Table of Contents
- What is a data use agreement?
- What is a limited data set?
- Who needs a data use agreement?
- When do you need a data use agreement?
- How does a DUA differ from other data agreements?
- What are the requirements of a DUA?
- Standard clauses of a data use agreement
- Managing data use agreements at scale
- Frequently asked questions about data use agreements
Want more content like this? Sign up for our monthly newsletter.
Key takeaways:
- Execute a data use agreement whenever sensitive information moves to external parties—the trigger is data sensitivity combined with external access, not the format or storage method.
- Mandate specific security measures in your DUA including encryption standards (AES-256), multi-factor authentication, role-based access controls, and breach notification timelines rather than relying on vague “reasonable security” language.
- Distinguish DUAs from other data agreements based on relationship structure: use DUAs for one-way data flow where you retain control, data processing agreements for GDPR compliance when vendors process data on your behalf, and business associate agreements for HIPAA-covered health information.
- Implement systematic DUA tracking through contract lifecycle management platforms to monitor active agreements, permitted uses, security compliance, and renewal deadlines across your organization.
How much control do you really have over your data once it leaves your organization? A data use agreement (DUA) is the legally binding contract that answers that question, governing exactly how one party may use data owned by another. Organizations use DUAs to protect sensitive information while enabling legitimate data sharing.
These agreements matter more than ever. Companies now routinely share customer data, research findings, and proprietary information across organizational boundaries. And third-party involvement in breaches doubled to 30% in a single year. Without clear contractual terms, that sharing creates legal and operational risk.
What is a data use agreement?
At its core, a DUA defines three things: the specific purposes for which recipients can use the data, the responsibilities each party holds for protecting it, and the restrictions that prevent misuse or unauthorized sharing. The goal is to create a clear legal framework, one that gives data owners confidence their information won’t be misused while giving recipients the access they need to do legitimate work.
What is a limited data set?
A limited data set is health information with specific identifiers removed to reduce privacy risk while maintaining research utility. Organizations use limited data sets when full de-identification would destroy the data’s analytical value.
The Health Insurance Portability and Accountability Act (HIPAA) defines 16 identifiers that must be removed to create a limited data set:
- Names
- Street addresses (city, state, and zip code may remain)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers
- Full-face photos
Limited data sets may retain dates (admission, discharge, service, birth, death) and geographic information at the city or zip code level. This preserved detail supports longitudinal studies, geographic analysis, and age-related research that fully de-identified data cannot support.
Organizations must execute a data use agreement before sharing a limited data set. The DUA restricts how recipients may use the data and prohibits attempts to re-identify individuals.
Who needs a data use agreement?
Any time sensitive information moves between organizations, a DUA is the mechanism that defines the rules of engagement, protecting both the people whose data is at stake and the organizations handling it. These are the most common scenarios where you’ll need one.
Healthcare
Healthcare organizations need a DUA whenever they share patient data with external parties, an industry facing breach costs averaging $7.42 million per incident. This includes research partnerships, clinical trials, and third-party analytics providers.
The agreement establishes three critical protections:
- Permitted uses for the data
- Required security measures
- Breach response procedures
Research
Research institutions and individual researchers rely on DUAs to protect sensitive information during their studies. For example, if you’re sharing clinical trial results, a DUA ensures the recipient only uses the data for research purposes and strips out personal identifying information before they begin their analysis.
Technology
Software companies that share data with a third-party vendor to perform data analysis or develop new products also need to craft a DUA.
Finance
Financial institutions need DUAs when partnering with technology companies on product development. Banks sharing transaction histories, credit profiles, or behavioral data must contractually define how partners can use that information. The DUA protects both customer privacy and the bank’s proprietary business intelligence.
Government
When partnering with government agencies, you’ll need a DUA to ensure sensitive data is only shared for authorized purposes. The agreement guarantees that anyone accessing the information takes the right steps to protect its confidentiality.
When do you need a data use agreement?
