Effective Date: December 1, 2025
Data Processing Agreement
This Data Processing Agreement ("DPA") is incorporated into, and supplements, the J. J. Keller Terms of Use, as amended from time to time, or other agreement between J. J. Keller & Associates, Inc. ("J. J. Keller") and Client governing J. J. Keller's provision and Client's receipt of the Services (collectively, the "Agreement(s)").
This DPA is an agreement between J. J. Keller and the entity who receives the Services from J. J. Keller pursuant to an Agreement that incorporates this DPA ("Client") and is effective as of the date this DPA is incorporated into such Agreement (the "DPA Effective Date"). J. J. Keller and Client are individually referred to herein as a "Party" and, collectively, as the "Parties".
1. Definitions
For purposes of this DPA, the following capitalized terms shall have the meanings ascribed herein. Other capitalized terms used in this DPA are defined in the context in which they are used and shall have the meanings indicated. Capitalized terms which are not defined herein shall have the meanings ascribed to them in the applicable Agreement(s).
1.1 "Client Instructions" means Client's instructions to J. J. Keller to Process Client Personal Data on Client's behalf: (1) as necessary to provide the Services to Client; (2) as documented in the Agreement(s) or this DPA; or (3) as otherwise instructed by Client in writing and acknowledged and agreed by J. J. Keller.
1.2 "Client Personal Data" means any Personal Data Processed by J. J. Keller for or on behalf of Client under or in connection with J. J. Keller's performance under the applicable Agreement(s) or this DPA or otherwise pursuant to the Client Instructions. Notwithstanding anything to the contrary herein, Client Personal Data does not include any Anonymized Data.
1.3 "Controller" means the natural or legal person or entity who determines the purposes and means of the Processing of Personal Data and includes the term "Business" as similarly defined under applicable Data Protection Laws.
1.4 "Data Protection Law" means any applicable current and future laws, rules, regulations and guidance governing the privacy, security and protection of Client Personal Data Processed under the Agreement(s), which may include, without limitation: (1) the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et. seq. and its implementing regulations, each as amended from time to time, including, without limitation, as amended by the California Privacy Rights Act of 2020; (2) the Colorado Privacy Act; (3) the Connecticut Data Privacy Act; (4) the Delaware Personal Data Privacy Act; (5) the Iowa Consumer Data Protection Act; (6) the Montana Consumer Data Privacy Act; (7) the Nebraska Data Privacy Act; (8) the New Hampshire Data Privacy Act; (9) the New Jersey Data Protection Act; (10) the Oregon Consumer Privacy Act; (11) the Texas Data Privacy and Security Act; (12) the Utah Consumer Privacy Act; (13) the Virginia Consumer Data Protection Act; (14) any other state consumer privacy laws, in effect or that become effective during the term of the applicable Agreement(s); (15) the Federal Trade Commission Act, 15 U.S.C. §45 and its implementing regulations; (16) the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g) and the Family Educational Rights and Privacy Act Regulations (34 CFR Part 99) ("FERPA"); and/or (17) the Canadian Information Protection and Documents Act.
1.5 "Data Subject" means the identified or identifiable natural person to whom Personal Data relates and includes the term "Consumer" as similarly defined under applicable Data Protection Laws.
1.6 "Data Subject Request" means a request from an individual seeking to exercise rights granted to individuals under the Data Protection Laws.
1.7 "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable Data Subject.
1.8 "Processing" (including corollary terms) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including, without limitation, collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.9 "Processor" means the entity which Processes Personal Data on behalf of the Controller or, as applicable, a Processor and includes the term "Service Provider" as similarly defined under applicable Data Protection Laws.
1.10 "Security Breach" means a breach of J. J. Keller's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data on systems managed or otherwise controlled by J. J. Keller.
1.11 "Security Documentation" means the security documents applicable to the specific Services provided to Client, as updated from time to time and as made reasonably available to Client by J. J. Keller.
1.12 "Services" means those services provided by J. J. Keller to Client pursuant to an Agreement where, in the performance of such services, J. J. Keller Processes Client Personal Data on behalf of Client.
