Data Processing Agreement

Updated May 2, 2023

This Data Processing Agreement (Agreement) is made and entered by and between Client, as a controller/business, whose name and address are set forth on the signature page, and Augmented Reality Concepts, Inc. (d/b/a Impel), located at 344 S. Warren St., Suite 200, Syracuse, NY 13202, as a processor/service provider (collectively the Parties). The Agreement is effective as of the last signature date of both parties (Effective Date) and governs the processing of personal data when Client uses Impel’s products and services and when the European Laws and/or the Data Protection Laws apply.

SECTION I

Clause 1

Purpose and scope

The purpose of the Agreement is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR), the Federal Data Protection Act of 19 June 1992 (Switzerland) and the revised Swiss Federal Data Protection Act effective September 1, 2023 (collectively Swiss FADP), the United Kingdom (UK) Data Protection Act 2018 and any replacement legislation implemented by the UK pursuant to the withdrawal of the UK from the EU (collectively UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, the Iowa Data Privacy Act, and any subsequent privacy laws enacted in the United States requiring data processing agreements (collectively Data Protection Laws).
The Parties have agreed to the Agreement in order to ensure compliance with the Data Protection Laws.
The Agreement applies to the processing of personal data as specified in Annex II only. Annexes I to IV are an integral part of the Agreement.
The Agreement is without prejudice to obligations to which Client is subject by virtue of the Data Protection Laws.
The Agreement does not by itself ensure compliance with obligations related to international transfers in accordance with Chapter V of the GDPR.

Clause 2

Invariability

The Parties undertake not to modify the Agreement, except for adding information to the Annexes or updating information in them.
This does not prevent the Parties from including the standard contractual clauses laid down in Commission Implementing Decision (EU) 2021/914 of 4 June 2021in a broader contract or from adding other provisions or additional safeguards provided that they do not directly or indirectly contradict the Agreement or detract from the fundamental rights or freedoms of Data Subjects.

Clause 3

Interpretation

Where the Agreement uses the terms defined in the GDPR, those terms shall have the same meaning as in the GDPR. The term “European Laws” means (a) the GDPR, and (b) any other European Union (EU) or Member State data protection laws, regulations and secondary legislation implementing the GDPR, including the Swiss FADP and the UK GDPR.
The Agreement shall be read and interpreted in the light of the provisions of the Data Protection Laws.
The Agreement shall not be interpreted in a way that runs counter to the rights and obligations provided for in the Data Protection Laws or in a way that prejudices the fundamental rights or freedoms of the data subjects, consumers, and analogous entities under Data Protection Laws (collectively Data Subjects).

Clause 4

Hierarchy

In the event of a contradiction between the Agreement and the provisions of related agreements between the Parties existing at the time when the Agreement is agreed or entered into thereafter, the Agreement shall prevail. Impel’s processing of personal data is subject to the Agreement, its T&C, its Privacy Notice, and its Cookie Notice.

SECTION II

OBLIGATIONS OF THE PARTIES

Clause 5

Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of Client, are specified in Annex II.

Clause 6

Obligations of the Parties

6.1. Instructions

Impel shall process personal data only on documented instructions from Client, unless required to do so by Data Protection Laws to which Impel is subject. In this case, Impel shall inform Client of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by Client throughout the duration of the processing of personal data. These instructions shall always be documented.
Impel shall comply with the Agreement and the Data Protection Laws and shall notify Client of any inability to comply with the Data Protection Laws.
Impel shall immediately inform Client if, in Impels opinion, instructions given by Client infringe the Data Protection Laws.
Impel is prohibited from:
- Selling or sharing the personal data it collects pursuant to the Agreement
- Retaining, using, or disclosing the personal data it collects pursuant to the Agreement for any commercial purpose other than the business purpose(s) specified in the Agreement unless expressly permitted by the Data Protection Laws
- Retaining, using, or disclosing the personal data it collects pursuant to the Agreement outside the direct business relationship between the Parties unless expressly permitted by the Data Protection Laws

6.2. Purpose limitation

Impel shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from Client.

6.3. Duration of the processing of personal data

Processing by Impel shall only take place for the duration specified in Annex II.

6.4. Security of processing

Impel shall at least implement the technical and organizational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks involved for the Data Subjects.
Impel shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing, and monitoring of the Agreement. Impel shall ensure that persons authorized to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.5. Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (“sensitive data”), Impel shall apply specific restrictions and/or additional safeguards.

