate of Insurance as the two instruments that govern a vendor relationship end-to-end.