1.13 "Sub-Processor" means a Processor engaged by J. J. Keller or another Processor to assist in the provision of the Services who will Process Client Personal Data in connection therewith. For clarity, any third party to whom Client instructs J. J. Keller to provide Client Personal Data to shall not be considered a Sub-Processor under this DPA.
1.14 "Supervisory Authority" means any applicable federal, state, local or foreign government or any provincial, departmental or other political subdivision thereof, or any entity, body or authority having or asserting executive, legislative, judicial, regulatory, administrative or other governmental functions of any court, department, commission, board, bureau, agency or instrumentality of any of the foregoing responsible for or involved in the enforcement and/or oversight of the Data Protection Laws.
2. Scope of DPA
2.1 Role of the Parties. As between J. J. Keller and Client, Client shall be the Controller and J. J. Keller shall be the Processor with respect to Client Personal Data Processed by J. J. Keller on Client's behalf in connection with J. J. Keller's provision of the Services and pursuant to the Client instructions.
2.2 Purpose of Processing. The specific business purposes for which J. J. Keller Processes Client Personal Data pursuant to an Agreement and this DPA are: (1) J. J. Keller's performance of the Services; (2) Processing initiated by Data Subjects in their use, directly or indirectly, of the Services; and (3) Processing to comply with other Client Instructions (where such Client Instructions are consistent with the terms of the applicable Agreement(s) and this DPA). Client's disclosure of Client Personal Data to J. J. Keller is only for the foregoing and, if applicable, the other limited and specified business purpose(s) set forth in the applicable Agreement(s).
2.3 Limitation of Obligations. Notwithstanding anything to the contrary in this DPA, Client acknowledges and agrees that J. J. Keller has no obligation to assess Client Personal Data in order to identify information subject to any legal requirements. Client further acknowledges and agrees that this DPA and J. J. Keller's actions under this DPA do not, and shall not be interpreted to, relieve Client of its obligations under the Data Protection Laws and Client shall be solely responsible for its compliance therewith.
2.4 Anonymized Data. Notwithstanding anything to the contrary in the Agreement or this DPA, Client acknowledges and agrees that J. J. Keller may aggregate, anonymize, and/or de-identify the Client Personal Data in accordance with the Data Protection Laws ("Anonymized Data"), and Client further acknowledges and agrees that Client shall not acquire any right, title, or interest in or to any Anonymized Data. In connection with J. J. Keller's creation and Processing of Anonymized Data, J. J. Keller shall utilize appropriate methodologies, and implement appropriate technical, organizational, and other reasonable measures to ensure that any Anonymized Data, including in connection with the creation and any Processing thereof, does not, and cannot reasonably be used to, infer information about, or otherwise be linked to or associated with, any Data Subject. J. J. Keller will maintain and use any Anonymized Data in an aggregated, anonymized, or otherwise deidentified form and shall not attempt to reidentify the Anonymized Data.
3. Client Obligations
3.1 Compliance. Client shall comply with the applicable Agreement(s), this DPA, and the Data Protection Laws in connection with the Processing of Personal Data applicable to Client as a Controller, including, without limitation:
- providing legally-compliant privacy notices to, and obtaining all necessary consents and permissions from, Data Subjects with respect to the Processing of such Data Subjects' Personal Data included within Client Personal Data;
- responding to and fulfilling Data Subject Requests in accordance with applicable Data Protection Laws; and
- ensuring Client has the right to disclose to J. J. Keller, or provide J. J. Keller with access to, Client Personal Data for the purpose of J. J. Keller Processing Client Personal Data on Client's behalf as contemplated under the applicable Agreement(s), this DPA, and the Client Instructions; and
- providing J. J. Keller with only the Client Personal Data reasonably necessary for J. J. Keller to perform the Services or comply with applicable Client Instructions.
3.2 Accuracy and Quality of Client Personal Data. Client shall have the sole responsibility for the accuracy and quality of Client Personal Data provided by Client to J. J. Keller for Processing for the applicable business purposes, and complying with all applicable laws, including, without limitation, the Data Protection Laws, with respect to the means by which Client acquired such Client Personal Data.