6.6. Documentation and compliance

The Parties shall be able to demonstrate compliance with the Agreement.
Impel shall deal promptly and adequately with inquiries from Client about the processing of data in accordance with the Agreement.
Impel shall make available to Client all information necessary to demonstrate compliance with the obligations that are set out in the Agreement and stem directly from the Data Protection Laws. At Client’s request, Impel shall also permit and contribute to audits of the processing activities covered by the Agreement, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, Client may take into account relevant certifications held by Impel.
Client may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of Impel and shall, where appropriate, be carried out with reasonable notice.
If Impel chooses to conduct an independent audit, with Client’s consent, then the audit is at Impel’s expense and occurs at least once a year.
The Parties shall make the information referred to in Section 6.6, including the results of any audits, available to the competent regulators and supervisory authority/ies on request.

6.7. Use of sub-processors

Impel is authorized to engage (and to permit each sub-processor/service provider engaged in accordance with this Clause 6.7 and set out in the list in the link in Appendix IV to engage) sub-processors/service providers in accordance with this Clause 6.7. and set out in the list in the link in Appendix IV. If a new sub-processor/service provider is engaged or an existing sub-processor/service provider is removed, the list in the link in Appendix IV shall be updated. In order to receive alerts regarding such list updates, an email should be sent to support@impel.io with “Subscribe to sub-processor updates” as the subject. If there is an objection to the engagement or removal of a sub-processor/service provider, the objection must be expressed within thirty (30) days of receipt of such an alert email by the closing of Client’s account. Termination is Client’s sole and exclusive remedy if Client objects to the appointment of any new or the removal of any existing sub-processor/service provider, and any previously accrued rights and obligations will survive such termination. If objection is not made within such time period, then the addition of the new or the removal of the existing sub-processor/service provider shall be deemed accepted. The list of sub-processors/service providers, which shall be kept up to date, can be found in the link in Appendix IV.
Where Impel engages a sub-processor/service provider for carrying out specific processing activities (on behalf of Client), it shall do so by way of a contract which imposes on the sub-processor/service provider, in substance, the same data protection obligations as the ones imposed on Impel in accordance with the Agreement. Impel shall ensure that the sub-processor/service provider complies with the obligations to which Impel is subject pursuant to the Agreement and the Data Protection Laws.
At Client’s request, Impel shall provide a copy of such a sub-processor/service provider agreement and any subsequent amendments to Client. To the extent necessary to protect business secret or other confidential information, including personal data, Impel may redact the text of such agreement prior to sharing the copy.
Impel shall remain fully responsible to Client for the performance of the sub-processor’s/service provider’s obligations in accordance with the Agreement. Impel shall notify Client of any failure by the sub-processor/service provider to fulfill its contractual obligations.
Impel shall agree to a third-party beneficiary clause with the sub-processor/service provider whereby – in the event Impel has factually disappeared, ceased to exist in law or has become insolvent – Client shall have the right to terminate the sub-processor/service provider contract and to instruct the sub-processor/service provider to erase or return the personal data.

6.8. International transfers

Any transfer of data to a third country or an international organization by Impel shall be done only on the basis of documented instructions from Client or in order to fulfill a specific requirement under European Laws to which Impel is subject, including Chapter V of the GDPR.
Client agrees that where Impel engages a sub-processor/service-provider in accordance with Clause 6.7. for carrying out specific processing activities (on behalf of Client) and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, Impel and the sub-processor/service provider can ensure compliance with Chapter V of the GDPR. One method of ensuring such compliance is standard contractual clauses adopted by the Commission in accordance with Article 46(2) of the GDPR, provided the conditions for the use of those standard contractual clauses are met.

Clause 7

Assistance to the controller

Impel shall promptly notify Client of any request it has received from a Data Subject. It shall not respond to the request itself, unless authorized to do so by Client.
Impel shall assist Client in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), Impel shall comply with Client’s instructions.

In addition to Impel’s obligation to assist Client pursuant to Clause 7(b), Impel shall furthermore assist Client in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to Impel:
- the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (data protection impact assessment) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
- the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by Client to mitigate the risk;
- the obligation to ensure that personal data is accurate and up to date, by informing Client without delay if Impel becomes aware that the personal data it is processing is inaccurate or has become outdated;
- the obligations in the Data Protection Laws, including Article 32 of the GDPR.

The Parties shall set out in Annex III the appropriate technical and organizational measures by which Impel is required to assist Client in the application of the Agreement as well as the scope and the extent of the assistance required.

Clause 8

Notification of personal data breach

In the event of a personal data breach, Impel shall cooperate with and assist Client for Client to comply with its obligations under the Data Protection Laws, including Articles 33 and 34 of the GDPR, where applicable, taking into account the nature of processing and the information available to Impel.

