Data Processing Addendum (DPA)
By executing this Agreement, [Vendor Legal Name] (“Vendor”) hereby certifies to [Company Legal Name] (“Company”) that Vendor complies with the following obligations as of the Effective Date of the Agreement and will continue to comply with the following obligations for so long as Vendor maintains a business relationship with Company or retains Company-related Personal Information (as defined below).
Definitions
Agreement – The [Agreement Name] (including this addendum) and any SOW, Insertion Order, or other referencing document.
Applicable Privacy Laws - All applicable current and future federal, state, and local laws, ordinances, regulations, and orders relating to privacy, data security, and the processing, storage, protection, and disclosure of Personal Information, including, but not limited to, the California Consumer Privacy Act, California Privacy Rights Act, Colorado Privacy Act, Virginia Consumer Data Protection Act, and similar federal or state laws.
Consumer - A natural person to whom Personal Information relates, directly or indirectly, and including, without limitation, a “consumer” as defined under Applicable Privacy Laws.
Consumer Rights Request - A request by a Consumer to exercise one or more rights provided to such Consumer under Applicable Privacy Laws.
Personal Information - Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable person or household.
Sale - Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Information to a third party for monetary or other valuable consideration. A “sale” does not include disclosure of a Consumer’s Personal Information to a third party when the Consumer uses or directs Vendor or Company, as applicable, to (i) intentionally disclose their Personal Information or (ii) intentionally interact with one or more third parties. “Sale” and its variants may be used uncapitalized in this addendum for ease of reading.
Security Breach - The unauthorized acquisition, access, use, disclosure, modification, or loss of Personal Information, or any other event that compromises the security, confidentiality, or integrity of Personal Information.
Share - Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Information to a third party for cross-context behavioral advertising or targeted advertising (as defined under Applicable Privacy Laws), whether or not for monetary or other valuable consideration. “Share” does not include disclosure of a Consumer’s Personal Information to a third party when the Consumer uses or directs Vendor or Company, as applicable, to (i) intentionally disclose their Personal Information or (ii) intentionally interact with one or more third parties. “Share” and its variants may be used uncapitalized in this addendum for ease of reading.
General Obligations
Vendor complies, and will comply at all times, with Applicable Privacy Laws.
With respect to Personal Information Vendor collects or processes on behalf of Company while providing services to Company, the following provisions apply:
Vendor will process the Personal Information specified in this Addendum solely for the limited purposes and duration specified in the Agreement or this Addendum, including Exhibit A.
Vendor understands and agrees that it will not (i) sell or share Personal Information; (ii) retain, use, or disclose Personal Information for any purpose other than the specific purpose of performing the services in the Agreement, including retaining, using, or disclosing the Personal Information for a commercial purpose other than providing the services specified in this Addendum; (iii) retain, use, or disclose Personal Information outside of the direct business relationship between Vendor and Company; (iv) disclose Personal Information to any third party except for sub-processors engaged (a) pursuant to a written contract restricting the sub-processors’ use and disclosure of such Personal Information to the same extent as Vendor and (b) after providing Company written notice of such sub-processors’ engagement to process such Personal Information to which Company has not objected within fifteen (15) business days of receiving such notice; or (v) use Personal Information to train, improve, or develop any algorithms, artificial intelligence models, machine learning systems, or similar technologies without Company's express written consent.
Personal Information shall be retained only as long as necessary to perform the contracted services, with a default maximum retention period of [12 months] after agreement termination, unless otherwise agreed in writing. For any AI, machine learning, or algorithmic uses, zero data retention applies and immediate deletion is required upon task completion, absent Company's express written consent.
To the extent prohibited by Applicable Privacy Laws, Vendor will not combine or co-mingle Personal Information it processes on behalf of third parties or itself with Personal Information it processes on behalf of Company.
Vendor will implement reasonable and appropriate physical, technical, and administrative safeguards consistent with industry standards and compliant with Applicable Privacy Laws to protect Personal Information from unwarranted, accidental, or unauthorized access, use, disclosure, modification, or loss, and will comply at all times with Exhibit B hereto.
Personal Information will be considered Company’s confidential information for all purposes.
Upon termination of the Agreement, Vendor will return or destroy, at Company’s option, Personal Information unless retention of such Personal Information is required by laws or regulations applicable to Vendor or Company consents to the retention.
Vendor will comply with all requirements, including contractual requirements, imposed by Applicable Privacy Laws upon its processing of the Personal Information even if such requirements are not enumerated herein such that Vendor will be deemed a service provider, data processor, or similar term under Applicable Privacy Laws with regard to such processing.
Vendor will provide reasonable assistance to Company to facilitate Company’s compliance with Applicable Privacy Laws.
