data-processing-addendum

Yes, absolutely. This is not just a good idea—it is a critical and standard requirement for any B2B software or consulting firm.

Including a clear demarcation between the data you collect about your website visitors and the data you handle on behalf of your clients is essential for legal compliance, clarity, and managing client expectations.

The example you provided is an excellent starting point. It uses the precise legal terminology from laws like the GDPR ("processor") and the CCPA/CPRA ("service provider").

Why This Clause is Non-Negotiable:

  1. Legal Compliance: Under regulations like GDPR and CCPA, the roles and responsibilities of the "data controller" (your client) and the "data processor" (you) are legally distinct. Your website privacy policy governs your actions as a controller of personal data (e.g., data from your website contact form). You must explicitly state that this policy does not apply when you are acting as a processor for a client.
  2. Client Assurance: Your clients are the controllers for the data they give you. They need to know that you are not imposing your own privacy policy on their data or their customers' data. Their use of your services will be governed by a separate, more detailed agreement.
  3. Limiting Liability: This clause helps prevent a situation where a client's customer (an end-user) tries to claim that your website's privacy policy applies to the data your client processed using your services. It clearly defines the scope of your policy.

How to Draft This Section Effectively:

You can expand on your example to make it even clearer. Here is a template you can adapt:


Template for Your Privacy Policy

Scope of This Policy; Client Data

This Privacy Policy applies only to information that we collect through this website and in the course of our marketing and business development activities (e.g., information about our clients and prospective clients).

This policy does not apply to information that we process on behalf of our clients ("Client Data") in our capacity as a service provider or data processor. Our clients are the data controllers of Client Data, and they determine the purposes and means of the processing.

Our processing of Client Data is governed solely by the terms of our client agreements, including any applicable data processing addendum (DPA), rather than by this Privacy Policy. We process Client Data solely as instructed by our clients and in accordance with our contractual obligations.

If you are an end-user of one of our clients and have questions about how your data is handled, please contact the client directly. If we receive a request regarding Client Data, we will direct the individual to the relevant client.


Key Elements to Include:

  • Clear Title: Use a header like "Scope of This Policy" or "Client Data."
  • Define "Client Data": Explicitly state what falls under this category.
  • Use Correct Legal Roles: Use terms like "data controller" (your client), "data processor" or "service provider" (you).
  • Reference Governing Documents: Point the reader to the actual governing documents—the Master Service Agreement (MSA) and Data Processing Addendum (DPA). This is crucial.
  • Instructions for End-Users: Tell an individual (whose data you might be processing for a client) whom to contact (the client, not you). This is a best practice and often a contractual requirement.

Best Practice Recommendation:

  1. Create a Data Processing Addendum (DPA): Have a standalone DPA that you can attach to your client contracts. This DPA outlines in detail your security measures, data processing instructions, subprocessor policies, and obligations under GDPR, CCPA, etc.
  2. Integrate this into Contracts: Ensure your MSA or consulting agreement clearly states that the DPA governs the processing of Client Data.

By including this clause, you demonstrate professionalism, a strong understanding of data privacy laws, and respect for your clients' roles and responsibilities. It builds trust and is a sign of a mature, compliant organization.