3.3 Client Instructions. Client shall be solely responsible for ensuring that all Client Instructions comply with all applicable laws, including, without limitation, the Data Protection Laws.
3.4 Data Localization Requirements. Without limiting anything set forth in the Agreement(s) or this DPA, Client shall notify J. J. Keller of any data localization requirement or restriction on the transfer of Client Personal Data to the extent that such requirement or restriction may affect J. J. Keller's Processing of such Client Personal Data in accordance with the applicable Agreement or this DPA.
3.5 Restrictions on Client Personal Data. For the avoidance of doubt and without limiting anything set forth in the applicable Agreement(s) or this DPA, Client shall not provide or otherwise instruct J. J. Keller to Process any Personal Data subject to the data protection laws and regulations applicable to any country, state, principality, territory, or other jurisdiction outside the United States of America or, if applicable to the Services provided to Client pursuant to the applicable Agreement, Canada. For clarity and without limitation, Client shall not provide or otherwise instruct J. J. Keller to Process any Personal Data subject to the European Union General Data Protection Regulation (Regulation (EU) 2016/679).
3.6 Additional Obligations for Student Information. Without limiting anything otherwise set forth in the applicable Agreement(s) or this DPA, in the event Client Personal Data includes information that is protected under, or otherwise subject to, FERPA and/or other similar federal or state laws pertaining to the privacy and security of student information (such information is collectively referred to herein as "Student Information" and such laws are collectively referred to herein as "Student Privacy Laws"), Client shall notify J. J. Keller thereof. Further, in addition to, and not in lieu of, any other applicable obligations or requirements under the applicable Agreement(s) or this DPA, Client has the following obligations with respect to the Processing of any such Student Information:
- Client shall comply with all applicable Student Privacy Laws. Without limiting the foregoing, Client represents, warrants, and covenants to J. J. Keller that, as applicable, Client has:
- complied with the Directory Information exemption (as defined under FERPA) or similar exemption under the applicable Student Privacy Laws, including, without limitation, informing, as applicable, students or parents what information Client deems to be Directory Information and that such Directory Information may be disclosed, and allowing, as applicable, students or parents a reasonable amount of time to request Client not disclose Directory Information about such student if applicable, Client shall not provide J. J. Keller any Directory Information for any student that has opted out of the disclosure of such student's Directory Information;
- complied with the School Official (as defined under FERPA) exemption or similar exemption under the applicable Student Privacy Laws, including, without limitation, in Client's annual notification of FERPA rights, defining "school official" to include service providers and defining "legitimate educational interest" to include services such as the type provided by J. J. Keller; and
- obtained all necessary written consents from students or parents to enable Client to provide Student Information to J. J. Keller.
- Client shall employ administrative, physical and technical safeguards consistent with industry standards designed to protect usernames, passwords, and any other means of gaining access to the Services and/or hosted data from unauthorized access, disclosure, or acquisition by an unauthorized person.
- Without limiting anything set forth in the applicable Agreement(s) or this DPA, except as otherwise agreed by the Parties, Client will only provide Student Information to J. J. Keller where, and solely to the extent, necessary to enable J. J. Keller to provide the applicable Services.
4. J. J. Keller Obligations
4.1 Compliance.
- J. J. Keller shall comply with the applicable Agreement(s), this DPA, and applicable Data Protection Laws, including, with respect to any Client Personal Data collected by J. J. Keller pursuant to an Agreement or this DPA, providing the same level of privacy protection required of Client as a Controller under applicable Data Protection Laws.
- J. J. Keller shall only Process Client Personal Data for the limited and specified business purposes set forth in the applicable Agreement(s) and this DPA, or as otherwise permitted under applicable Data Protection Laws. In the event applicable law to which J. J. Keller is subject requires J. J. Keller to undertake other Processing of Client Personal Data, J. J. Keller will notify Client (unless otherwise prohibited by such applicable law) before undertaking such other processing.
