Effective Date: July 5, 2022

Data Processing Agreement

This Data Processing Agreement (“DPA”) is incorporated into, and supplements, the J. J. Keller Terms of Use, as amended from time to time, or other agreement between J. J. Keller & Associates, Inc. (“J. J. Keller”) and Client governing J. J. Keller's provision, and Client’s receipt of the Services (collectively, the “Agreements”).

This DPA is an agreement between J. J. Keller and the entity who receives the Services from J. J. Keller pursuant to an Agreement that incorporates this DPA (“Client”) and is effective as of the date this DPA is incorporated into such Agreement (the “DPA Effective Date”). J. J. Keller and Client are individually referred to herein as a “Party” and, collectively, as the “Parties”.

1. Definitions
For purposes of this DPA, the following capitalized terms shall have the meanings ascribed thereto. Other capitalized terms used in this DPA are defined in the context in which they are used and shall have the meanings indicated. Capitalized terms which are not defined herein shall have the meanings ascribed to them in the applicable Agreements.

1.1 “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq. and its implementing regulations.

1.2 “Client Instructions” means Client’s instructions to J. J. Keller to Process Client Personal Data on Client’s behalf: (1) as necessary to provide the Services to Client; (2) as documented in the Agreements and this DPA; and (3) as otherwise instructed by Client in writing and acknowledged and agreed by J. J. Keller.

1.3 “Client Personal Data” means any Personal Data Processed by J. J. Keller on behalf of Client via J. J. Keller's provision of the Services. Notwithstanding anything to the contrary herein, Client Personal Data does not include any Anonymized Data.

1.4 “Controller” means the natural or legal person or entity who determines the purposes and means of the Processing of Personal Data. For purposes of Data Protection Laws, the term “Controller” as used herein shall be interpreted to include applicable terms of similar import, as and to the extent applicable, used in the Data Protection Laws, including, without limitation, a “business” under the CCPA.

1.5 “Data Protection Law” means all laws, rules, regulations, and orders issued thereunder relating in any way to data protection, breach notification, privacy, or electronic marketing of any country, state, principality, or other territory that are applicable to the Processing of Client Personal Data under an Agreement, which may include, where applicable, the CCPA.

1.6 “Data Subject” means the identified or identifiable natural person to whom Personal Data relates. For purposes of Data Protection Laws, the term “Data Subject” as used in this DPA shall be interpreted to include terms of similar import, as and to the extent applicable, used in the Data Protection Laws, including, but not limited to, a “consumer” under the CCPA.

1.7 “Data Subject Request” means a request from an individual seeking to exercise rights granted to individuals under the Data Protection Laws which may include, to the extent granted under applicable Data Protection Laws, right of access, right of rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, objection to the sale of the individual’s Personal Data or right not to be subject to automated individual decision making.

1.8 “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable Data Subject.

1.9 “Processing” (including corollary terms) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including, without limitation, collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.10 “Processor” means the entity which Processes Personal Data on behalf of the Controller, or, as applicable, on behalf of a Processor. For purposes of the Data Protection Laws, the term “Processor” as used in this DPA shall be interpreted to include terms of similar import, as and to the extent applicable, used in the Data Protection Laws, including, without limitation, a “service provider” under the CCPA.

1.11 “Security Breach” means a breach of J. J. Keller's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data on systems managed or otherwise controlled by J. J. Keller.

1.12 “Security Documentation” means the security documents applicable to the specific Services provided to Client, as updated from time to time and as made reasonably available to Client by J. J. Keller.

1.13 “Services” means those services provided by J. J. Keller to Client pursuant to an Agreement where, in the performance of such services, J. J. Keller Processes Client Personal Data on behalf of Client and pursuant to the applicable Client Instructions.

1.14 “Sub-Processor” means a Processor engaged by J. J. Keller to Process Client Personal Data on Client’s behalf under this DPA. Sub-Processors may include third parties or Affiliates but will exclude any J. J. Keller employee or consultant. For clarity, any independent Processor Client instructs J. J. Keller to provide Client Personal Data to shall not be considered a Sub-Processor.

1.15 “Supervisory Authority” means any applicable federal, state, local, or foreign government or any provincial, departmental, or other political subdivision thereof, or any entity, body, or authority having or asserting executive, legislative, judicial, regulatory, administrative, or other governmental functions of any court, department, commission, board, bureau, agency, or instrumentality of any of the foregoing, responsible for or involved in the enforcement and/or oversight of the Data Protection Laws.