Vendor will inform its employees, contractors, service providers, sub-processors, agents, and representatives of their compliance obligations and ensure that they comply with Applicable Privacy Laws and Vendor’s obligations hereunder to the same extent as Vendor. Vendor acknowledges and agrees that any compliance failure of its employees, contractors, service providers, sub-processors, agents, and/or representatives will be imputed to Vendor for purposes of the Agreement and this Addendum.
Security Breach Procedures and Responsibilities
Vendor shall:
Provide Company with the name and contact information for the security operations personnel of Vendor who shall serve as Company's primary security contact in resolving obligations associated with a Security Breach.
Notification Requirement: If Vendor suspects or confirms any actual or potential Security Breach affecting Personal Information, Vendor shall provide notice within twenty-four (24) hours—or sooner if required by law—via phone and email to Company’s designated security contact.
Notice Content: The notice shall include:
(a) a summary of the incident,
(b) the scope of impact,
(c) the steps taken to contain and investigate the incident, and
(d) the corrective measures undertaken.
Delivery of Notice: Vendor shall deliver such notice by email to legalnotices@sunrun.com and infosec@sunrun.com, with a copy by email to Vendor's primary business contact within Company.
Coordination: Immediately following the Vendor’s notification to Company of a Security Breach, the Parties shall coordinate a response. Vendor agrees to fully cooperate with Company in determining (i) what Personal Information was compromised, if any; (ii) what breach notifications are required by Law, if any; (iii) who is responsible under applicable law to issue breach notifications; and (iv) what other actions may be necessary to mitigate damages and legal risk arising from the Security Breach.
Root Cause Analysis (RCA): Vendor shall conduct an RCA to identify the cause of the breach, document corrective actions, and prevent recurrence. The RCA report shall be provided to Company within ten (10) business days of incident resolution.
Consumer Rights and Auditing
Consumer Rights Request Assistance: Vendor will, within fifteen (15) business days after Company’s request, provide to Company any and all relevant Personal Information in its possession or control and take all reasonable actions requested by Company, at Vendor’s expense, to assist in Company’s response to a Consumer Rights Request. Vendor will provide the requested information in a mutually acceptable electronic format. Personal Information is deemed within Vendor’s control if the Personal Information is possessed by Vendor or one of its affiliates, contractors, agents, employees, service providers, sub-processors, or representatives, or if Vendor is capable of directing the retrieval or deletion of such Personal Information. If Vendor is unable to delete all or part of a Consumer’s Personal Information for any reason, Vendor will notify Company within the time frame for deletion and specify (i) the specific pieces of Personal Information that it is unable to delete and (ii) the legal basis for its refusal to delete each piece of Personal Information. Vendor will work with Company in good faith to resolve any request for deletion that it asserts it is unable to fulfill.
Direct Consumer Rights Requests: In the event Vendor receives a Consumer Rights Request related to Personal Information, Vendor will inform the person of Vendor’s relationship with Company and instruct the person to make their Consumer Rights Request directly to Company.
Customer Inquiries: If Company receives an inquiry or complaint from a Company customer regarding Vendor’s possession or handling of Personal Information, Company may communicate that to Vendor’s primary security contact. Vendor shall provide Company the information and assistance necessary to resolve the Company customer issue.
Monitoring and Audit: Company, or Company’s designee, may monitor and audit Vendor’s use and disclosure of Personal Information for compliance with Applicable Privacy Laws and this Addendum, and Vendor will reasonably cooperate with such monitoring and auditing by Company including, without limitation, by providing documentation and other information in its possession demonstrating its compliance with Applicable Privacy Laws and this Addendum. Vendor will promptly provide written notice to Company if Vendor determines it is no longer able to meet its obligations under Applicable Privacy Laws or this Addendum. Upon receipt of such notice or after performing monitoring or auditing, Company may take actions that, in its sole discretion, are appropriate to stop and/or remediate Vendor’s unauthorized or legally noncompliant use or disclosure of Personal Information.
Data Protection Assessments: Vendor will provide reasonable assistance to Company in connection with Company’s performance of data protection assessments and cybersecurity audits required by Applicable Privacy Laws.
Indemnification for Security Breach
Pursuant to Section XX of the Agreement, Vendor shall defend, indemnify, and hold harmless Sunrun, and its officers, directors, employees, agents and subcontractors and Sunrun’s affiliates (collectively, “Sunrun Indemnitees”) from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs or expenses of whatever kind, including reasonable attorney fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers of Vendor, arising out of or resulting from any third-party claim against any Sunrun Indemnitee arising out of or resulting from a Security Breach by Vendor.
Exhibit A: Data Processing Instructions
Vendor will process Personal Information in accordance with the following instructions.