4.2 Restrictions. Without limiting anything set forth in the Agreement(s) or this DPA, J. J. Keller shall not:
- sell or share (as and to the extent such terms are defined in the Data Protection Laws) Client Personal Data;
- retain, use, or disclose Client Personal Data for any purpose other than the business purposes specified in the applicable Agreement(s) or this DPA, including, retaining, using, or disclosing Client Personal Data for a commercial purpose other than the applicable business purposes or as otherwise permitted under the Data Protection Laws;
- retain, use, or disclose Client Personal Data outside of the direct relationship between J. J. Keller and Client except as necessary for the business purposes specified in the applicable Agreement(s) or this DPA; and/or
- combine Client Personal Data J. J. Keller receives from or on behalf of Client, with Personal Data J. J. Keller receives from or on behalf of any third party or collects through J. J. Keller's own interactions with Data Subjects, provided that J. J. Keller may combine Client Personal Data with other Personal Data to perform any business purpose permitted under the Data Protection Laws.
4.3 Certification. J. J. Keller certifies to Client that J. J. Keller:
- understands and will comply with the foregoing restrictions placed on J. J. Keller's Processing of Client Personal Data, including complying with applicable obligations under the Data Protection Laws; and
- will notify Client without undue delay if J. J. Keller is, or is likely to become, unable to substantially comply with any of J. J. Keller's material obligations under this DPA or applicable Data Protection Laws.
4.4 Data Protection Impact Assessments. J. J. Keller will assist Client in preparing a data protection impact assessment or assist with inquiries from government agencies or regulatory authorities where required by applicable Data Protection Laws.
4.5 Student Information. In addition to, and not in lieu of, any other applicable obligations or requirements under the applicable Agreement(s) or this DPA, J. J. Keller's obligations with respect to any Processing of Student Information undertaken by J. J. Keller through or in connection with the Services shall include the following:
- J. J. Keller will comply with all applicable Student Privacy Laws.
- J. J. Keller will not:
- collect, retain, use, or disclose Student Information for any purpose other than the specific purpose of performing the Services specified in the applicable Agreement(s), provided that, subject to J. J. Keller's compliance with applicable Student Privacy Laws, J. J. Keller may aggregate, de-identify or otherwise anonymize any Student Information ("Operational Student Information") and shall own any such Operational Student Information;
- engage in targeted advertising or retargeting to students or parents using the Student Information;
- use Student Information, including persistent unique identifiers, created or gathered by the Services to amass a profile about a student;
- sell Student Information; or
- disclose Student Information, unless required by law, for legitimate research purposes, or as part of the maintenance, development, support, operation or improvement of the Services in accordance with applicable law.
For clarity, the foregoing shall not prohibit J. J. Keller from using Student Information to provide the Services or as otherwise permitted under the applicable Agreement(s) or this DPA.
- As soon as reasonably practicable, and in any event, except as otherwise required under applicable laws or as otherwise provided under the applicable Agreement(s), within one hundred eighty (180) days, after the expiration or termination of an Agreement or any applicable Service provided under an Agreement, J. J. Keller will delete all applicable Student Information (including existing copies) in J. J. Keller's possession or under its reasonable control in accordance with applicable law. For clarity, the foregoing shall not apply, without limitation, to Operational Student Information.
- For parent or eligible student requests regarding Student Information:
- J. J. Keller will provide commercially reasonable assistance to Client for the fulfillment of Client's obligations to respond to student requests regarding Student Information, including requests related to access, correction, or deletion of such Student Information. For clarity, Client acknowledges that J. J. Keller may, but is not required to, comply with its obligations to provide such commercially reasonable assistance to Client by making appropriate features and functionalities available to Client through the Services that enable Client to engage in or facilitate Client's response to the foregoing requests. Without limiting the foregoing: (1) Client shall establish reasonable procedures by which a parent or eligible student may access, correct, or delete Student Information; and (2) J. J. Keller may, but has no obligation to, enable parents or eligible students to access (but not correct or delete) Student Information based on a direct request received by J. J. Keller from a parent or eligible student, provided, with respect to any requests provided by a parent, the foregoing shall only apply to a verified parent.
