Below is a modular Data Protection and IP Annex for a SaaS/App and IP transaction addressing user data, usage logs, and algorithmic outputs. It is structured for insertion into a Master Subscription Agreement, License Agreement, or Technology/IP Transaction Agreement. Bracketed selections and labeled alternatives (Alt A/B/C) provide negotiation fallbacks. References to GDPR, UK GDPR, and U.S. state privacy laws (including CPRA) are included. Parties should tailor defined terms, scope, and jurisdictional modules to their deal and regulatory footprint.
DATA PROTECTION AND INTELLECTUAL PROPERTY ANNEX
This Data Protection and Intellectual Property Annex (Annex) is incorporated into and forms part of the [Master Subscription Agreement/Technology License and IP Transfer Agreement] (Agreement) between [Customer] and [Provider] (each a Party and together the Parties). Capitalized terms not defined in this Annex have the meaning given in the Agreement.
-
Defined Terms
1.1 Applicable Data Protection Laws means all laws, regulations, and regulatory guidance applicable to the processing of Personal Data under the Agreement, including, as applicable: (a) the EU General Data Protection Regulation 2016/679 (GDPR); (b) the UK GDPR and the Data Protection Act 2018; (c) the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, CPRA), and other U.S. state privacy laws to the extent applicable (e.g., VCDPA, CPA, UCPA, CTDPA); and (d) any substantially similar laws in other jurisdictions.
1.2 Personal Data has the meaning set forth in Applicable Data Protection Laws and includes personal information under CPRA.
1.3 Customer Data means (a) Personal Data provided or made available by or on behalf of Customer to Provider in connection with the Services; (b) content, files, and records ingested into the Services by or for Customer; and (c) data collected from end users of Customer’s applications via the Services, excluding Provider Logs and Aggregated/Deidentified Data.
1.4 Provider Logs means telemetry, diagnostics, performance, and usage logs generated by the Services, which may include limited Personal Data (e.g., device identifiers, IP addresses, timestamps, event data).
1.5 Algorithm Outputs means the outputs, predictions, recommendations, inferences, generated content, and other results produced by the Services for Customer from Customer Data and/or Provider Materials.
1.6 Derived Data means data derived from processing of Customer Data or Algorithm Outputs that is transformed to remove direct identifiers and is used to develop or improve the Services or models, subject to Section 5 (Training/Improvements).
1.7 Deidentified Data and Aggregated Data mean data that meets the de-identification and/or aggregation standards under Applicable Data Protection Laws and cannot reasonably be used to identify an individual or Customer, directly or indirectly, provided the Provider maintains and complies with safeguards and commitments required by those laws.
1.8 Subprocessor means any third party engaged by Provider to Process Personal Data on behalf of Customer in connection with the Services.
1.9 Standard Contractual Clauses or SCCs means Module(s) of the European Commission’s Decision 2021/914 as updated or replaced, and the UK Addendum or IDTA as applicable.
-
Roles and Scope of Processing
2.1 Role.
Option A (Processor Model): For Customer Data, Provider acts as a Processor (GDPR)/Service Provider (CPRA), and Customer acts as Controller/Business. Provider will Process Customer Data only on documented instructions from Customer, as set out in the Agreement and this Annex.
Option B (Hybrid Model): (i) For Customer Data, Provider acts as Processor/Service Provider; and (ii) for Provider Logs, each Party acts as an independent Controller/Business. Provider will not combine Provider Logs with Customer Data except as strictly necessary to provide, secure, and support the Services.
Option C (Controller-to-Controller): For Customer Data and Provider Logs, the Parties act as independent Controllers/Businesses, each determining its own purposes and means of Processing. [Note: This option materially changes obligations and is typically disfavored by customers for user data.]
2.2 Subject Matter and Duration. The subject matter, duration, nature, and purpose of Processing; types of Personal Data; and categories of Data Subjects are described in Schedule 1 (Data Processing Details).
2.3 Instructions. Provider shall Process Customer Data only (a) to provide, maintain, and support the Services; (b) to carry out documented instructions of Customer; and (c) as required by Applicable Law, in which case Provider shall inform Customer prior to Processing unless legally prohibited.