You need a data use agreement whenever you’re sharing data that contains sensitive information with an external party. The trigger isn’t the data format or storage method, it’s the combination of data sensitivity and external access.
Specific triggers requiring a DUA:
- Sharing protected health information as a limited data set
- Providing customer data to vendors for analytics or processing
- Transferring research data between institutions
- Giving partners access to proprietary business intelligence
- Sharing employee information with benefits administrators
- Providing student records to researchers
- Allowing third-party access to financial transaction data
You don’t typically need a DUA for:
- Fully de-identified data with no re-identification risk
- Data the recipient already owns or controls
- Public information with no confidentiality concerns
- Internal data sharing within the same legal entity
If you’re unsure whether a DUA is needed, ask three questions: Does the data include personal or confidential information? Is a party outside your organization receiving access? Could misuse create legal, financial, or reputational risk? If you answer yes to all three, execute a DUA before sharing the data.
How does a DUA differ from other data agreements?
Organizations use multiple agreement types to govern data relationships. Each serves a distinct purpose based on the data flow and regulatory context.
DUA vs. data sharing agreement
A data use agreement governs one-way data flow from owner to user. The owner retains control and sets usage terms.
A data sharing agreement governs reciprocal exchange where multiple parties both contribute and receive data. All parties have obligations as both data providers and recipients.
Example: A hospital providing patient data to a research university uses a DUA. Two universities pooling research datasets for a joint study use a data sharing agreement.
DUA vs. data processing agreement (DPA)
A data processing agreement applies when one party processes personal data on behalf of another under the General Data Protection Regulation (GDPR) or similar privacy laws. The processor acts as a service provider with no independent right to use the data.
A data use agreement grants specific usage rights to the recipient. The recipient may analyze, publish, or derive insights from the data within agreed boundaries.
Example: A cloud storage vendor holding your data uses a DPA (they’re just storing it). A marketing analytics firm examining your customer data to generate insights uses a DUA.
DUA vs. business associate agreement (BAA)
A business associate agreement is HIPAA’s specific version of a data processing agreement. It governs how business associates handle protected health information on behalf of covered entities.
A data use agreement under HIPAA specifically addresses limited data sets, or de-identified data that retains some utility for research.
Example: A billing company processing your healthcare claims needs a BAA. A researcher analyzing your de-identified patient outcomes needs a DUA.
The key distinction: BAAs cover fully identifiable protected health information and impose HIPAA’s full security rule. DUAs cover limited data sets with reduced identifiers and impose whatever terms the parties negotiate.
What are the requirements of a DUA?
A comprehensive DUA typically includes 24 core elements that define the data relationship, establish security requirements, and create accountability mechanisms. While that sounds like a lot to track, what this really means for you is ensuring every agreement covers these essential categories:
Identity and authority elements:
- Name
- Legal Authority for Data Use
- Program Authority for Data Use
- Custodian of Data
- Agency Point of Contact (Project Officer)
Purpose and scope elements:
- Purpose
- Background
- Mutual Interest of Entities
- Responsibilities of Entities
Financial elements:
- Funding Information
- Costs and Reimbursement
Security and compliance elements:
- Data Security Procedures
- Inspecting Security Arrangements
- Records Usage, Duplication, and Re-disclosure Restrictions
Operational elements:
- Data Transfer, Media, and Methods for the Exchange
- Reporting Requirements
- Record Keeping, Retention, and Disposition of Records
Risk and oversight elements:
- Potential Work Constraints
- Ownership
- Results Reporting and Public Data Release Conditions
- Data Release Policy and Procedures for Researchers
- Penalties for Unauthorized Information Disclosure
Contract administration elements:
- Term of the Agreement
- Constraints (Performance Standards, DUA Review Procedures, Audit Clause, Liability Issues, Definition of a Breach)
Standard clauses of a data use agreement
Every DUA looks a little different depending on the data involved and the relationship between the parties. That said, most agreements include some version of these core clauses.
Data definition
The data definition clause specifies exactly what information the DUA covers. This includes the data format, authorized users, and any restrictions on use.
