Last review date: 31 December 2024
Yes. The obligations are as follows:
☒ controllers must conduct due diligence on the processor to ensure that it will provide appropriate security for, and processing of, the personal data
☒ controllers must only use processors subject to a written agreement that complies with specific requirements. The CCPA requires businesses to enter into written contracts with service providers. The VCDPA and the CPA also require data controllers to enter into contracts with processors that govern the processor's data processing procedures performed on behalf of the controller.
☒ other
The GLBA Safeguards Rule requires covered financial institutions to conduct periodic assessments of the security practices of service providers.
Last review date: 31 December 2024
Yes. Various federal and state privacy laws impose direct obligations on processors (or equivalent terms). For example, under HIPAA, business associates have various direct regulatory obligations related to data security and breach notification. Similarly, many state data breach notification laws impose direct obligations on service providers that maintain data on behalf of data owners to report data security incidents to the data owners.