Data Processing Addendum

Northeastern University is committed to protecting the personal information it may share or make accessible to its vendors, suppliers, contractors, researchers and partners (“You”) during the course of providing educational programs and services, performing research and supporting our operations (collectively, “Operations”).  The Northeastern University Data Processing Addendum (“DPA”) sets forth the privacy requirements governing Your handling of Personal Information and is part of your agreement with Northeastern that references the DPA.

Northeastern may update the DPAs from time to time for legal compliance purposes.  However, the DPA in effect on the date You enter into Your agreement with Northeastern shall govern during the term of the agreement, unless the parties otherwise agree in writing.  Historical versions will be added below when a new DPA version is released.

The DPA that applies (i.e., DPA: Processor or DPA: Controller) may be referenced in your agreement with Northeastern.  If it is not, the DPA that applies will (in accordance with data protection laws) depend on the context of the activities You perform under Your agreement with Northeastern.  The DPA: Processor applies to when You are processing personal information on Northeastern’s behalf and under Northeastern’s authority.  The DPA: Controller applies when You alone (or together with Northeastern) determine the purposes of the collection and processing any personal information and the means and methods of processing it.  Unless You (i) have a direct relationship with the individual whose personal data you are Processing or (ii) are accessing personal information in order to engage in research for an organization other than Northeastern, the DPA: Processor applies.  If you are not certain whether the Processor or Controller DPA applies, please email

Data Processing Agreement: Processor

Data Processing Agreement: Controller