TDPSA — Tex. Bus. & Com. Code ch. 542, eff. Sept. 1, 2025
Texas Safe Harbor
Track the work required to implement and keep current with a recognized framework. The TDPSA provides an affirmative defense for businesses that maintain a comprehensive cybersecurity program — we help you organize and document yours.
Overview
What Is the Texas Safe Harbor?
Under the TDPSA, businesses that create, maintain, and comply with a written cybersecurity program that reasonably conforms to a recognized framework can invoke the safe harbor as an affirmative defense against data breach claims.
The Law
The TDPSA, effective September 1, 2025, grants Texas businesses a powerful legal tool: if you maintain a compliant cybersecurity program and a breach still occurs, you have an affirmative defense against resulting lawsuits and enforcement actions.
Recognized Frameworks
- NIST Cybersecurity Framework (CSF)
- NIST SP 800-171
- CIS Critical Security Controls
- ISO/IEC 27001
- SOC 2
- FTC Safeguards Rule
- PCI-DSS
- CMMC (Levels 1–3)
Why It Matters
The Business Case for Safe Harbor
Qualifying for the Texas Safe Harbor isn't just about legal protection — it's a strategic advantage.
Affirmative Defense
Gain a legally recognized defense against data breach lawsuits under the TDPSA.
Due Diligence
Demonstrate to regulators, customers, and partners that security is a top priority.
Reduced Legal Exposure
Significantly reduce potential damages from breach-related claims and enforcement actions.
Market Confidence
Signal to the market that your organization takes data security seriously.
National Benchmark
Texas is a major business hub — compliance here sets a standard that resonates nationwide.
Requirements
What You Need to Qualify
The TDPSA sets clear criteria. Meet all five to invoke the safe harbor defense.
Written Cybersecurity Program
You must have a documented, formalized cybersecurity program — not just informal practices.
Recognized Framework Alignment
Your program must reasonably conform to a recognized industry framework such as NIST CSF, NIST 800-171, CIS Controls, ISO 27001, or the FTC Safeguards Rule. Note: this applies to organizations with fewer than 250 employees.
Personal Information Protection
The program must be designed to protect the personal information of Texas residents that your business collects or processes.
Ongoing Maintenance
The cybersecurity program must be actively maintained and updated to address evolving threats.
Appropriate Scale
The program must scale to your organization's size, scope, complexity, and risk profile.
Our Platform
How Relevant Compliance Gets You Safe Harbor Ready
Survey-Driven Assessments
Guided assessments mapped directly to recognized frameworks like FTC Safeguards and NIST 800-171.
AI-Powered Gap Analysis
Our AI engine identifies gaps in your security posture and generates actionable remediation steps.
Task Management
Built-in task assignment and tracking ensure your team addresses every requirement on time.
Evidence Collection
Centralized evidence collection ensures you have the documentation needed for legal defensibility.
Framework Alignment
Supported Frameworks That Qualify
Relevant Compliance maps your cybersecurity program to recognized frameworks accepted under the TDPSA.
FTC Safeguards Rule
Required for financial institutions; maps directly to TDPSA safe harbor qualification.
CMMC / NIST 800-171
Defense-grade cybersecurity standard widely recognized by Texas courts and regulators.
HIPAA Security Rule
Healthcare-specific framework that satisfies safe harbor requirements for covered entities.
PCI-DSS
Payment card industry standard providing an additional layer of recognized compliance.
Protect your business with the Texas Safe Harbor defense
Don't wait for a breach — you need to prove you were qualified before that happens. Start building your written cybersecurity program today.