CCPA § 1798.140(ag) defines a "service provider" as a person that processes personal information (PI) on behalf of a business under a written contract that prohibits it from selling or sharing the PI, from retaining, using or disclosing it for any purpose other than the business purposes specified in the contract, from using it outside the direct business relationship with the business, and from combining it with PI received from other sources. A disclosure to a vendor that meets this definition is excluded from "sale" and "sharing"; § 1798.100(d) lists the further terms the agreement must contain. Without that contract your payment processor, email provider and error tracker are "third parties", and each transfer of PI to them has to be analysed as a third-party disclosure, which can amount to a "sale" or "sharing" that triggers notice and opt-out obligations. Stripe, SendGrid, Resend, Sentry and Vercel all publish Data Processing Addendums (DPAs) written to satisfy this requirement, but a DPA only binds the vendor once you have accepted or signed it; do not assume it applies by default.
Severity is low because a missing service-provider contract does not on its own turn a routine PI transfer into a sale or sharing (that still depends on whether the vendor gives valuable consideration for the PI or uses it for cross-context behavioral advertising), but it removes the service-provider exclusion from every downstream PI flow, so each flow must be re-examined and, where it is a sale or sharing, disclosed and made subject to opt-out.
Accept Data Processing Addendums (DPAs) with every vendor that receives personal information. Most are available in each vendor's admin dashboard or legal portal.
CCPA Service Provider Agreement Checklist
Required contractual provisions (service provider definition, CCPA § 1798.140(ag)(1)):
- Prohibit selling or sharing the PI
- Prohibit retaining, using or disclosing PI for any purpose other than the business purposes specified in the contract
- Prohibit retaining, using or disclosing PI outside the direct business relationship with your business
- Prohibit combining the PI with PI received from other sources (subject to the statutory exceptions)
- Require the vendor to certify that it understands these restrictions and will comply with them
Additional terms the agreement must contain (CCPA § 1798.100(d)):
- Specify that PI is disclosed only for limited and specified purposes
- Obligate the vendor to comply with the CCPA and provide the same level of privacy protection it requires
- Grant you the right to take reasonable and appropriate steps to ensure the vendor uses the PI consistently with your CCPA obligations
- Require the vendor to notify you if it determines it can no longer meet its CCPA obligations
- Give you the right, on notice, to stop and remediate unauthorized use of the PI
Vendors with CCPA-compliant DPAs:
□ Stripe — stripe.com/legal/dpa (Dashboard > Settings > Legal)
□ SendGrid — sendgrid.com/policies/dpa
□ Resend — resend.com/legal/dpa
□ Google — accept the data processing terms separately for each Google product that receives PI (Google Ads in the Ads account settings, GA4 under Admin > Account Settings); the Google Workspace Admin Console DPA covers Workspace only, not GA4 or Google Ads
□ Sentry — sentry.io/legal/dpa
□ Vercel — vercel.com/legal/dpa
□ Supabase — supabase.com/privacy is the privacy policy, not a contract; locate and accept Supabase's DPA or service provider terms rather than relying on the policy
After accepting DPAs, update your privacy policy to describe these vendors as "service providers" or "contractors" rather than generic "third parties", so consumers are not told that their PI is handed to unrestricted recipients. The wording does not create service-provider status by itself; the signed contract does, and the policy should only state what the contracts actually provide.
ID: ccpa-readiness.data-handling.service-provider-contracts
Severity: low
What to look for: Under CCPA, disclosing PI to a "service provider" or "contractor" does not constitute a "sale" or "sharing" — but only if the service provider has a written contract that prohibits them from retaining, using, or disclosing the PI for any purpose other than performing the contracted services. Check whether agreements are in place with major third-party services that receive personal data: payment processors (Stripe), email providers (SendGrid, Postmark, Resend), analytics (Google Analytics, Mixpanel), customer support (Intercom, Zendesk), error tracking (Sentry), and cloud hosting (AWS, Vercel, Supabase). Look for DPA acceptance, service provider terms, or data processing addendums that include the CCPA-required contractual restrictions. Count all instances found and enumerate each.
Pass criteria: Written agreements (DPAs, service provider terms) are in place with all major third-party services that receive PI. These agreements restrict the service provider's use of PI to the contracted purpose. The privacy policy refers to these parties as "service providers" or "contractors" rather than "third parties." At least 1 implementation must be confirmed.
Fail criteria: Major third-party services (payment processor, email provider) have no DPA or service provider terms. Privacy policy refers to service providers as generic "third parties" that share data without distinction. No contractual restrictions on downstream use.
Skip (N/A) when: Application uses no third-party services that receive personal information.
Detail on fail: Example: "SendGrid receives user email addresses for transactional email but no DPA or service provider agreement is documented. Privacy policy lists SendGrid as a 'partner' rather than a service provider with contractual restrictions."
Remediation: Accept or sign service provider / DPA terms with each vendor:
CCPA Service Provider Agreement Checklist:
Required contractual provisions (service provider definition, CCPA § 1798.140(ag)(1)):
- Prohibit selling or sharing the PI
- Prohibit retaining, using, or disclosing PI for any purpose other than the business purposes specified in the contract
- Prohibit retaining, using, or disclosing PI outside the direct business relationship
- Prohibit combining the PI with PI from other sources, subject to the statutory exceptions
- Require the vendor to certify that it understands the restrictions and will comply with them
Additional agreement terms (CCPA § 1798.100(d)): limited and specified purposes; same level of privacy protection as the CCPA requires; your right to take reasonable steps to verify compliant use; vendor duty to notify you when it can no longer meet its obligations; your right to stop and remediate unauthorized use
Key vendors with CCPA-compliant service provider terms:
□ Stripe — stripe.com/legal/dpa (accept via Dashboard Settings > Legal)
□ SendGrid — sendgrid.com/policies/dpa
□ Resend — resend.com/legal/dpa
□ Postmark — postmarkapp.com/gdpr; confirm that the DPA offered there contains the CCPA service provider restrictions and not only GDPR processor terms
□ Google — accept the data processing terms in each product that receives PI (Google Ads account settings; GA4 Admin > Account Settings); the Workspace Admin Console DPA does not cover GA4 or Google Ads
□ Sentry — sentry.io/legal/dpa
□ Vercel — vercel.com/legal/dpa
□ Supabase — supabase.com/privacy is a privacy policy, not a DPA; locate and accept Supabase's DPA or service provider terms
Update privacy policy to identify these parties as "service providers" and note
their contractual obligation to use PI only for contracted services.