LEGAL DOCUMENTATION

Data Processing Addendum (DPA)

Last updated: June 05, 2026

1. Purpose & Core Scope

This Data Processing Addendum ("DPA") is integrated into the general Terms of Service and applies to all agreements where Privia Solutions acts as a Data Processor on behalf of our clients (the Data Controller).

This DPA ensures our joint processing operations remain compliant with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and standard international transfer regulations.

2. Controller & Processor Roles

The contract defines roles and instructions as follows:

  • Instructions: Privia Solutions processes personal data solely on written instructions from the Data Controller, including with respect to transfers of personal data to standard cloud-hosting subprocessors.
  • Personnel: All staff members, solutions architects, and operations leads handling Controller database tables are subject to strict legal confidentiality agreements.
  • Rights Cooperation: The Processor will implement technical tools to assist the Controller in responding to data subject access or deletion requests.

3. Authorized Subprocessors

The Controller grants general authorization to the Processor to engage subprocessors (such as cloud hosting, DB replication, or transactional mail hosts) under these conditions:

  • The Processor maintains an updated list of authorized subprocessors.
  • The Processor provides the Controller with a 15-day notification window before adding new subprocessors, allowing the Controller to object on reasonable data protection grounds.
  • Contracts with subprocessors bind them to security controls equivalent to those outlined in this DPA.

4. Technical & Organizational Measures (TOMs)

We implement the following Technical and Organizational Measures to guarantee data integrity:

  • Physical Isolation: Logical separation of database shards and multi-tenant profiles.
  • Audit Verification: Providing SOC 2 audit summary reports to confirm architecture parameters.
  • Threat Detection: Enforced firewalls, active intrusion prevention systems, and log alerts.
  • Backup Schedules: Hourly encrypted snapshot volumes stored across multiple regions.

5. Breach Notification Schedule

Incidents: Privia Solutions will notify the Data Controller in writing within 72 hours of confirming any unauthorized access, accidental exposure, or compromise of Controller personal data. We will provide detailed reports on the affected scope, diagnostic analysis, and mitigation steps taken.

6. Data Erasure & Return

Within 30 calendar days of contract termination, the Controller may instruct the Processor to either:

  • Securely return all database entries and account records in a structured JSON or CSV format.
  • Securely delete all copies of Controller personal data, overwriting storage disks in accordance with standard cryptographic cleanup guidelines.