2. Scope of DPA

2.1 Role of the Parties. As between J. J. Keller and Client, Client shall be the Controller and J. J. Keller shall be the Processor with respect to Client Personal Data Processed by J. J. Keller on Client’s behalf in connection with J. J. Keller's provision of the Services to Client.

2.2 Scope of Processing. This DPA shall apply to all Processing of Client Personal Data by J. J. Keller on behalf of Client pursuant to the terms of the applicable Agreement and this DPA and in accordance with the Client Instructions.

2.3 Limitation of Obligations. Notwithstanding anything to the contrary in this DPA, Client acknowledges and agrees that J. J. Keller has no obligation to assess Client Personal Data in order to identify information subject to any legal requirements. Client further acknowledges and agrees that this DPA and J. J. Keller’s actions under this DPA do not, and shall not be interpreted to, relieve Client of its obligations under the Data Protection Laws and Client shall be solely responsible for its compliance therewith.

2.4 Excluded Processing. Notwithstanding anything to the contrary in the Agreements or this DPA, Client acknowledges and agrees that due to the nature of J. J. Keller’s operations and the services J. J. Keller provides, J. J. Keller acts as a Controller with respect to certain Personal Data Processed in connection with those operations and services (“J. J. Keller Personal Data”) and that such J. J. Keller Personal Data may include Client Personal Data. Client expressly agrees that any J. J. Keller Personal Data Processed by or on behalf of J. J. Keller in its role as a Controller is not subject to this DPA. Further, the Parties agree that with respect to any Personal Data to which either Party is a Controller, the Parties are independent Controllers with respect to such Personal Data.

2.5 Anonymized Data. Notwithstanding anything to the contrary in the Agreement or this DPA, Client acknowledges and agrees that J. J. Keller may aggregate, anonymize, and/or de-identify the Client Personal Data in accordance with the Data Protection Laws (“Anonymized Data”), and Client further acknowledges and agrees that Client shall not acquire any right, title, or interest in or to any Anonymized Data.

3. Client Obligations

3.1 Compliance. Client shall comply with the Agreements, including this DPA, and the Data Protection Laws in connection with the Processing of Personal Data applicable to Client as a Controller, including, without limitation:

  1. providing legally-compliant privacy notices to, and obtaining all necessary consents and permissions from, Data Subjects with respect to the Processing of such Data Subjects’ Personal Data included within the Client Personal Data;
  2. complying with Data Subject Requests;
  3. providing notice to Data Subjects of Client’s use of J. J. Keller as a Processor;
  4. ensuring Client has the right to transfer, or provide access to, the Client Personal Data to J. J. Keller for the purpose of J. J. Keller Processing the Client Personal Data on Client’s behalf pursuant to the Agreements and this DPA; and
  5. complying with all other obligations applicable to a Controller.

3.2 Accuracy and Quality of Client Personal Data. Client shall have the sole responsibility for the accuracy and quality of the Client Personal Data provided by Client to J. J. Keller for Processing through or in connection with the Services and complying with all applicable laws, including, without limitation, the Data Protection Laws, with respect to the means by which Client acquired such Client Personal Data.

3.3 Client Instructions. Client shall be solely responsible for ensuring that all Client Instructions comply with all applicable laws, including, without limitation, the Data Protection Laws.

3.4 Data Localization Requirements. Without limiting anything set forth in the Agreements or this DPA, Client shall notify J. J. Keller of any data localization requirement or restriction on the transfer of Client Personal Data to the extent that such requirement or restriction may affect J. J. Keller’s Processing of such Client Personal Data in accordance with the applicable Agreement or this DPA.

3.5 Restrictions on Client Personal Data. For the avoidance of doubt and without limiting anything set forth in the Agreements or this DPA, Client shall not provide or otherwise instruct J. J. Keller to Process any Personal Data subject to the data protection laws and regulations applicable to any country, state, principality, or other territory outside the United States of America or, if applicable to the Services provided to Client pursuant to the applicable Agreement, Canada, including, without limitation, the European Union General Data Protection Regulation (Regulation (EU) 2016/679).

4. J. J. Keller Obligations

4.1 Compliance. With respect to J. J. Keller’s Processing of Client Personal Data on behalf of Client in its provision of Services as a Processor, J. J. Keller shall perform such Processing in accordance with the applicable Agreement, the Data Protection Laws, and this DPA. J. J. Keller shall comply with the Client Instructions with respect to J. J. Keller’s Processing of Client Personal Data unless applicable law to which J. J. Keller is subject requires J. J. Keller to undertake other Processing of Client Personal Data, in which case J. J. Keller will notify Client (unless otherwise prohibited by such applicable law) before undertaking such other Processing.

