Virginia Privacy Addendum

Version 1.1.1

CDCK and Customer agree to add the following terms to their Agreement:


Both sides agree to do their respective parts to comply with the Virginia Consumer Data Protection Act or VCDPA, consistent with Customer’s role as controller and CDCK’s role as processor.


Whenever it is feasible and legal to do so, each side will give the other prompt Notice of consumer rights requests, regulatory inquiries, and other communications under the VCDPA. Both sides agree to cooperate in good faith to respond to and honor such communications.

Security and Breach Response

Taking into account the nature of processing and the information available to CDCK, CDCK will give Customer reasonable assistance in meeting the Customer’s obligations to secure personal data and notify of breaches.

Processor Requirements

CDCK and Customer intend the following terms to meet the requirements of VCDPA 59.1-579(B):


CDCK will process personal data on Customer’s behalf and in accordance with Customer’s instructions in order to provide services under the Agreement, for the duration of the Agreement.


CDCK will ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.

Deletion or Return

At Customer’s direction, CDCK will delete or return all personal data to Customer as requested at the end of the provision of services, unless retention of the personal data is required by law.

Make Available

Upon the reasonable request of Customer, CDCK will make available to Customer all information in its possession necessary to demonstrate CDCK’s compliance with the obligations of the VCDPA.


CDCK will allow, and cooperate with, reasonable assessments of VCDPA compliance by Customer or Customer’s designated assessor. Alternatively, CDCK may arrange for a qualified and independent assessor to conduct an assessment of CDCK’s policies and technical and organizational measures in support of the obligations under the VCDPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments. CDCK shall provide a report of such independent assessment to Customer upon request.


CDCK will engage any subcontractor pursuant to a written contract in accordance with VCDPA 59.1-579(C) that requires the subcontractor to meet the obligations of CDCK with respect to the personal data.

De-Identified Data

If CDCK receives de-identified data from Customer, CDCK will comply with all relevant provisions of the VCDPA.


If the terms of this addendum conflict with terms of the Agreement, the terms of this addendum take precedence for personal data subject to the VCDPA.


  1. This addendum uses the terms consumer, de-identified data, processing, processor, and controller as defined by the VCDPA.

  2. This addendum uses the term personal data as defined by the VCDPA, limited to consumer personal data processed by CDCK on behalf of Customer.

  3. This addendum uses the term Notice as defined in the Agreement.