- Except as otherwise provided herein, should a third party (other than a Sub-Processor), including, but not limited to, law enforcement or other government entities (a "Requesting Party") contact J. J. Keller with a request for Student Information, J. J. Keller will advise the Requesting Party to request the Student Information directly from Client and will not provide the requested Student Information to the Requesting Party, unless and to the extent that J. J. Keller reasonably believes it is compelled to grant such access to the Requesting Party because the disclosure is necessary: (1) pursuant to a court order or legal process; (2) to comply with statutes or regulations; (3) to enforce the applicable Agreement(s); or (4) to protect the rights, property, or personal safety of J. J. Keller's users, employees or others. J. J. Keller will notify Client in advance of a compelled disclosure to a Requesting Party unless J. J. Keller is lawfully directed by the Requesting Party not to inform Client of the request or as otherwise prohibited under applicable laws.
- J. J. Keller agrees to utilize administrative, physical, and technical safeguards designed to protect Student Information from unauthorized access, disclosure, acquisition, destruction, use, or modification.
- Where required by law, Student Information shall be stored within the United States. Upon Client's request, J. J. Keller will provide a list of the locations where Student Information is stored.
- Client acknowledges and agrees that J. J. Keller may engage Sub-Processors to perform the Services. Where J. J. Keller engages any such Sub-Processor, J. J. Keller will:
- impose data protection obligations on such Sub-Processor that provide the same level of protection for Student Information as those specified in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processor;
- J. J. Keller will remain responsible for all obligations assigned to, and all acts and omissions of, each Sub-Processor with respect to such Sub-Processor's Processing of Student Information; and
- upon Client's reasonable written request, provide relevant information to Client about each such Sub-Processor's Processing of Student Information.
5. Rights of Data Subjects
5.1 Notification of Requests. In the event J. J. Keller receives a Data Subject Request related to Client Personal Data and the request identifies Client as the Controller, to the extent reasonably possible, J. J. Keller will, subject to compliance with applicable Data Protection Laws, at its option and in its discretion, advise the Data Subject to submit their request to Client or notify Client of such Data Subject Request. Client will be responsible for responding to and fulfilling any Data Subject Request.
5.2 J. J. Keller's Assistance. Taking into account the nature of the Processing of Client Personal Data undertaken by J. J. Keller, J. J. Keller will provide reasonable assistance to Client through appropriate technical and organizational measures, insofar as this is possible, in the fulfillment of Client's obligations to respond to a Data Subject Request under the Data Protection Laws as a Controller.
5.3 Data Subject Requests Seeking Deletion. Except as otherwise provided in the applicable Agreement(s) or this DPA, J. J. Keller will promptly delete, or subject to J. J. Keller's compliance with applicable Data Protection Laws, aggregate, anonymize, or de-identify applicable Client Personal Data upon Client's request in connection with an applicable Data Subject Request, unless applicable law, including, without limitation, any applicable Data Protection Laws, requires J. J. Keller to retain such Client Personal Data. If applicable, J. J. Keller shall direct any Sub-Processors with access to Client Personal Data to delete the applicable information.
6. Disclosures of Client Personal Data by J. J. Keller
6.1 J. J. Keller Personnel. J. J. Keller shall take reasonable steps to ensure the reliability of, and appropriate confidentiality obligations are imposed on, any employee, agent, or contractor to whom J. J. Keller provides access to Client Personal Data, ensuring that access is strictly limited to those individuals who need to access the relevant Client Data for the applicable business purposes specified in the applicable Agreement(s) or this DPA and as otherwise necessary to comply with J. J. Keller's obligations under the applicable Agreement(s), this DPA, the Client Instructions, and applicable laws.
6.2 Third Parties. J. J. Keller may disclose Client Personal Data to third parties: (1) as permitted under the applicable Agreement(s), this DPA, and in accordance with the Client Instructions or as otherwise necessary for the business purposes specified in the applicable Agreement(s) or this DPA; (2) to the extent required by applicable law (subject to compliance with applicable Data Protection Laws); (3) to a Supervisory Authority and/or as otherwise required by applicable Data Protection Laws; or (4) on a "need-to-know" basis under an obligation of confidentiality or professional secrecy to its legal counsel(s), data protection advisor(s), and accountant(s).
