This message was posted by a user wishing to remain anonymous
Hello,
Has anyone created a Data Processing Agreement (DPA) pursuant to CCPA/CPRA and have had any success getting your vendors to sign it? From what I understand, a separate DPA should be in place between us and any vendors classified as a contractor or service provider. My bank has created a DPA but has had no success getting vendors to sign it. Most have replied they will not sign external documents, or they reply with a reference to their own MSA citing their Confidentiality Clause or their adherence to applicable laws and regulations.
I have noticed that many vendors have DPAs on their websites that reference CCPA/CPRA. Do you feel that retaining these agreements satisfies CCPA/CPRA even if they are not specific to my institution? Or should we have a signed DPA between our vendor and us?
Thank you