🇺🇸 United States · DPA Generator
A complete Data Processing Agreement Word document tailored to a named AI vendor + service: 12 main DPA clauses + Schedule 1 Particulars of Processing (Art. 28(3) mandatory schedule) + Schedule 2 Technical and Organisational Measures (12 control domains × measure × implementation × evidence) + Schedule 3 Sub-Processors (pre-populated with typical sub-processors for the named vendor, with explicit verify-against-vendor callout) + Schedule 4 International Transfer Mechanism + Annex A AI-Specific Contract Terms (6 AI clauses covering training-data restrictions, IP ownership, automated decision-making transparency, bias and fairness, AI error liability, model-update notification + exit rights) + Annex B Negotiation Checklist (10 items with vendor positions, your counter-positions, red flags, and fallback positions) + Annex C Qualified Legal Review Notes (consolidated list of inline review-required callouts grouped by counsel competence) + signature blocks.
The output is anchored on the regulations that apply to AI deployments in US. The top frameworks cited:
Developers of covered ADMT must give deployers technical documentation (intended uses, categories of training data, known limitations, usage instructions); deployers must notify individuals before ADMT use in a consequential decision and disclose an adverse outcome within 30 days; consumers may request data correction and meaningful human review. Core obligations begin 1 January 2027.
AI developers and deployers must avoid prohibited uses, provide clear disclosures when consumers interact with AI in consequential contexts, conduct algorithmic-discrimination assessments for in-scope systems, and report adverse incidents to the Texas Attorney General. Compliance with NIST AI RMF and recognised standards is treated as a rebuttable presumption of reasonable care.
Businesses must disclose automated decision-making logic upon consumer request, allow opt-out of profiling for targeted advertising or significant decisions, and conduct and document risk assessments for high-risk data processing activities.
Operators of bots that interact with California consumers in commercial or electoral contexts must clearly and conspicuously disclose that the consumer is communicating with a bot, with the disclosure designed to inform a reasonable person communicating with the bot. Disclosure must not be hidden behind interaction or buried in a privacy notice.
You describe your organisation, the AI vendor (Processor), the AI service being procured, and the categories of personal data the service will process. The tool maps your jurisdiction + industry + risk appetite into a structured, schedule-based DPA ready to redline with your legal team.
The DPA follows the format working contract lawyers recognise — main clauses for the contractual body, schedules for the GDPR Art. 28(3) particulars (subject matter / duration / nature / purpose / data categories / data subject categories), schedules for the operational details (TOMs, sub-processors, transfer mechanism), and annexes for the AI-specific protections + negotiation positions + consolidated review-required notes. Risk-appetite-driven defaults (security standard, audit notice, breach window, liability cap, model-update notice) are internally consistent across clauses, schedules, and the negotiation checklist. This is an AI-assisted drafting aid intended to accelerate review by qualified data-protection counsel.
$39 · one-time — answer a 6-question intake (including jurisdiction = US), and download your tailored document immediately.
Generate DPA →Also available framed for your sector → see industry-specific pages