Data Privacy Addendum (DPA) EXAMPLE


This Data Privacy Addendum ("DPA") is entered into by and between:
[Client Name / Tribal Government] ("Client")
and
DREAM Software LLC ("Service Provider")
Effective Date:  

This DPA supplements and forms part of any underlying agreement (e.g., MSA, SOW).

 

1. Purpose
This DPA governs the processing, handling, storage, and protection of data by Service Provider on behalf of Client.

 

2. Definitions

  • Client Data: Any data provided by or on behalf of Client

  • Sensitive Data: Includes but is not limited to:

    • Protected Health Information (PHI) under HIPAA

    • Criminal Justice Information (CJI) under CJIS

    • Personally identifiable information (PII)

  • Applicable Law: Includes tribal, federal, and state laws as determined by Client

 

3. Data Ownership & Sovereignty

  • All Client Data remains the sole property of Client

  • Nothing in this DPA transfers ownership rights to Service Provider

  • Service Provider acknowledges Client’s sovereign authority over its data

  • Data governance shall defer to Client’s laws, policies, and jurisdiction where applicable

 

4. Permitted Use of Data
Service Provider shall:

  • Process Client Data only for authorized purposes

  • Not sell, share, or use data for secondary purposes

  • Follow documented instructions from Client

 

5. Data Security Measures
Service Provider agrees to implement administrative, technical, and physical safeguards, including:

  • Encryption (at rest and in transit)

  • Role-based access controls

  • Multi-factor authentication (where applicable)

  • Audit logging and monitoring

  • Secure development practices

 

6. HIPAA Compliance (if applicable)
Where Client Data includes PHI:

  • Service Provider agrees to comply with HIPAA requirements

  • A Business Associate Agreement (BAA) shall be executed if required

  • Service Provider will:

    • Safeguard PHI

    • Limit access to authorized personnel

    • Report breaches in accordance with HIPAA timelines

 

7. CJIS Compliance (if applicable)
Where Client Data includes Criminal Justice Information:

  • Service Provider will comply with the CJIS Security Policy, including:

    • Background checks for personnel (as required)

    • Secure data transmission and storage

    • Access restrictions and authentication controls

  • Service Provider agrees to cooperate with audits or compliance reviews

 

8. Data Location & Storage

  • Data shall be stored in locations approved by Client

  • Client may require:

    • U.S.-only storage

    • On-premises or tribal-controlled infrastructure

  • Service Provider will not relocate data without prior written consent

 

9. Subprocessors

  • Service Provider will not engage subprocessors without notice to Client

  • All subprocessors must meet equivalent data protection standards

  • Service Provider remains responsible for subprocessor compliance

 

10. Data Breach & Incident Response
In the event of a data incident:

  • Service Provider will notify Client without unreasonable delay

  • Notification will include:

    • Nature of the incident

    • Affected data

    • Mitigation steps taken

  • Service Provider will cooperate fully with Client response efforts

 

11. Data Retention & Destruction

  • Data will be retained only as long as necessary

  • Upon request or termination:

    • Data will be returned or securely destroyed

  • Destruction methods will meet industry standards

 

12. Audit & Compliance Rights
Client may:

  • Request documentation of security practices

  • Conduct audits (reasonable notice required)

  • Require remediation of identified risks

 

13. Confidentiality
Service Provider shall:

  • Maintain strict confidentiality of Client Data

  • Ensure all personnel are bound by confidentiality obligations

 

14. Liability & Indemnification
Liability related to data protection shall be governed by the underlying agreement unless otherwise specified.

 

15. Term & Termination
This DPA remains in effect for the duration of data processing activities.

 

16. Tribal Sovereignty Clause
Nothing in this DPA shall be interpreted as:

  • A waiver of sovereign immunity

  • Consent to jurisdiction outside Client’s authority

  • Limitation of Client’s governance over its data

 

17. Governing Law
To the extent applicable, this DPA shall be governed by:

  • Tribal law, where specified by Client

  • Otherwise, as defined in the underlying agreement

 

18. Signatures
[Client Name / Tribal Government]
By: __________________________
Name:
Title:
Date:

 

DREAM Software LLC
By: __________________________
Name:
Title:
Date:


This DPA is designed to be flexible and negotiable to meet the unique legal, cultural, and operational needs of each tribal client while maintaining strong compliance with federal data protection frameworks.