Data Processing Addendum
This Data Processing Addendum ("DPA") governs how we process and protect personal data on behalf of our clients.
Last Updated: March 6, 2026
This Data Processing Addendum ("DPA") is part of the King & Company Consulting Master Services Agreement (the "Agreement") and is incorporated by reference into the Terms of Service. Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement. King & Company Consulting ("Provider," "we," "us") and the Client ("Client," "you," "your") are each a "Party" and together the "Parties."
1. Definitions
"Client Personal Data" means any personal data that Client provides to, or that is collected by, Provider in connection with the performance of services under the Agreement, including employee records, payroll data, benefits information, and any other personally identifiable information relating to Client's workforce, residents, patients, or other individuals.
"Data Protection Laws" means all applicable federal, state, and local laws, regulations, and binding obligations relating to the processing, privacy, and security of personal data, including without limitation the Massachusetts data security and breach notification law (M.G.L. c. 93H), HIPAA (where applicable), state breach notification laws, and any other applicable data protection regulations.
"Processing" (and its cognates "process," "processed," etc.) means any operation performed on Client Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.
"Security Breach" means any accidental or unlawful acquisition, destruction, loss, or alteration of, or any unauthorized disclosure of or access to, Client Personal Data.
"Sub-processor" means any third party that Provider engages to process Client Personal Data. A current list is maintained on our Sub-processors page.
2. Data Processing
2.1 Scope
This DPA applies when and to the extent Client Personal Data is processed by Provider in connection with the services provided under the Agreement. This includes, but is not limited to, payroll administration, HR operations, onboarding/offboarding, benefits management, compliance support, PBJ submissions, background checks, and AI workspace services.
2.2 Role of the Parties
With regard to the processing of Client Personal Data, Client acts as the data controller (or "business" under applicable state laws) and Provider acts as the data processor (or "service provider"). Provider will process Client Personal Data only on behalf of and in accordance with Client's documented instructions.
2.3 Compliance with Laws
Each Party will comply with all Data Protection Laws applicable to it in the performance of this DPA. Provider will not process Client Personal Data in a manner that would violate applicable Data Protection Laws.
2.4 Provider Obligations
Provider will: (a) process Client Personal Data only as necessary to perform the services under the Agreement and in accordance with Client's instructions; (b) not sell, share, or disclose Client Personal Data for any purpose other than the direct business relationship between the Parties; (c) not retain, use, or disclose Client Personal Data outside the scope of the Agreement; (d) treat Client Personal Data as confidential information under the Agreement; and (e) inform Client if, in Provider's opinion, an instruction from Client violates applicable Data Protection Laws.
3. Personnel and Security
Provider will ensure that all personnel engaged in the processing of Client Personal Data are informed of the confidential nature of such data, have received appropriate training on their responsibilities, and are bound by enforceable confidentiality obligations. Access to Client Personal Data is limited to those personnel who require such access to perform the services.
4. Client Responsibilities
Client will, in its use of the services: (a) process Client Personal Data in accordance with applicable Data Protection Laws; (b) ensure it has all necessary rights, consents, and legal bases to provide Client Personal Data to Provider for processing; (c) be responsible for the accuracy, quality, and legality of Client Personal Data; and (d) promptly notify Provider of any changes to applicable Data Protection Laws that may affect Provider's processing obligations.
5. Sub-processors
5.1 Use of Sub-processors
Client acknowledges and agrees that Provider may engage sub-processors to assist in the provision of services. Provider maintains a current list of sub-processors on our Sub-processors page. Provider will impose data protection obligations on each sub-processor that are no less protective than those set forth in this DPA.
5.2 Notification of Changes
Provider will notify Client of any intended changes to sub-processors by updating the Sub-processors page and, where practicable, by providing direct written notice at least 30 days before the new sub-processor begins processing Client Personal Data. Client may object to a new sub-processor by providing written notice within 15 days of notification, including reasonable grounds for the objection. The Parties will work in good faith to resolve any objection.
5.3 Liability
Provider will be liable for the acts and omissions of its sub-processors to the same extent Provider would be liable under this DPA if performing the services directly, to the extent permitted by applicable law.
6. Security Measures
Provider has implemented and will maintain appropriate technical and organizational security measures designed to protect Client Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
(a) Encryption of Client Personal Data in transit and at rest; (b) Access controls and authentication measures to prevent unauthorized access; (c) Regular security assessments and monitoring; (d) Secure data storage through vetted cloud infrastructure providers (see our Sub-processors page); (e) Incident detection and response procedures; and (f) Employee training on data protection and security practices.
7. Security Incident Management
7.1 Notification
Provider will notify Client without undue delay (and in no event later than 72 hours) after becoming aware of a Security Breach affecting Client Personal Data. Provider's notification will include, to the extent available: (a) the nature of the breach, including the categories and approximate number of records affected; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach; and (d) the contact details of Provider's designated point of contact.
7.2 Assistance
Provider will cooperate with Client and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of a Security Breach, including by providing the information Client needs to comply with its notification obligations under applicable Data Protection Laws, such as Massachusetts General Laws Chapter 93H (breach notification).
8. Data Subject Requests
Provider will promptly notify Client of any request received directly from an individual (employee, resident, patient, or other data subject) regarding their personal data, including requests for access, correction, deletion, or portability. Provider will not respond to such requests directly unless authorized by Client in writing. Provider will assist Client in fulfilling its obligations to respond to such requests in accordance with applicable Data Protection Laws.
9. Return and Deletion of Client Personal Data
Upon termination or expiration of the Agreement, or upon Client's written request, Provider will: (a) return all Client Personal Data to Client in a commonly used, machine-readable format; or (b) securely delete or destroy all Client Personal Data in Provider's possession or control, except where retention is required by applicable law or regulation. Provider will confirm deletion in writing upon Client's request. Provider will ensure its sub-processors comply with the same return and deletion obligations.
10. Service-Specific Data Processing
10.1 HR, Payroll & Compliance Services
When providing fractional HR, payroll administration, and compliance services, Provider may process the following categories of Client Personal Data: employee names, addresses, Social Security numbers, dates of birth, employment records, compensation and benefits data, tax withholding information, banking details for direct deposit, I-9 verification documents, workers' compensation records, and other data necessary for payroll processing and HR operations. This data is processed through the Client's designated HRIS/payroll platform (such as Rippling, iSolved, or Paragon) under the Client's account and authorization.
10.2 Senior Care / SNF Consulting Services
When providing senior care and skilled nursing facility consulting services, Provider may process: staff employment records, Payroll Based Journal (PBJ) submission data, background check information, staffing schedules, training and certification records, CMS compliance documentation, and survey readiness materials. Where Provider handles data that may be subject to HIPAA, a separate Business Associate Agreement (BAA) will govern such processing.
10.3 AI Consulting & Training Services
When providing AI consulting services, including custom AI workspace builds and workflow automation, Provider may process: Client SOPs, operational documents, policies, procedures, and other business content provided by Client for AI workspace configuration. Client is solely responsible for ensuring that any data uploaded to AI workspaces does not include personal data unless explicitly agreed upon in writing. See our AI Services Terms for additional terms governing AI data processing.
11. Limitation of Liability
Each Party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either Party's liability for willful misconduct, gross negligence, or violations of applicable Data Protection Laws that cannot be limited by contract.
12. General Provisions
This DPA is governed by the laws of the Commonwealth of Massachusetts. In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Client Personal Data. This DPA will remain in effect for as long as Provider processes Client Personal Data on behalf of Client.
For questions about this DPA or our data processing practices, contact us at hello@kingandco.consulting.