Key components of a data definition clause:
- Precise description of included data elements
- File formats and delivery methods
- Access permissions by role
- Prohibited uses
- Geographic or temporal scope
Purpose of use
The purpose of use clause restricts how recipients may apply the data. This clause prevents mission creep, or situations where data shared for one purpose gets repurposed without authorization.
Typical restrictions include:
- Specific projects or initiatives only
- No commercial use of research data
- No combination with other datasets
- No transfer to third parties
These limitations protect data owners from liability and ensure compliance with privacy regulations.
Confidentiality
Confidentiality clauses prevent recipients from sharing data beyond agreed boundaries. These clauses create legal liability for leaks, whether intentional or accidental.
Standard confidentiality terms prohibit:
- Sharing data with unauthorized personnel
- Creating copies without permission
- Transferring data to third parties
- Discussing data contents publicly
- Retaining data after agreement termination
Data security
Data security clauses mandate specific protection measures recipients must implement. These requirements create enforceable standards that go beyond “reasonable” security.
Common security mandates include:
- Encryption for data in transit and at rest (typically AES-256 or equivalent)
- Multi-factor authentication for data access
- Role-based access controls
- Secure physical storage for any printed materials
- Regular security audits and vulnerability assessments
- Incident response procedures
- Data breach notification timelines
The clause should specify whether you must meet particular frameworks like SOC 2, ISO 27001, or HIPAA security rules.
Data ownership
The data ownership clause can specify who owns the data and what rights the recipient has to use or disclose it. Clarifying ownership helps the data owner retain control over the data and take action if the recipient violates the terms of the agreement.
Roles and responsibilities
A strong DUA clearly outlines who is responsible for what. This includes defining the obligations of the data provider, the data recipient, and any IT or compliance stakeholders involved in securing the data transfer and storage. Without this clarity, it’s easy for obligations to fall through the cracks and for disputes to arise when something goes wrong.
Term and termination
Term and termination clauses define how long the DUA lasts and how either party can end it. Most DUAs run for a specific period (one to five years) with optional renewal terms.
Early termination typically allows exit for:
- Material breach by either party
- Regulatory violations
- Changes in law making the agreement unenforceable
- Mutual written consent
Upon termination, recipients must return or destroy all data within a specified timeframe, usually 30 to 90 days.
Liability and indemnification
Liability and indemnification clauses assign financial responsibility when something goes wrong. These provisions answer the question: who pays when data gets misused?
Standard liability terms cover:
- Data breach costs (notification, credit monitoring, and legal fees)
- Regulatory fines from violations
- Damages to data subjects
- Reputational harm to the data owner
- Third-party claims arising from data misuse
Recipients typically agree to indemnify (reimburse) data owners for losses caused by the recipient’s actions. Insurance requirements often accompany these clauses. Recipients may need cyber liability coverage of $1-5 million depending on data sensitivity.
Compliance with laws
Compliance clauses require both parties to follow applicable laws governing the data. With GDPR enforcement alone resulting in over €5.88 billion in cumulative fines according to DLA Piper, these clauses carry real financial weight. This includes privacy regulations, industry-specific rules, and cross-border data transfer requirements.
Key regulatory frameworks that typically apply:
- GDPR for European personal data
- CCPA/CPRA for California residents
- HIPAA for protected health information
- FERPA for student records
- Industry-specific regulations (financial services, telecommunications, etc.)
The clause should address conflict resolution—when state and federal laws differ, which takes precedence? When international transfers occur, which country’s law governs?
Dispute resolution
Dispute resolution clauses establish how you’ll handle disagreements without immediately going to court. These provisions typically require a stepped approach: negotiate first, escalate later.
A standard dispute resolution clause typically follows this progression:
- First, you’ll engage in good faith negotiation for 30 to 60 days.
- If negotiation fails, you’ll move to mediation with a neutral mediator.
- Next comes binding arbitration, which offers a faster and more private alternative to court.
- Finally, you’ll turn to litigation as an absolute last resort.