- Compliance Undertakings
3.1 Provider as Processor/Service Provider (where applicable). Provider shall:
(a) not Sell or Share Customer Data (as defined in CPRA) or use Customer Data for any purpose other than Business Purposes specified in the Agreement;
(b) not combine Customer Data with Personal Data received from other customers, except as permitted under CPRA for limited Service Provider purposes (e.g., detecting security incidents, protecting against illegal activity) or as expressly instructed by Customer;
(c) comply with all obligations of a Processor/Service Provider under Applicable Data Protection Laws and provide the certification required under CPRA that it understands and will comply with these restrictions.
3.2 Customer Responsibilities. Customer is responsible for (a) establishing a lawful basis for Processing; (b) providing required notices and obtaining consents from Data Subjects as needed; (c) the accuracy, quality, and legality of Customer Data; and (d) configuring the Services in compliance with Applicable Data Protection Laws.
- Security and Breach Notification
4.1 Security Measures. Provider shall implement and maintain appropriate technical and organizational measures designed to protect Customer Data against unauthorized or unlawful Processing and accidental loss, destruction, or damage, as described in Schedule 2 (Security Measures). [Negotiate: references to ISO/IEC 27001; SOC 2 Type II; encryption at rest/in transit; access controls; secure SDLC; vulnerability management; pen testing.]
4.2 Audit and Certifications.
Option A (Report-Only): Provider will provide, upon request and at least annually, (i) current SOC 2 Type II or ISO 27001 certificate, (ii) executive summary of penetration tests, and (iii) responses to a reasonable security questionnaire (no more than once annually).
Option B (Onsite/Third-Party Audit): In addition to Option A, Customer may conduct an on-site audit or designate a mutually agreed independent auditor no more than once annually, subject to reasonable notice, confidentiality, and minimal business disruption. [Provider may charge reasonable fees for audits exceeding report review.]
Option C (Escalation Right): If Provider’s report reveals material control failures not remedied within [60] days, Customer may suspend affected Processing or terminate the Agreement for cause.
4.3 Security Incident Notification. Provider shall notify Customer without undue delay and in any event within [48] hours after becoming aware of a Personal Data Breach affecting Customer Data, including details reasonably available to Provider. Provider will take reasonable steps to mitigate adverse effects and cooperate with Customer in required notifications. [Note: GDPR authority notification is “without undue delay and, where feasible, not later than 72 hours”; this clause is a contractual customer notification.]
- Use of Algorithm Outputs; Training and Improvements
5.1 Ownership and License to Outputs.
Option A (Customer Ownership): As between the Parties, Customer owns all right, title, and interest in Algorithm Outputs generated for Customer, excluding Provider Materials and underlying models. Provider assigns to Customer any rights it may obtain in such Outputs, subject to Provider’s reserved rights in Provider Materials.
Option B (License to Outputs): As between the Parties, Provider retains ownership in Algorithm Outputs; Provider grants Customer a perpetual, worldwide, irrevocable, royalty-free license to use, reproduce, display, distribute, and create derivative works of Algorithm Outputs for Customer’s internal and external business purposes.
Note: Jurisdictional limits may apply to IP protection of non-human-authored works; Parties should align on whether Outputs are protectable works and allocate risk accordingly.
5.2 Improvements and Feedback. Customer grants Provider a non-exclusive, worldwide, royalty-free license to use Feedback for any purpose. [Alt: assign Feedback; [Alt: license limited to Service improvement]]. Provider will not identify Customer as the source of Feedback without consent.
5.3 Training Rights (Use of Customer Data and Outputs to Improve Models).
Option A (No Training by Default): Provider shall not use Customer Data or Algorithm Outputs to train, retrain, or fine-tune models for the benefit of Provider or third parties, except on documented instructions or with Customer’s prior written consent.
Option B (Deidentified/Aggregated Training): Provider may use Deidentified Data and Aggregated Data derived from Customer Data or Outputs to develop and improve the Services and models, provided Provider: (i) maintains technical and organizational safeguards preventing reidentification; (ii) does not attempt to reidentify; (iii) does not use the data to target or profile Data Subjects; and (iv) complies with CPRA and similar laws’ deidentification requirements.
