Common Paper Data Processing Agreement
This is a fillable cover page for the Common Paper Data Processing Agreement. The binding terms are the external Standard Terms linked below — fill the fields here, then download the Word file to execute.
Parties
| Field | Description | Default |
|---|---|---|
| Company Name | Official company name | |
| Customer Contact Name | Customer contact name | |
| Customer Contact Title | Customer contact title | |
| Customer Address | Customer's physical address | |
| Provider Contact Name | Provider contact name | |
| Provider Contact Title | Provider contact title | |
| Provider Address | Provider's physical address | |
| Physical Address | Physical address for notifications | |
| Contact Address | Email and/or physical address | |
Service
| Field | Description | Default |
|---|---|---|
| Product Name | Name of product or service | |
Terms
| Field | Description | Default |
|---|---|---|
| Underlying Agreement | Name and date of the underlying agreement | |
| Provider Role | Provider's role (Controller or Processor) | |
| Custom Option | Custom option for selections | |
| Custom Options | Multiple custom options | |
| Url | URL for references | |
| Csa Reference | Common Paper CSA reference | |
| Non Csa Reference | Non-CSA agreement reference | |
| Text Box | General text box entry | |
Legal
| Field | Description | Default |
|---|---|---|
| Governing Law | Governing law state/province/country | |
| Eu Member State | EU Member State for disputes | |
| Uk Governing Law | UK governing law selection | |
| Dpa Covered Claims Detail | Specific scope of DPA Covered Claims (e.g., breach of DPA, gross negligence resulting in Security Incident) | |
| Has Dpa Governing Law | Set to true when DPA-specific governing law overrides the Agreement's governing law clause. | |
| Has Ccpa Terms | Set to true when California Consumer Privacy Act (CCPA) terms are included in the DPA. | |
Privacy
| Field | Description | Default |
|---|---|---|
| Subprocessor Name | Subprocessor name | |
| Countries List | List of all countries for data transfers | |
| Security Measures | Description of security measures | |
| Policy Url | URL of where to find policies | |
| Has Subprocessor | Set to true when a pre-approved subprocessor is specified. | |
| Has Eea Transfers | Set to true when EEA data transfer mechanisms are specified. | |
| Has Uk Transfers | Set to true when UK data transfer mechanisms are specified. | |
| Data Subject End Users | Set to true when end users or customers are included as data subjects. | |
| Data Subject Employees | Set to true when employees are included as data subjects. | |
| Data Subject Custom | Set to true to include a custom data subject category. Specify in custom_option. | |
| Pd Name | Set to true when Name is a category of personal data processed. | |
| Pd Contact | Set to true when contact information (email, phone, address) is a category of personal data processed. | |
| Pd Employment | Set to true when employment information (employee ID, compensation) is a category of personal data processed. | |
| Pd Financial | Set to true when financial information (bank account numbers) is a category of personal data processed. | |
| Pd Professional | Set to true when professional or biographic information (resume, CV) is a category of personal data processed. | |
| Pd Transactional | Set to true when transactional information (account info, purchases) is a category of personal data processed. | |
| Pd User Activity | Set to true when user activity and analysis (device info, IP address) is a category of personal data processed. | |
| Pd Location | Set to true when location information is a category of personal data processed. | |
| Pd Custom | Set to true to include a custom personal data category. Specify in custom_option. | |
| Processing Continuous | Set to true when data processing is continuous. | |
| Processing Frequency Custom | Set to true to specify a custom processing frequency. Specify in custom_options. | |
| Pa Receiving | Set to true when receiving data (collection, accessing, retrieval) is a processing activity. | |
| Pa Holding | Set to true when holding data (storage, organization, structuring) is a processing activity. | |
| Pa Using | Set to true when using data (analysis, consultation, testing) is a processing activity. | |
| Pa Updating | Set to true when updating data (correcting, adaptation, alteration) is a processing activity. | |
| Pa Protecting | Set to true when protecting data (restricting, encrypting, testing) is a processing activity. | |
| Pa Sharing | Set to true when sharing data (disclosure, dissemination) is a processing activity. | |
| Pa Returning | Set to true when returning data to the data exporter or data subject is a processing activity. | |
| Pa Erasing | Set to true when erasing data (destruction, deletion) is a processing activity. | |
| Pa Custom | Set to true to include a custom processing activity. Specify in custom_options. | |
