§ 2415fStatuteReference only

Processors’ Duties; Contracts Between Controllers and Processors

Effective January 1, 2028Reviewed July 2026

Reference only: This requirement is not currently tested by the Privisy scanner. It is included for reference. Consult a qualified attorney to assess your compliance posture.

What it requires

Processors must follow controller instructions and assist with consumer-rights responses, security, and breach notification. Controller-processor contracts must require confidentiality, data deletion/return at contract end, subcontractor flow-down obligations, and cooperation with compliance audits. A processor that exceeds its instructions and starts determining the purposes of processing becomes a controller and can face direct Attorney General enforcement.

Legal text (excerpt)

A contract between a controller and a processor shall govern the processor's data processing procedures ... The contract shall require that the processor: (A) ensure that each person processing personal data is subject to a duty of confidentiality ...; (D) after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract ....

Vermont Data Privacy and Online Surveillance Act: § 2415f, Statute, effective 2028

Primary source

Vermont Office of the Attorney General: § 2415f: Processors’ Duties; Contracts Between Controllers and Processors

Legal notice: This page is for informational purposes only and does not constitute legal advice. The legal text excerpt is reproduced from official public sources and is current as of the stated effective date. Laws change: verify against the authoritative source and consult a licensed attorney for compliance guidance.

Stop Guessing. Start Knowing.

Find out exactly where your website stands before a regulator does.

Get My Compliance Audit