Option C (Opt-Out Model): Provider may use Customer Data for model improvements unless Customer opts out via written notice or administrative controls. Provider shall provide a straightforward opt-out mechanism and honor it within [10] days.
5.4 Non-Attribution. Provider shall not use Customer’s name, trademarks, or Output content for external training datasets, benchmarks, or marketing without Customer’s prior written consent.
-
Provider Logs and Telemetry
6.1 Permitted Uses. Provider may Process Provider Logs to (a) deliver, maintain, support, and secure the Services; (b) measure and report on service performance and capacity; (c) detect, investigate, and prevent fraud, abuse, and security incidents; and (d) comply with law. Provider will not Sell or Share Personal Data within Provider Logs.
6.2 Minimization and Retention. Provider will collect the minimum Provider Logs reasonably necessary and retain them for no longer than [90/180/365] days unless (i) required by law, (ii) necessary to investigate security incidents, or (iii) longer retention is approved in writing by Customer. [Alt: tie retention to documented data retention schedule.]
6.3 Role Alternatives. See Section 2.1. If independent Controller model applies, each Party shall provide legally required notices and honor applicable Data Subject rights for its own Processing.
-
Subprocessors
7.1 Authorization.
Option A (General Authorization): Customer authorizes Provider to engage Subprocessors listed at [URL/Schedule], subject to Provider’s obligations in this Section. Provider will provide at least [30] days’ notice of new Subprocessors and a mechanism to subscribe to updates. Customer may object on reasonable data protection grounds within [10] days; the Parties will work in good faith to resolve objections.
Option B (Specific Authorization): Provider shall not appoint a Subprocessor without Customer’s prior written approval for each Subprocessor.
7.2 Flow-down. Provider shall impose data protection obligations on Subprocessors that are at least as protective as those set out in this Annex. Provider remains responsible for Subprocessors’ performance.
-
Data Subject Requests; Assistance; DPIAs
8.1 Assistance. Taking into account the nature of Processing, Provider shall provide reasonable assistance to Customer to respond to Data Subject requests (access, deletion, correction, portability, restriction, objection, opt-out of targeted advertising or sale/sharing under U.S. laws), and to fulfill Customer’s obligations regarding security, breach notifications, recordkeeping, and impact assessments (DPIAs) and prior consultations.
8.2 CPRA Service Provider Terms. Provider certifies it understands and will comply with the CPRA’s restrictions for Service Providers and Contractors. Upon Consumer request relayed by Customer, Provider shall assist in responding to requests as required by CPRA.
-
International Data Transfers
9.1 Transfer Mechanisms. Where Provider’s Processing of Customer Data involves a transfer to a country not recognized as providing an adequate level of protection under Applicable Data Protection Laws, the Parties agree the SCCs (and UK Addendum/IDTA) are incorporated by reference as follows: [insert SCC module mapping: Controller–Processor (Module 2) and/or Processor–Processor (Module 3)]. The Parties complete the SCCs’ Annexes using Schedule 1 and Schedule 2 to this Annex.
9.2 Supplementary Measures. Provider shall implement supplementary measures, where required by a transfer impact assessment, including encryption-in-transit and at-rest, access controls, and policies for responding to government access requests.
9.3 China and Other Jurisdictions. For transfers subject to the PRC Personal Information Protection Law (PIPL) or similar regimes requiring security assessments, certifications, or standard contracts, the Parties will execute the required instruments and cooperate to complete assessments or filings before transfer. [Note: specify which party leads assessments; consider data localization constraints.]
-
Retention and Deletion
10.1 Upon termination or expiration of the Agreement or upon Customer’s written request, Provider shall promptly delete or return Customer Data (at Customer’s option), unless retention is required by law. [Alt: deletion within [30] days; destruction certificate upon request.]
10.2 Backups. Provider may retain encrypted backups for up to [90] days, inaccessible to production systems, after which they are overwritten in the ordinary course.
-
Government and Third-Party Requests
11.1 Legal Process. Provider shall not disclose Customer Data to any government or third party without prior written notice to Customer, unless legally prohibited. If prohibited, Provider shall use reasonable efforts to obtain a waiver to notify Customer. Provider will challenge unlawful or overbroad requests to the extent reasonable.
11.2 Transparency. Upon request, Provider will provide a summary of the volume and type of legal demands received relating to Customer Data, to the extent lawful.
