Data Processing Agreement

About this Common Paper agreement

How was this agreement created?

The Common Paper DPA was created by a committee of dozens of attorneys representing technology vendors, procurement teams, boutique firms, and Big Law.

I see this agreement is hosted online. Does that mean it will change?

Version 1 of this agreement will remain unchanged and hosted at commonpaper.com/standards/data-processing-agreement/1.0. Over time, we will create new versions to accommodate changes to the law and additional use cases. We expect future changes to occur infrequently, and they will be posted as a new version. However, any new versions will not change agreements that incorporate prior versions.

How do I use this agreement?

To execute an agreement using the Common Paper DPA, first download a copy of the Cover Page in your preferred format. Then fill out the details of your agreement like approved subprocessors, and the details required in the SCC annexes like the categories of personal data being processed. Finally, sign your Cover Page with your counterparty via the signing process of your choice. The Cover Page incorporates the Standard Terms by reference, completing the executed agreement.

Do I have to incorporate the Standard Terms by reference?

You can also download the full version of the agreement here and include the Standard Terms in the agreement itself.

Can I customize the Cover Page?

Yes, you can feel free to change the Cover Page any way you like. Many companies decide to add their company branding or logo and edit some of the text. The only thing you are required to keep is the license information and link to the Standard Terms.

Can I customize the Standard Terms?

All modifications to the Standard Terms should be made by addendum on the Cover Page. Incorporating the Standard Terms by reference from the Common Paper website gives both sides assurance that all key details and modifications are explicitly called out in the Cover Page.

What license is this agreement released under?

Common Paper agreements are free to use and modify under CC BY 4.0.

What is GDPR?

GDPR or General Data Protection Regulation is a regulation that protects an individual’s personal data in Europe (EU) and the European Economic Area (EEA). It was adopted into UK law following the UK’s departure from the EU. The GDPR restricts what companies can and cannot do with the personal data of EU/EEA individuals. It also restricts companies from transferring personal data of an EU/EEA individual to a country outside of the EU/EEA without appropriate safeguards in place.

What are the SCCs?

The SCCs (short for standard contractual clauses and sometimes called the model clauses) are published and released by the European Commission as one way to allow for data transfers from the EU/EEA to outside of the EU/EEA. The SCCs contain contractual clauses to ensure appropriate data protection safeguards are established and followed under GDPR.

What version of the SCCs does this use?

The Common Paper DPA incorporates the new SCCs published in June 2021 following Schrems II. If this makes no sense to you, it means that the Common Paper DPA takes into account the most recent information as of the date of release.

Can I use this DPA for all processing activities?

No. The Common Paper Committee decided to create a simple DPA that everyone could understand. To remove complexity, the DPA was designed to support the most common scenario for cloud and hosted services: Controller-to-Processor and Processor-to-Processor relationships that include a cross-border transfer from within the EU/EEA to outside the EU/EEA. So this Common Paper DPA is not meant for Controller-to-Controller, Processor-to-Controller, or Joint Controller relationships, or for data transfers within the EU/EEA. If you need a DPA for these other situations, let us know.

Can I use this for compliance with CCPA or other data privacy regulations?

No, the Common Paper DPA is only designed for GDPR compliance. However, the Cover Page includes optional language to establish a service provider relationship under the California Consumer Privacy Act (CCPA). In addition, the Common Paper Committee is working on standard agreements for other data privacy regulations.