4.2 Restrictions. Without limiting anything set forth in the Agreements or this DPA, J. J. Keller shall not:

  1. sell (as and to the extent such term is defined in the Data Protection Laws) Client Personal Data;
  2. retain, use, or disclose the Client Personal Data for any purpose other than the business purposes specified in the applicable Agreement or this DPA, including, retaining, using, or disclosing Client Personal Data for a commercial purpose other than the applicable business purposes or as otherwise permitted under the Data Protection Laws;
  3. retain, use, or disclose Client Personal Data outside of the direct relationship between J. J. Keller and Client except as necessary to perform the Services under the applicable Agreement or otherwise pursuant to the Client Instructions; and/or
  4. combine the Client Personal Data which J. J. Keller receives from or on behalf of Client, with Personal Data J. J. Keller receives from or on behalf of any third party or collects through J. J. Keller’s own interactions with Data Subjects.

4.3 Certification. J. J. Keller certifies to Client that it understands and will comply with the foregoing restrictions placed on its Processing of Client Personal Data. Further, J. J. Keller shall notify Client without undue delay if J. J. Keller is or is likely to become unable to substantially comply with any of its material obligations under this DPA.

5. Rights of Data Subjects

5.1 Notification of Requests. In the event J. J. Keller receives a Data Subject Request in relation to Client Personal Data and the request identifies Client as the Controller, J. J. Keller will advise the Data Subject to submit their request to Client. Client will be responsible for responding to any Data Subject Request.

5.2 J. J. Keller’s Assistance. Taking into account the nature of the Processing of Client Personal Data undertaken by J. J. Keller, J. J. Keller shall provide reasonable assistance to Client, through J. J. Keller’s appropriate technical and organizational measures, insofar as this is possible, in fulfilling J. J. Keller’s obligations under the Data Protection Laws as a Processor to respond to Data Subject Requests.

6. Disclosures of Personal Data by J. J. Keller

6.1 J. J. Keller Personnel. J. J. Keller shall take reasonable steps to ensure the reliability and confidentiality of any employee, agent, or contractor who J. J. Keller provides access to the Client Personal Data, ensuring that access is strictly limited to those individuals who need to access the relevant Client Personal Data for the purposes of providing the Services and as otherwise necessary to comply with J. J. Keller’s obligations under the Agreements, this DPA, and applicable laws.

6.2 Third Parties. J. J. Keller may disclose and Process the Client Personal Data: (1) as permitted under the applicable Agreement and this DPA; (2) to the extent required by applicable law (subject to compliance with the Data Protection Laws); (3) to a Supervisory Authority and/or otherwise as required by the Data Protection Laws; and (4) on a “need-to-know” basis under an obligation of confidentiality or professional secrecy to its legal counsel(s), data protection advisor(s), and accountant(s).

7. Sub-Processors

7.1 Engagement. Client acknowledges and agrees that J. J. Keller may engage Sub-Processors to Process Client Personal Data on Client’s behalf. Where J. J. Keller engages any such Sub-Processor, J. J. Keller will impose data protection terms on such Sub-Processor that provide at least the same level of protection for Client Personal Data as those specified in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processor. J. J. Keller will remain responsible for all obligations assigned to, and all acts and omissions, of each Sub-Processor with respect to each such Sub-Processor’s Processing of Client Personal Data on behalf of Client.

7.2 Notification of Sub-Processors. To the extent required under the Data Protection Laws, J. J. Keller shall make available to Client information about any Sub-Processor engaged by J. J. Keller to Process Client Personal Data on Client’s behalf.

8. Security and Additional Assistance

8.1 Security Measures. Taking into account the nature of the Processing of Client Personal Data undertaken by J. J. Keller on behalf of Client, J. J. Keller shall, in relation to its Processing of Client Data, implement and maintain appropriate technical, physical, and organizational measures described in the Security Documentation, provided that such measures shall provide appropriate protections for the Client Personal Data and include appropriate and commercially reasonable technical and organizational security controls designed to prevent reasonably foreseeable accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access to the Client Personal Data and other security controls required under the Data Protection Laws (the “Security Measures”).

