SaaS Contracts · Memo

Data Processing Addenda Under CCPA/CPRA for Cross-Border SaaS

I want to walk through the DPA structure I now treat as the floor for any cross-border SaaS deal touching California residents, and to be candid about the parts of the rulebook that are still moving.

The CCPA, as amended by the CPRA, brought California's data-processing framework closer in spirit to the GDPR than counsel often acknowledge. The California Privacy Protection Agency (CPPA) has used its rulemaking authority and a growing pile of enforcement advisories to push the framework even further toward processor-controller formalism. For cross-border SaaS deals, the practical effect is that the DPA you sign with a US vendor for European customers, the DPA you sign with the same vendor for California customers, and the DPA you sign with a Singapore or Tokyo affiliate for the same workload are converging on the same structural skeleton. The drafting work is not about choosing which framework controls. It is about layering them.

What CCPA/CPRA actually requires in a service-provider contract

Cal. Civ. Code section 1798.140(ag) defines a service provider and section 1798.140(ah) defines a contractor. The status matters because liability allocation, downstream use restrictions, and the right to audit all flow from it. The contract requirements are spelled out in section 1798.140(ag)(1)(A) through (E) and the CPPA regulations at Cal. Code Regs. tit. 11 sections 7050 and 7051. Drafted minimally, the contract must (a) specify that the personal information is disclosed only for limited and specified purposes; (b) require the service provider to comply with applicable obligations under the CCPA and to assist the business in meeting its CCPA obligations; (c) grant the business the right to take reasonable and appropriate steps to ensure that the service provider uses the personal information in a manner consistent with the business's obligations; (d) require the service provider to notify the business if it determines it can no longer meet its obligations; and (e) grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use.

The CPPA's 2024 regulations added detail on what counts as 'reasonable and appropriate steps' and made clear that a generic SOC 2 report is not, by itself, a sufficient audit substitute. The position counsel sometimes float in negotiations, that the vendor's SOC 2 satisfies the audit right, is not what the regulators are saying. I would expect every DPA to include either an annual right of audit at the business's cost on reasonable notice or a substitute mechanism (a current third-party assessment with scope sufficient to cover the processing activities) that the business is contractually entitled to receive.

The GDPR overlay

Most US SaaS vendors I work with use a single DPA built off the EU Standard Contractual Clauses (the 2021 SCCs) and add a CCPA addendum. The structural advantage is that the GDPR's Article 28 requirements are stricter on most points than CCPA's section 1798.140. If the vendor has built the GDPR pipes, the CCPA add-on is mostly definitional cleanup. Three points still need express California drafting.

First, the sale and share definitions. CPRA distinguishes between selling personal information and sharing it for cross-context behavioral advertising. The DPA needs an explicit no-sale, no-share representation from the service provider with respect to personal information disclosed under the agreement, and that representation should track the statutory definitions rather than restate them in conversational language. Second, sensitive personal information. Section 1798.140(ae) defines a category that includes some data EU practice treats as Article 9 special category data and some it does not. The DPA needs a flag for which fields in the dataset count as sensitive personal information under California's definition, even where the GDPR analysis says otherwise. Third, the deletion and correction obligations. CCPA's correction right (added by CPRA) imposes a service-provider obligation that the GDPR's rectification right does not map onto cleanly. The DPA needs a section that flows down the section 1798.106 obligation specifically.

Cross-border transfer mechanics

If the vendor processes data outside the US, two things matter. For European data subjects routed through the US deal, the EU-US Data Privacy Framework provides one transfer basis if both parties are self-certified and the relevant cluster of the framework applies to the workload. If the vendor is not certified, fall back on the 2021 SCCs with the United Kingdom Addendum if UK data is in scope. For Asian jurisdictions (Singapore, Japan, Korea, India), the analysis is more bespoke. Singapore's PDPA and Japan's APPI both have data-transfer rules that look superficially similar to GDPR's but read very differently on enforcement. I would not assume the SCCs do the work.

CCPA's role here is mostly about the downstream flow. If a California resident's data is sent from the business to a US vendor, then from the US vendor to a sub-processor in Singapore, the sub-processor contract must contain the same protections as the prime DPA. CPPA regulations at section 7051 are explicit on the flow-down requirement. The contract drafting move I make: include a sub-processor schedule with named entities, country of processing, purpose, and a thirty-day notice requirement for changes. Some vendors will resist naming every sub-processor. The reasonable compromise is naming all material sub-processors and granting the business the right to object to a new sub-processor (with the business's options on objection narrowly defined to avoid converting it into a unilateral termination right).

What CPPA enforcement has signaled

I am going to flag uncertainty here. The CPPA has been active since 2024 but its enforcement docket is still small. The first round of administrative actions has focused on (a) consumer-facing notice failures, (b) failures to honor opt-out signals (specifically Global Privacy Control), and (c) service-provider contracts that lack the section 1798.140(ag)(1) language. The Sephora settlement under the AG's prior authority (2022) is the most-cited precedent and it predates the CPPA rulemaking. The enforcement curve from 2025 onward will set the tone, and counsel should track CPPA advisories rather than relying on what worked in 2023.

The drafting implication: assume CPPA reads the contract literally. If the section 1798.140(ag)(1) elements are present but generic, expect that on audit the regulator will ask for evidence of the operational controls behind each obligation. Service providers that have a DPA but no documented breach-notification runbook, no documented sub-processor list, and no documented audit response will not have a good day. I include in every DPA a short compliance addendum that requires the service provider to maintain those artifacts and to make them available on request. It is administrative, but it is also the difference between a clean audit and a contested one.

The line I draw on warranties

One vendor-side trap. Vendors often add a representation that they comply with all applicable privacy laws. Customers should not accept that as a substitute for the specific CCPA flow-downs. A general compliance warranty is hard to enforce, easy to disclaim, and capped under the agreement's liability limits. The specific CCPA, GDPR, and other regime obligations should be in the DPA itself with their own breach-notification trigger and their own carve-out from the cap if the customer's regulatory exposure warrants it. For most enterprise deals, I push the customer to negotiate a privacy super-cap of at least three to five times the annual fees with a willful-misconduct uncap.

None of this is exotic. What is exotic, and what I keep seeing, is contracts that were drafted in 2020 with a one-paragraph CCPA addendum that has not been refreshed for CPRA, the 2024 regulations, or the cross-border transfer rules. If counsel inherits a portfolio of DPAs that predate the current rulebook, the cleanup is worth the effort. The exposure from a contract that names the wrong statute and the wrong audit standard is not theoretical.

DPA review for a cross-border SaaS deal?

If you are auditing a DPA or negotiating a new one with CCPA/CPRA and GDPR overlay, I can run a paid review against the current CPPA regulations and the 2021 SCCs, and return the redline with the positions I would take. Email owner@terms.law with the current draft.

Sergei Tokmakov, Esq., CA Bar #279869. This memo is attorney commentary on legal questions and is not legal advice. Reading it does not create an attorney-client relationship. Past matter outcomes depend on facts and the responding party; nothing here is a prediction of result.