7. Sub-Processors
7.1 Engagement. Client acknowledges and agrees that J. J. Keller may engage Sub-Processors to Process Client Personal Data for or on behalf of Client for the business purposes specified in the applicable Agreement(s) or this DPA. Where J. J. Keller engages any such Sub-Processor, J. J. Keller will impose data protection terms on such Sub-Processor that provide at least the same level of protection for Client Personal Data as those specified in this DPA, to the extent applicable to the nature of the Processing of Client Personal Data undertaken by such Sub-Processor. J. J. Keller will remain responsible for all obligations assigned to, and all acts and omissions of, each Sub-Processor with respect to each such Sub-Processor's Processing of Client Personal Data for or on behalf of Client.
7.2 Notification of Sub-Processors. To the extent required under applicable Data Protection Laws, in the event J. J. Keller engages any Sub-Processor to Process Client Personal Data for or on behalf of Client, J. J. Keller will notify Client of such engagement.
8. Security and Additional Assistance
8.1 Security Measures. Taking into account the nature of the Processing of Client Personal Data undertaken by J. J. Keller on behalf of Client, J. J. Keller shall, in relation to its Processing of Client Personal Data, implement and maintain appropriate and commercially reasonable technical, physical, and organizational measures as described in the Security Documentation, provided that such measures shall provide appropriate protections for Client Personal Data and include appropriate and commercially reasonable technical and organizational security controls designed to prevent the reasonably foreseeable accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access to Client Personal Data in J. J. Keller's possession or otherwise under J. J. Keller's reasonable control and other security controls required under the Data Protection Laws.
8.2 Review of Security Documentation. Upon Client's written request at reasonable intervals, but no more frequently than annually, and subject to the confidentiality obligations set forth in the applicable Agreement(s) and this DPA, J. J. Keller will make available to Client a copy of the applicable Security Documentation, which may include, based on the Services provided under the applicable Agreement(s), J. J. Keller's most recent third party audits or certifications; provided, however, that such Security Documentation shall only be used by Client to assess J. J. Keller's compliance with this DPA and/or the Data Protection Laws, and Client shall not use such Security Documentation for any other purpose or disclose such Security Documentation to any third party without J. J. Keller's prior written approval and, upon J. J. Keller's request, Client shall return all such Security Documentation in Client's possession or under its control.
8.3 Audits.
- Solely to the extent required under the Data Protection Laws and subject to this Section 8.3, J. J. Keller will allow Client, no more frequently than annually, to conduct audits (including inspections) to verify J. J. Keller's compliance with its obligations under this DPA and/or applicable Data Protection Laws ("Client Audit"); provided, however, any such Client Audit, including, without limitation, any observations, conclusions, or other results of any such Client Audit and any documents reflecting the foregoing (collectively, "Client Audit Results"), shall only be used by Client to assess J. J. Keller's compliance with this DPA and/or the Data Protection Laws, and shall not be used for any other purpose or disclosed to any third party without J. J. Keller's prior written approval and, subject to express requirements under the Data Protection Laws to the contrary, upon J. J. Keller's request, Client shall return to J. J. Keller all such Client Audit Results in Client's possession or under its control.
- Client must send any requests to conduct a Client Audit of J. J. Keller to Compliance@jjkeller.com. Following J. J. Keller's receipt of such request, J. J. Keller and Client will discuss and agree in advance on the reasonable start date and duration of such Client Audit and the scope of J. J. Keller's technical and organizational measures in scope for such Client Audit. Notwithstanding the foregoing, unless otherwise agreed by J. J. Keller in writing, any Client Audit: (1) involving inspection of J. J. Keller's business offices or data centers shall be limited to such business offices or data centers where J. J. Keller Processes Client Personal Data for or on behalf of Client and shall expressly exclude inspection of or access to any premises and systems containing Personal Data J. J. Keller Processes on behalf of itself or any third party that is logically but not physically separated from Client Personal Data; (2) shall only occur during J. J. Keller's normal business hours; (3) shall be conducted in a manner that minimizes any disruptions to J. J. Keller's business operations; and (4) shall be subject to all confidentiality obligations set forth in the applicable Agreement(s) and this DPA and security measures in effect at the applicable business office or data center. For the avoidance of doubt, Client shall not have access to any information, including, without limitation, any Personal Data, of or relating to any other J. J. Keller customer or client.