8.2 Review of Security Documents. Upon Client’s written request at reasonable intervals, but no more frequently than annually, and subject to the confidentiality obligations set forth in the Agreements and this DPA, J. J. Keller will make available to Client a copy of J. J. Keller’s applicable Security Documents, which may include, based on the Services provided under the applicable Agreement, J. J. Keller’s most recent third party audits or certifications; provided, however, that such Security Documents, including, without limitation, any audits, certifications, and the results therefrom, and the documents reflecting the outcome of the audit and/or certifications contained therein, shall only be used by Client to assess J. J. Keller’s compliance with this DPA and/or the Data Protection Laws, and shall not be used for any other purpose or disclosed to any third party without J. J. Keller’s prior written approval and, upon J. J. Keller’s request, Client shall return all such Security Documents in Client’s possession or under its control.

8.3 Audits.

  1. Solely to the extent required under the Data Protection Laws and subject to this Section 8.3, J. J. Keller will allow Client, no more frequently than annually, to conduct audits (including inspections) to verify J. J. Keller’s compliance with its obligations under this DPA (“Client Audit”); provided, however, any such Client Audit, including, without limitation, any observations, conclusions, or other results of any such Client Audit and any documents reflecting the foregoing (collectively, “Client Audit Results”), shall only be used by Client to assess J. J. Keller’s compliance with this DPA and/or the Data Protection Laws, and shall not be used for any other purpose or disclosed to any third party without J. J. Keller’s prior written approval and, subject to express requirements under the Data Protection Laws to the contrary, upon J. J. Keller’s request, Client shall return all such Client Audit Results in Client’s possession or under its control.
  2. Client must send any requests to conduct a Client Audit of J. J. Keller to compliance@jjkeller.com. Following J. J. Keller’s receipt of such request, J. J. Keller and Client will discuss and agree in advance on the reasonable start date and duration of such Client Audit and the scope of J. J. Keller’s technical and organizational measures in scope for such Client Audit. Notwithstanding the foregoing, unless otherwise agreed by J. J. Keller in writing, any Client Audit: (1) involving inspection of J. J. Keller business offices or data centers shall be limited to such J. J. Keller business offices or data centers where J. J. Keller Processes Client Personal Data on behalf of Client and shall expressly exclude inspection of or access to any premises and systems containing Personal Data J. J. Keller Processes on behalf of itself or any third party that is logically but not physically separated from Client Personal Data; (2) shall only occur during J. J. Keller’s normal business hours; (3) shall be conducted in a manner that minimizes any disruptions to J. J. Keller’s business operations; and (4) shall be subject to all confidentiality obligations set forth in the Agreements and security measures in effect at the applicable J. J. Keller business office or data center.
  3. Except as otherwise expressly prohibited under the Data Protection Laws, J. J. Keller may charge a fee (based on J. J. Keller’s reasonable costs) for any Client Audit conducted pursuant to this Section 8.3. Upon Client’s written request, J. J. Keller will provide Client with further details of any applicable fee, and the basis of its calculation, in advance of the applicable Client Audit. Without limiting the foregoing, Client will be responsible for any fees charged by any auditor appointed by Client to execute any such Client Audit.
  4. J. J. Keller may object in writing to any auditor appointed by Client to conduct any Client Audit under this Section 8.3 if the auditor is, in J. J. Keller’s reasonable opinion, not suitably qualified or independent, a competitor of J. J. Keller, or otherwise manifestly unsuitable. Any such objection by J. J. Keller will require Client to appoint another auditor or conduct the Client Audit itself.
  5. Without limiting the foregoing, prior to conducting any Client Audit, Client shall undertake reasonable efforts to conduct any such Client Audit through a review of the Security Documents in accordance with the procedures described in Section 8.2.

8.4 Security Breach. In the event of a Security Breach, J. J. Keller will notify Client promptly and without undue delay after J. J. Keller discovers such Security Breach. Such notification of a Security Breach will be delivered to the notice address for Client provided in the applicable Agreement, or, at J. J. Keller’s discretion, by telephone or other direct communication. J. J. Keller will provide reasonable assistance to Client to investigate, remediate, and mitigate the effects of a Security Breach and to comply with any requirements to notify affected Data Subjects, applicable Supervisory Authorities, or other third parties, all as and to the extent required under the Data Protection Laws.

