A data processing addendum (DPA) is the part of a SaaS contract that governs how the vendor handles personal data on the customer's behalf. In the US, DPAs are no longer optional add-ons — they are increasingly required by state privacy laws (CCPA/CPRA in California, CPA in Colorado, VCDPA in Virginia, and a growing list of others), by sector-specific laws like HIPAA, and by international counterparties operating under GDPR. The gap between a 'real' DPA and a 'paper' DPA is wide. A real DPA imposes data minimisation, purpose limitation, sub-processor controls, security obligations, breach notification timelines, and customer audit rights. A paper DPA recites privacy law terms at a high level but gives the customer no operational rights. The terms that distinguish them — sub-processor consent, breach notification windows, audit frequency — are where the negotiation should focus.
What is a Data Processing Addendum?
A data processing addendum (DPA) in a US SaaS context is a contractual annex to a master agreement establishing the vendor's role as a service provider, processor, or business associate (depending on applicable law) and specifying the terms governing personal data handling. It is required (in substance) by: California Civil Code § 1798.140(ag) and § 1798.100 (CCPA service provider contract requirements); HIPAA (45 C.F.R. § 164.504(e)) for covered entities and business associates; state insurance and financial laws (e.g., NAIC Insurance Data Security Model Law); and contractually by any customer subject to GDPR for cross-border transfers.
Red flags to watch for
Under CCPA § 1798.140(ag), a service provider may not retain, use, or disclose personal information for any purpose other than performing services specified in the contract. A DPA that allows vendor independent use of customer data — for product improvement, analytics, or marketing — converts the vendor to a controller/business and triggers customer disclosure obligations to data subjects.
Customer-facing DPAs under GDPR Article 28 typically require advance, specific consent or a right to object to new sub-processors. A blanket consent at signing — with no notification of new sub-processors and no objection right — strips you of the right to know who actually processes your data.
GDPR Article 33 imposes a 72-hour notification obligation on controllers, which means processors must notify controllers without undue delay and ideally within 24 hours. State laws vary (e.g., 30 days under California Civil Code § 1798.82). Vendor DPAs that allow 5, 10, or 30 days for vendor-to-customer breach notification can put you in breach of your own obligations.
Article 28 GDPR and many state laws require the customer to have the ability to verify processor compliance. A DPA that limits audit rights to a once-yearly review of the vendor's SOC 2 report — without the right to conduct on-site audit on suspicion of breach — may not be sufficient for sensitive use cases.
Under HIPAA, Office for Civil Rights penalties for breaches can reach $2.067 million per violation per year (2025 inflation-adjusted). State privacy laws impose statutory damages under CCPA § 1798.150 of $100–$750 per consumer per incident. A vendor liability cap at 12 months of fees may be inadequate against this exposure — sensitive customers should negotiate uncapped liability for data breaches.
GDPR Article 28(3)(g), CCPA § 1798.105 (deletion rights), and HIPAA business associate agreement requirements all anticipate data return or destruction at termination. A DPA that conditions return on payment of an extra fee — or limits return to specified formats — can compromise your statutory obligations to data subjects.
Your legal rights
US customers using SaaS vendors for personal data processing are protected by: the California Consumer Privacy Act / California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.); the Colorado Privacy Act (Colo. Rev. Stat. §§ 6-1-1301 et seq.); the Virginia Consumer Data Protection Act (Va. Code §§ 59.1-575 et seq.); the Connecticut Data Privacy Act, Texas Data Privacy and Security Act, and other state laws; HIPAA (42 U.S.C. § 1320d, 45 C.F.R. Parts 160 and 164) for protected health information; the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801 et seq.) for financial information; sector-specific laws (FERPA for education, COPPA for children's data); and contractually by GDPR (where the customer is subject to it). Enforcement is by state attorneys general, the FTC under Section 5 of the FTC Act, the Office for Civil Rights (HIPAA), and private rights of action under specific statutes.
Questions to ask before you sign
1. Is the vendor classified as a service provider/processor with no independent right to use customer data?
2. How is sub-processor consent handled — advance notification, objection rights, or blanket consent?
3. What is the breach notification window from vendor awareness — 24 hours, 72 hours, 30 days?
4. What audit rights do I have, and can I conduct an on-site audit on suspicion of a breach?
5. Is liability for data breaches uncapped, or limited — and what is the cap?
6. What is the data return and destruction process at termination, and is it included or fee-based?
Disclaimer: This guide is for educational purposes only and does not constitute legal advice. Contract law varies by jurisdiction and individual circumstances. Always consult a qualified legal professional before making decisions based on this information.