-
Confidentiality
12.1 Personnel and Subprocessors. Provider ensures that personnel and Subprocessors accessing Customer Data are bound by confidentiality obligations and have undergone appropriate training.
12.2 Conflicts. If a conflict exists between confidentiality terms in the Agreement and this Annex, the more protective standard for Customer Data applies.
-
Liability and Indemnities
13.1 Liability Allocation.
Option A (Carve-Out): The liability cap in the Agreement does not apply to (i) Provider’s breach of Section 3.1 (Service Provider restrictions), (ii) unauthorized disclosure of Customer Data caused by Provider’s breach of this Annex, (iii) infringement of IP in Algorithm Outputs under Section 14, or (iv) willful misconduct. [Alt: carve-out solely for data breach direct damages; [Alt: super-cap at [2x–3x] fees.]
13.2 Indemnity.
Option A (Provider Indemnity): Provider shall defend and indemnify Customer against third-party claims to the extent arising from Provider’s material breach of this Annex or Applicable Data Protection Laws, or from Subprocessor acts/omissions, resulting in unauthorized disclosure of Customer Data.
Option B (Mutual Indemnity): Each Party indemnifies the other for its independent-controller Processing (if applicable) that violates Applicable Data Protection Laws and causes harm.
-
Intellectual Property; Infringement; Output Risk Allocation
14.1 Background IP. Each Party retains ownership of its Background IP. Provider retains ownership of Provider Materials, models, pre-trained weights, and service infrastructure.
14.2 Output Ownership and License. See Section 5.1 (Options A/B). The Parties acknowledge that protectability of AI-generated content may vary by jurisdiction; nothing herein guarantees registrability or enforceability of copyrights in Outputs. [Optional: Provider disclaims authorship of non-human-generated content; Customer represents it will ensure sufficient human authorship when seeking copyright protection.]
14.3 IP Indemnity for Outputs.
Option A (Provider Indemnity): Provider shall defend and indemnify Customer for third-party claims alleging that Customer’s use of Algorithm Outputs, as generated by unmodified Services and in accordance with the Agreement, infringes third-party IP rights, excluding claims based on Customer Data, Customer’s prompts/instructions, or combination with non-Provider materials. Remedies may include modify/replace, procure rights, or refund pro rata fees.
Option B (Limited Indemnity): Same as Option A, but excluding claims relating to text- or image-generation where Provider designates the feature as “experimental” or “beta”.
14.4 Moral Rights Waiver. To the extent permitted by law, Provider waives and will procure waivers of moral rights in Algorithm Outputs it could assert, limited to enabling Customer’s rights under Section 5.1.
-
Deidentified and Aggregated Data Commitments
15.1 Provider shall (a) maintain and implement technical controls and policies to prevent reidentification; (b) publicly commit to not reidentify Deidentified Data; and (c) contractually bind recipients to the same restrictions, consistent with CPRA and similar laws.
15.2 Provider will not attempt to or actually use Deidentified or Aggregated Data to single out or target any individual or Customer.
-
High-Risk Data and Sectoral Laws
16.1 Prohibited Data. Customer shall not submit special categories of data under GDPR, precise geolocation, biometric identifiers, or health/medical data unless expressly agreed in writing and subject to supplemental terms.
16.2 Sectoral Compliance. If the Parties agree to Process data regulated by sectoral laws (e.g., HIPAA, GLBA, FERPA), they will execute required addenda (e.g., BAA) before such Processing.
-
Order of Precedence
If there is a conflict between this Annex and the Agreement, this Annex controls with respect to data protection, privacy, and Algorithm Outputs/IP allocation.
Schedule 1 – Data Processing Details (SCC Annex I; UK Addendum Part 1; CPRA Description)
A. Parties
- Data Exporter/Controller/Business: [Customer details, contact, DPO if applicable]
- Data Importer/Processor/Service Provider: [Provider details, contact, DPO/Security Contact]
B. Description of Processing
- Subject matter: Provision of the Services under the Agreement.
- Duration: Term of the Agreement and any reasonable wind-down period.
- Nature and purpose: Hosting; data storage; compute; analytics; model inference; generation of Algorithm Outputs; customer support; security and incident response; billing.