9. Retention and Destruction of Client Personal Data

9.1 Deletion During DPA Term. During the DPA Term, except in connection with the expiration or earlier termination of a Service, J. J. Keller will delete applicable Client Personal Data upon J. J. Keller’s receipt of an applicable Client Instruction during the DPA Term to do so in accordance with the procedures set forth in this Section 9.1. Without limiting the generality of the foregoing, in the event Client uses functionalities available via the Services (if any) to delete any Client Personal Data during the DPA Term and such Client Personal Data cannot be recovered by Client, this will constitute a Client Instruction to J. J. Keller to delete the relevant Client Personal Data from the applicable J. J. Keller systems in accordance with applicable law, including, without limitation, the Data Protection Laws. J. J. Keller will comply with such Client Instruction as soon as reasonably practicable and, in any event, unless applicable law requires J. J. Keller to retain such Client Personal Data for a longer period, within 180 days (or, if shorter, the maximum period permitted under the Data Protection Laws).

9.2 Deletion Upon Expiration or Termination of Applicable Agreement or Service(s). Client hereby provides J. J. Keller a Client Instruction to delete all applicable Client Personal Data (including existing copies) from the applicable J. J. Keller systems in accordance with applicable law upon the expiration or termination of the applicable Agreement or any Service provided under an Agreement. J. J. Keller will comply with such Client Instruction as soon as reasonably practicable and, in any event, unless applicable law requires J. J. Keller to retain such Client Personal Data for a longer period, within 30 days (or, if shorter, the maximum period permitted under the Data Protection Laws) after the expiration or earlier termination of the applicable Agreement or any Service, as applicable. For clarity, except as expressly required under applicable law or the applicable Agreement, in no event shall J. J. Keller be required or otherwise obligated to retain any applicable Client Personal Data more than thirty (30) days after the expiration or termination of the applicable Agreement or the applicable Service(s).

10. Additional Terms

10.1 Liability and Indemnification. With respect to any claim, loss, or liability based upon, arising out of, resulting from, or in any way connected with a Party’s performance or breach of this DPA: (1) such Party shall only be obligated to indemnify, defend, and hold the other Party harmless to the extent such obligation exists pursuant to such Party’s indemnification, defense, and hold harmless obligations set forth in the applicable Agreement; and (2) each Party’s total liability to the other Party is limited in accordance with the applicable limitations of liability set forth in the applicable Agreement.

10.2 Term. This DPA shall be effective as of the DPA Effective Date and continue in full force and effect until J. J. Keller ceases providing all Services to Client under and in accordance with the Agreements (the “DPA Term”). The provisions of this DPA which by their nature are intended to survive the expiration or earlier termination of this DPA shall continue as valid and enforceable obligations of the Parties notwithstanding any such termination or expiration. Without limitation, the provisions regarding confidentiality, compliance with the Data Protection Laws, and restrictions on the Processing of Client Personal Data shall survive the expiration or earlier termination of this DPA.

10.3 Relationship to Agreement. This DPA shall be governed by and construed in accordance with the terms set out in the applicable Agreement as if fully set forth herein. Without limiting anything set forth herein, the Parties acknowledge and agree that they have taken all actions (if any) required under each Agreement to incorporate this DPA into such Agreement. Any dispute arising out of this DPA shall be resolved as set out in the applicable Agreement. The requirements set forth in this DPA are in addition to, and not in lieu of, any similar requirements set forth in the applicable Agreement. Notwithstanding anything to the contrary in the applicable Agreement, to the extent of any conflict or inconsistency between the terms of this DPA and such Agreement, this DPA shall control. Except as set forth in this DPA, the Agreements remain in full force and effect, as amended, and are hereby ratified and confirmed in all respects.

10.4 Invalidity. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (1) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as completely as possible; or (2) if (1) is not possible, construed in a manner as if the invalid or unenforceable part had never been contained in this DPA.

10.5 Amendments. J. J. Keller may update or modify this DPA from time to time by, without limitation, posting a revised version of this DPA on J. J. Keller’s website and publishing a general notice of such changes via the J. J. Keller website or, as applicable and feasible, through the Services. Subject to compliance with applicable laws, Client’s access to or use of the Services after receiving notice of changes to this DPA, whether by general notice or direct notice provided by J. J. Keller to Client, shall constitute Client’s acceptance of such updates or modifications.

10.6 Changes to Data Protection Laws. J. J. Keller and Client acknowledge that the Data Protection Laws as of the DPA Effective Date may change during the DPA Term, including, without limitation, the California Privacy Rights Act (effective January 1, 2023), the Virginia Consumer Data Protection Act (effective January 1, 2023), and the Colorado Privacy Act (effective July 1, 2023). J. J. Keller and Client shall comply with any and all such changes to the extent applicable to the Processing of Client Personal Data under the Agreement and this DPA, including, without limitation, entering into any necessary amendments to this DPA and/or separate agreements to the extent necessary to comply with such changes.