Security
| Field | Description | Default |
|---|---|---|
| Other Security Certification | Name of additional security certification (e.g. "ISO 27701 Privacy Information Management") | |
| Dpa Security Reasonable Efforts | Set to true when Provider will use commercially reasonable efforts to secure the Service from unauthorized access. | |
| Has Dpa Security Policy | Set to true when Provider has a Security Policy available at the specified policy_url. | |
| Has Dpa Security Certifications | Set to true when Provider maintains annually updated security reports or certifications. | |
| Cert Iso 27001 | Set to true when Provider holds ISO 27001 certification. | |
| Cert Penetration Testing | Set to true when Provider performs regular penetration testing. | |
| Cert Soc2 Type1 | Set to true when Provider holds SOC 2 Type I certification. | |
| Cert Pci Level1 | Set to true when Provider holds PCI Level 1 certification. | |
| Cert Soc2 Type2 | Set to true when Provider holds SOC 2 Type II certification. | |
| Cert Pci Level2 | Set to true when Provider holds PCI Level 2 certification. | |
| Cert Hipaa | Set to true when Provider holds HIPAA certification. | |
| Cert Fedramp | Set to true when Provider holds FedRAMP Authorization. | |
| Cert Other | Set to true to include an additional security certification. Specify the certification in other_security_certification. | |
| Security Measures See Policy | Set to true when security measures reference the Security Policy. | |
| Security Measures Custom | Set to true to include custom security measures. Specify in custom_option. | |
| Sm Pseudonymization | Set to true when pseudonymization and encryption of personal data is a security measure. | |
| Sm Confidentiality | Set to true when ensuring ongoing confidentiality, integrity, availability, and resilience is a security measure. | |
| Sm Restore | Set to true when ability to restore availability and access after incidents is a security measure. | |
| Sm Testing | Set to true when regular testing and evaluation of security measures is a security measure. | |
| Sm User Auth | Set to true when user identification and authorization process protection is a security measure. | |
| Sm Transit | Set to true when protecting personal data during transmission (in transit) is a security measure. | |
| Sm Storage | Set to true when protecting personal data during storage (at rest) is a security measure. | |
| Sm Physical | Set to true when physical security of processing locations is a security measure. | |
| Sm Logging | Set to true when events logging is a security measure. | |
| Sm Config | Set to true when systems configuration and default configuration is a security measure. | |
| Sm Governance | Set to true when internal IT and IT security governance and management is a security measure. | |
| Sm Certification | Set to true when certification or assurance of processes and products is a security measure. | |
| Sm Minimization | Set to true when data minimization is a security measure. | |
| Sm Quality | Set to true when ensuring data quality is a security measure. | |
| Sm Retention | Set to true when ensuring limited data retention is a security measure. | |
| Sm Accountability | Set to true when ensuring accountability is a security measure. | |
| Sm Portability | Set to true when allowing data portability and ensuring erasure is a security measure. | |
Liability
| Field | Description | Default |
|---|---|---|
| Cap Multiplier | Liability cap multiplier | |
| Greater Of Dollar | Dollar amount for the greater-of liability cap | |
| Indemnification Csa Reference | Set to true when using Common Paper CSA-style indemnification reference for DPA Covered Claims. | |
| Indemnification Non Csa Reference | Set to true when using non-CSA indemnification language for DPA Covered Claims. | |
| Cap Csa Reference | Set to true when using CSA-style Increased Claim cap for DPA Covered Claims. | |
| Cap Non Csa Reference | Set to true when using non-CSA liability cap language for DPA Covered Claims. | |
Signature Block
| Field | Description | Default |
|---|---|---|
| Provider Signatory Type | Whether the Provider signatory is an entity or individual | entity |
| Provider Signatory Name | Full legal name of the Provider's signatory | |
| Provider Signatory Title | Title/role of the Provider's signatory (entity only) | |
| Provider Signatory Company | Company name for the Provider signatory (entity only) | |
| Customer Signatory Type | Whether the Customer signatory is an entity or individual | entity |
| Customer Signatory Name | Full legal name of the Customer's signatory | |
| Customer Signatory Title | Title/role of the Customer's signatory (entity only) | |
| Customer Signatory Company | Company name for the Customer signatory (entity only) | |
This template is a drafter's starting point, provided for workflow support only. It does not constitute legal advice.