The clause specifies the location, applicable rules, and cost allocation for each step. Arbitration is often preferred for DUAs because it keeps sensitive data matters confidential. Court proceedings become public record.
Governing law
Governing law clauses specify which jurisdiction’s laws interpret the agreement. This matters because data protection requirements vary dramatically by location.
Contract interpretation typically follows the law of:
- The state where the data owner operates
- The state where the recipient operates
- A neutral jurisdiction chosen by both parties
- The location where data is physically stored
Beyond contract law, DUAs must comply with:
- General Data Protection Regulation (GDPR) for EU residents’ data
- California Consumer Privacy Act (CCPA) for California residents
- Health Insurance Portability and Accountability Act (HIPAA) for health information
- Gramm-Leach-Bliley Act (GLBA) for financial data
- Family Educational Rights and Privacy Act (FERPA) for student records
The U.S. lacks a federal comprehensive data protection law. Your DUA may need to comply with 20 state-level privacy statutes simultaneously, each with different requirements for consent, disclosure, and individual rights.
Managing data use agreements at scale
Managing multiple DUAs manually creates risk you can’t afford. When you’re tracking dozens or hundreds of data relationships—each with different permitted uses, security requirements, and termination dates—spreadsheets break down fast. When handled efficiently, high-volume, standardized agreements can move quickly. For instance, our research in the 2026 Contracting Benchmark Report found that standard agreements like non-disclosure agreements (NDAs) average just 12 days to sign with only 27% legal involvement. But achieving that kind of velocity with DUAs requires moving away from manual tracking.
The core challenges:
- Knowing which DUAs are active and which have expired
- Tracking what data each recipient may access
- Monitoring compliance with security and use restrictions
- Managing renewals before relationships lapse
- Retrieving specific DUA terms when questions arise
Organizations handling significant data sharing need systematic obligation management. According to Gartner, “84% of general counsel agree it is important to collect and store all contracts in a central repository, and 74% prioritize extracting as much metadata as possible. Yet, despite recognizing this need, only 7% of legal departments actually find it easy to access all their essential contract data.” Most CLM platforms include dedicated features for exactly this—agreement templates, obligation tracking, and automated renewal alerts. The Ironclad Repository automatically tags key dates, permitted uses, and security requirements across all your DUAs, while the Workflow Designer routes renewals and compliance reviews to the right stakeholders before deadlines hit.
The alternative—scrambling to find agreements in email threads or shared drives when regulators ask questions—creates unnecessary exposure. Most CLM platforms offer basic repository functions to help organize these files, but our platform actively extracts and monitors your DUA obligations so you never miss a compliance deadline. Request a demo today to see how contract lifecycle management eliminates DUA tracking chaos.
Test your contract maturity
Frequently asked questions about data use agreements
An example of a data use agreement is a university medical center executing a contract with a pharmaceutical company to share de-identified clinical trial data for drug development. The DUA specifies that the pharmaceutical company cannot sell the data, combine it with other datasets, or use it to re-identify participants.
A data processing agreement (DPA) is a GDPR-required contract for any service provider processing personal data on your behalf, while a business associate agreement (BAA) is the HIPAA-specific version required when vendors handle protected health information.
You need both when a business associate receives a limited data set—the BAA covers their role as a HIPAA business associate, while the DUA governs the specific permitted uses of the limited data set they receive.
Most DUAs last one to five years, though research-focused agreements may extend longer to cover the full study period, and recipients typically must destroy data within 30-90 days of termination unless the agreement specifies otherwise.
Ironclad is not a law firm, and this post does not constitute or contain legal advice. To evaluate the accuracy, sufficiency, or reliability of the ideas and guidance reflected here, or the applicability of these materials to your business, you should consult with a licensed attorney. Use of and access to any of the resources contained within Ironclad’s site do not create an attorney-client relationship between the user and Ironclad.
Sources
- Gartner, Most GC Pursue a Costly & Ineffective Contract Analytics Strategy, James Crocker, Rachel Pakianathan, and Rithika Lanka, 24 February 2026.