- Except as otherwise expressly prohibited under the Data Protection Laws, J. J. Keller may charge a fee (based on J. J. Keller's reasonable costs) for any Client Audit conducted pursuant to this Section 8.3. Upon Client's written request, J. J. Keller will provide Client with further details of any applicable fee, and the basis of its calculation, in advance of the applicable Client Audit. Without limiting the foregoing, Client will be responsible for any fees charged by an auditor appointed by Client to perform any such Client Audit.
- J. J. Keller may object in writing to any auditor appointed by Client to conduct any Client Audit if the auditor is, in J. J. Keller's reasonable opinion, not suitably qualified or independent, a competitor of J. J. Keller, or otherwise manifestly unsuitable. Any such objection by J. J. Keller will require Client to appoint another auditor or conduct the Client Audit itself.
- Without limiting anything set forth in this Section 8.3, prior to conducting any Client Audit, Client shall undertake reasonable efforts to conduct any such Client Audit through a review of the Security Documentation in accordance with the procedures described in Section 8.2.
8.4 Additional Reviews Under CCPA.
- Solely to the extent required under the CCPA and solely with respect to J. J. Keller's Processing of Client Personal Data subject to the CCPA ("CCPA Data"):
- J. J. Keller grants Client the right, upon 14 days' prior written notice, to: (1) take reasonable and appropriate steps to help ensure that J. J. Keller uses CCPA Data it receives from the Client in a manner consistent with Client's obligations under the CCPA; and (2) take reasonable and appropriate steps to stop and remediate J. J. Keller's unauthorized use of CCPA Data; and
- subject to J. J. Keller's agreement, in J. J. Keller's sole and absolute discretion, no more frequently than annually, Client may monitor J. J. Keller's compliance with this DPA with respect to J. J. Keller's Processing of CCPA Data through additional measures that may include, without limitation, ongoing manual reviews, automated scans or other technical and operational testing.
- For clarity, except where prohibited under the CCPA:
- the rights set forth in Section 8.4.A shall be subject to any applicable limitations or requirements set forth in the applicable Agreement(s) or this DPA, including, without limitation, all confidentiality obligations set forth in the applicable Agreement(s) and, if applicable, exceptions to J. J. Keller's obligations to provide the Services in accordance with any service level agreement or other service level commitment; and
- under no circumstances shall Section 8.4.A.2 prohibit or otherwise preclude J. J. Keller from: (1) declining to agree to permit Client to perform any particular additional measure; or (2) conditioning J. J. Keller's agreement to permit Client to perform any particular additional measure on Client's agreement to comply with any restrictions or requirements specified by J. J. Keller.
8.5 Security Breach. In the event of a Security Breach, J. J. Keller will notify Client promptly and without undue delay after J. J. Keller discovers such Security Breach. Such notification of a Security Breach will be delivered to the notice address for Client provided in the applicable Agreement, or, at J. J. Keller's discretion, by telephone or other direct communication. J. J. Keller will provide reasonable assistance to Client to investigate, remediate, and mitigate the effects of a Security Breach and to comply with any requirements to notify affected Data Subjects, applicable Supervisory Authorities, or other third parties, all as and to the extent required under the Data Protection Laws.