- Categories of Data Subjects: Customer’s end users; employees; contractors; authorized users; consumers.
- Types of Personal Data: Identifiers (name, email, IP address, device ID); account credentials; usage data and telemetry; content supplied by users; support tickets; [optional: payment tokens (no PAN); logs].
- Sensitive Data: [None/limited as agreed—insert if applicable].
- Frequency of transfers: Continuous as necessary for service delivery.
- Subprocessing: As listed at [URL/Schedule].
C. Competent Supervisory Authority
- For EU SCCs: [Identify based on Customer’s establishment].
D. CPRA Required Terms
- Business purposes: service delivery, security, debugging, short-term transient use, analytics, internal research, quality assurance, and service improvement as permitted.
- Certification: Provider certifies compliance with CPRA Service Provider restrictions.
Schedule 2 – Security Measures (SCC Annex II)
- Organizational: Information security policy; governance; risk management; employee screening and confidentiality; security training.
- Access Controls: Role-based access; MFA for administrative access; least privilege; JIT access; periodic access reviews.
- Data Protection: Encryption in transit (TLS 1.2+); encryption at rest (AES-256 or equivalent); key management; secrets management.
- Application Security: Secure SDLC; code reviews; dependency scanning; SAST/DAST; change management; CI/CD hardening.
- Infrastructure: Network segmentation; firewalls/WAF; hardening baselines; vulnerability management; monthly patching cadence.
- Monitoring and Logging: Centralized logging; anomaly detection; SIEM; EDR; immutable audit logs.
- Continuity: Documented BCP/DR; RPO ≤ [24] hours; RTO ≤ [24] hours; geo-redundant backups; disaster recovery testing.
- Testing: Annual independent penetration tests; remediation tracking; third-party assessments (SOC 2 Type II/ISO 27001).
- Data Subject Rights Support: Administrative tools or processes to access, correct, delete, or export data.
- Subprocessor Security: Due diligence; contractual security obligations; ongoing monitoring.
Negotiation Playbook (Concise)
- Roles: Prefer Processor/Service Provider for Customer Data; consider hybrid (independent controller) only for limited telemetry with strong minimization and opt-outs.
- Outputs Ownership: Customer Ownership (Alt A) where Customer bears regulatory/commercial risk; Provider may seek License (Alt B). Address human authorship caveats.
- Training: Default “no training” (Alt A) or deidentified-only (Alt B). If Provider insists on opt-out (Alt C), require product-level controls and clear SLAs.
- Subprocessors: General authorization with notice and objection rights; ensure rapid remediation and exit if objection unresolved.
- Security/Audit: At minimum SOC 2 Type II or ISO 27001; report-based audit, with onsite only if material issues.
- Breach Notice: 48 hours customer notice; cooperate with DPIA and notifications; define mitigation and credit monitoring if high risk.
- International Transfers: SCCs + UK Addendum; supplementary measures; PIPL module if China data implicated.
- Liability: Carve-outs/super-cap for data breach and CPRA violations; IP indemnity for Outputs with exclusions for Customer prompts.
- Logs: Limit personal data in telemetry; retention ≤ 180 days; ban sale/sharing; clear role allocation.
- Deidentified/Aggregated Data: Adopt CPRA-compliant safeguards; non-reidentification commitments.
Signature Blocks
By their duly authorized representatives, the Parties agree to this Annex as of the Effective Date of the Agreement.
[Customer]
Name:
Title:
Date:
[Provider]
Name:
Title:
Date:
Important Legal Notes
- GDPR: Controller–Processor obligations, 72-hour supervisory authority notice, SCCs for cross-border transfers, DPIAs where high risk.
- CPRA: Service Provider restrictions (no sale/sharing, use only for business purposes, assistance with consumer requests, deidentified data standards).
- UK: UK GDPR and UK Addendum/IDTA for transfers.
- Outputs IP: Protection and authorship standards vary by jurisdiction; ensure risk allocation if registration or enforceability is sought.
Please provide your preferred alternatives (e.g., 2.1 Option A/B, 5.1 Option A/B, 5.3 Option A/B/C) and any jurisdiction-specific requirements (EU/UK/US states/PRC) to finalize the Annex.