Nature and Purpose of Processing: [Insert description of “why” and “how” the processing is occurring]
Types of Personal Information to be Processed: [Insert categories and/or examples of Personal Information to be processed]
Categories of Consumers about whom Personal Information Relates: [Insert categories of consumers such as customers, prospective customers, business contacts, employees, job applicants].
Duration of Processing: Beginning on the Effective Date of this Agreement and continuing until terminated by either party in accordance with this Agreement.
Contact Details of Vendor’s Data Protection Officer or Chief Privacy Officer: [insert]
Exhibit B: Data Security Standards
Information Security Program
Vendor represents and warrants that its creation, collection, receipt, access, use, storage, disposal and disclosure of Personal Information does and will comply with all applicable federal and state privacy and data protection laws, as well as all other applicable regulations and directives.
Vendor shall implement and maintain a written information security program including appropriate policies, procedures and risk assessments. Vendor shall review its information security program at least annually and update the program as needed to address emerging cybersecurity threats.
Access Control and Authentication
Vendor shall enforce a strict least-privilege access model to ensure that only Authorized Persons with a legitimate business need have access to Personal Information. This includes robust access control policies, role-based access, and regular review of user permissions.
All systems or applications that store, process, or transmit Personal Information must enforce multi-factor authentication (“MFA”) for all administrative and privileged accounts. MFA is also strongly encouraged for all user access to systems containing Personal Information.
Vulnerability and Patch Management
Vendor will implement a formal vulnerability and patch management program. Critical and high-severity vulnerabilities identified in Vendor’s environment must be patched or remediated within a defined timeframe (e.g., 30 days) unless otherwise agreed to in writing. Security patches and updates shall be routinely applied to all systems and applications handling Personal Information.
Monitoring and Logging
Vendor must maintain comprehensive audit logs of all access to systems containing Personal Information. Logs must capture key security events (login attempts, data modifications, security changes, etc.) and must be retained in accordance with Applicable Privacy Laws and industry best practices. Vendor shall regularly review such logs to detect anomalous activity and respond in a timely manner.
Sub-processor Management
Vendor shall contractually require all sub-processors to implement and maintain the same or higher level of data protection, security controls, and incident response obligations outlined in this document. Vendor remains fully liable for the acts and omissions of its sub-processors.
Auditing and Assessment
Vendor shall undergo an annual independent security assessment or audit (e.g., SOC 2 Type II, ISO 27001, or equivalent) and shall, upon request, provide Sunrun with summaries of the assessments, including findings and remediation actions. Sunrun may also request documentation demonstrating Vendor’s ongoing compliance with industry standards.
Incident Response and Training
Vendor shall maintain a written incident response plan that addresses preparation, detection, analysis, containment, eradication, and recovery from security incidents. Vendor’s plan shall be tested and updated at least annually to ensure effectiveness.
In addition to annual security awareness training, Vendor shall conduct periodic, targeted training for employees with elevated privileges or those who handle Personal Information as part of their primary job function. This training shall include phishing simulations, secure coding practices (if applicable), and current best practices for handling sensitive data.
Data Handling and Disposal
Vendor shall implement and maintain a formal data classification policy that clearly designates types of data based on sensitivity, value, and regulatory requirements. Handling rules must be aligned with the classification level and must include specific controls for higher-risk data elements (e.g., SSNs, financial information).
At a minimum, Vendor’s safeguards for the protection of Personal Information shall include:
(i) limiting access of Personal Information to Authorized Persons;
(ii) securing business facilities, data centers, paper files, servers, backup systems and computing equipment, including all mobile devices and other equipment with information storage capability;
(iii) implementing network, application, database and platform security;
(iv) securing information transmission, storage and disposal;
(v) implementing authentication and access controls within media, applications, operating systems and equipment;
(vi) strictly segregating Personal Information from information of Vendor or its other customers so that Personal Information is not commingled with any other types of information;
(vii) conducting risk assessments, penetration testing and vulnerability scans and promptly implementing a corrective action plan to correct any issues that are reported as a result of the testing;
(viii) implementing appropriate personnel security and integrity procedures and practices, including conducting background checks consistent with applicable law; and
(ix) providing appropriate privacy and information security training to Vendor’s employees.
Vendor shall dispose of or securely destroy Personal Information using methods that render the information unrecoverable (e.g., secure shredding, cryptographic erasure, or physical destruction of media), consistent with NIST SP 800-88 Guidelines for Media Sanitization or equivalent standards, immediately upon the conclusion of the retention period or at Sunrun’s instruction, unless otherwise required by law.
Vendor shall maintain a disciplinary process to address any unauthorized access, use or disclosure of Personal Information by any of Vendor’s officers, partners, principals, employees, agents or vendors.