9. Retention and Destruction of Client Personal Data
9.1 Return or Destruction. Without limitation, upon J. J. Keller's receipt of an applicable Client Instruction, the cessation of J. J. Keller's provision of the applicable portion of the Services under the applicable Agreement(s), or the expiration or earlier termination of the applicable Agreement(s), J. J. Keller will promptly, and in any event within one hundred eighty (180) days (or, if shorter, the maximum period permitted under the Data Protection Laws), at the election of the Client, return and/or delete, and procure for the deletion of, the applicable Client Personal Data (including any and all copies thereof), unless, subject to Section 9.2 below, J. J. Keller is required to retain such Client Personal Data pursuant to J. J. Keller's obligations under applicable laws; provided, however, Client acknowledges and agrees that J. J. Keller will securely erase or destroy any applicable Client Personal Data stored on J. J. Keller's backup or archive systems within twelve (12) months after the obligation to securely erase or destroy such Client Personal Data arose.
9.2 Retained Client Personal Data.
- In the event J. J. Keller is required or permitted to retain any Client Personal Data: (1) J. J. Keller shall Process the retained Client Personal Data solely to the extent necessary to comply with the applicable requirement or engage in the permitted activity; and (2) all such retained Client Personal Data shall remain subject to the terms of this DPA.
- Notwithstanding anything to the contrary in the applicable Agreement(s) or this DPA and without limiting any rights provided to J. J. Keller under the applicable Agreement(s), this DPA, or applicable Data Protection Laws, to the extent authorized or required by applicable law, J. J. Keller may retain one copy of Client Personal Data for: (1) evidentiary purposes; (2) the establishment, exercise, or defense of legal claims; and/or (3) compliance with legal obligations.
10. Additional Terms
10.1 Liability and Indemnification. With respect to any claim, loss, or liability based upon, arising out of, resulting from, or in any way connected with a Party's performance or breach of this DPA: (1) such Party shall only be obligated to indemnify, defend, and hold the other Party harmless to the extent such obligation is set forth in the applicable Agreement(s); and (2) each Party's total liability to the other Party is limited in accordance with the applicable limitations of liability set forth in the applicable Agreement(s).
10.2 Term. This DPA shall be effective as of the DPA Effective Date and continue in full force and effect until J. J. Keller ceases providing all Services to Client under and in accordance with the Agreement(s) (the "DPA Term"). The provisions of this DPA which by their nature are intended to survive the expiration or earlier termination of this DPA shall continue as valid and enforceable obligations of the Parties notwithstanding any such termination or expiration. Without limitation, the provisions regarding confidentiality, compliance with applicable laws, and restrictions on the Processing of Client Personal Data shall survive the expiration or earlier termination of this DPA.
10.3 Relationship to Agreement. This DPA shall be governed by and construed in accordance with the terms set out in the applicable Agreement(s) as if fully set forth herein. Without limiting anything set forth herein, the Parties acknowledge and agree that they have taken all actions (if any) required under each Agreement to incorporate this DPA into such Agreement. Any dispute arising out of this DPA shall be resolved as set out in the applicable Agreement(s). The requirements set forth in this DPA are in addition to, and not in lieu of, any similar requirements set forth in the applicable Agreement. Notwithstanding anything to the contrary in the applicable Agreement(s), to the extent of any conflict or inconsistency between the terms of this DPA and any Agreement, this DPA shall control. Except as set forth in this DPA, each and every Agreement remains in full force and effect, as amended, and is hereby ratified and confirmed in all respects.
10.4 Invalidity. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (1) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as completely as possible; or (2) if (1) is not possible, construed in a manner as if the invalid or unenforceable part had never been contained in this DPA.
10.5 Amendments. J. J. Keller may update or modify this DPA from time to time by, without limitation, posting a revised version of this DPA on J. J. Keller's website and publishing a general notice of such changes via the J. J. Keller website or, as applicable and feasible, through the Services. Subject to compliance with applicable laws, Client's access to or use of the Services after receiving notice of changes to this DPA, whether by general notice or direct notice provided by J. J. Keller to Client, shall constitute Client's acceptance of such updates or modifications.
10.6 Changes to Data Protection Laws. J. J. Keller and Client acknowledge that the Data Protection Laws as of the DPA Effective Date may change during the DPA Term. J. J. Keller and Client shall comply with any and all such changes to the extent applicable to the Processing of Client Personal Data under the Agreement and this DPA, including, without limitation, entering into any necessary amendments to this DPA and/or separate agreements to the extent necessary to comply with such changes.