8.1 Data breach concerning data processed by the controller

In the event of a personal data breach concerning data processed by Client, Impel shall assist Client:

in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after Client has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);

in obtaining the following information which, pursuant to the Data Protection Laws, including Article 33(3) of the GDPR, shall be stated in Client’s notification, and must at least include:

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

in complying, pursuant to the Data Protection Laws, including Article 34 of the GDPR, with the obligation to communicate without undue delay the personal data breach to the Data Subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

8.2 Data breach concerning data processed by the processor

In the event of a personal data breach concerning data processed by Impel, Impel shall notify Client without undue delay after Impel has become aware of the breach. Such notification shall contain, at least:

a description of the nature of the breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned);

the details of a contact point where more information concerning the personal data breach can be obtained;
its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

The Parties shall set out in Annex III all other elements to be provided by Impel when assisting Client in the compliance with Client’s obligations under the Data Protection Laws, including Articles 33 and 34 of the GDPR.

SECTION III

FINAL PROVISIONS

Clause 9

Non-compliance and termination

Client has the right to stop and remediate the unauthorized use of the personal data by Impel.
Without prejudice to any provisions of the Data Protection Laws, in the event that Impel is in breach of its obligations under the Agreement, Client may instruct Impel to suspend the processing of personal data until the latter complies with the Agreement or the Agreement is terminated. Impel shall promptly inform Client in case it is unable to comply with the Agreement, for whatever reason.
Client shall be entitled to terminate the Agreement insofar as it concerns processing of personal data in accordance with the Agreement if:
- the processing of personal data by Impel has been suspended by Client pursuant to point (a) and if compliance with the Agreement is not restored within a reasonable time and in any event within one month following suspension;
- Impel is in substantial or persistent breach of the Agreement or its obligations under the Data Protection Laws;
- Impel fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to the Agreement or to the Data Protection Laws.

Impel shall be entitled to terminate the Agreement insofar as it concerns processing of personal data under the Agreement where, after having informed Client that its instructions infringe applicable legal requirements in accordance with Clause 6.1 (b), Client insists on compliance with the instructions.
Following termination of the Agreement, Impel shall, at the choice of Client, delete all personal data processed on behalf of Client and certify to Client that it has done so, or, return all the personal data to Client and delete existing copies unless Data Protection Laws require storage of the personal data. Until the data is deleted or returned, Impel shall continue to ensure compliance with the Agreement.

Clause 10

Governing Law, Choice of Forum, and Jurisdiction

The Agreement shall be governed by and construed in accordance with the laws of the State of New York, without regard to the conflicts of laws rules of such state.
Client hereby submits to the nonexclusive jurisdiction of the United States District Court for the Southern District of New York and of any New York State court sitting in New York City for purposes of all legal proceedings arising out of or relating to the Agreement or the processing contemplated hereby. Client irrevocably waives, to the fullest extent permitted by law, any objection which it may now or hereafter have to the laying of the venue of any such proceeding brought in such a court and any claim that any such proceeding brought in such a court has been brought in an inconvenient forum.

IN WITNESS WHEREOF, the Parties intending to be legally bound have signed the Agreement on the day and year below written.

CLIENT

Name/Date

AUGMENTED REALITY CONCEPTS, INC

Name/Date

ANNEX I

List of parties

Controller(s): Client

Processor(s): Augmented Reality Concepts, Inc. d/b/a Impel (f/k/a SpinCar)

ANNEX II

Description of the processing

Categories of Data Subjects whose personal data is processed

Consumers who visit the websites of Impel customers
Consumers who submit inquiries to Impel customers
Business contacts at customers and prospective customers of Impel

Categories of personal data processed

IP address, unique identifier, browsing history
For users of Impel’s communication products: name, email address, phone number, any personal data that a consumer may disclose via web form, web chat, email or text message
For customers and prospective customers of Impel: business contact details

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None

Nature of the processing

Collection, transfer, entry, storage, analysis, matching, sharing, retrieval, combination

Purpose(s) for which the personal data is processed on behalf of the controller/business

Provision of digital marketing services to Impel customers

Duration of the processing

The default retention period is 3 years, but there are exceptions for some data sources.

For processing by (sub-)processors/service providers, also specify subject matter, nature and duration of the processing

The same as described above in this Annex II.

ANNEX III

Technical and organizational measures including technical and organizational measures to ensure the security of the data

Description of the technical and organizational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.

Impel has attained SOC 2 Type I certification.
Impel’s engineering team is trained on and follows secure software development life cycle practices.
Code developed by one engineer is reviewed by another before deployment.
Code undergoes testing before deployment.
Automated monitoring detects unexpected conditions that could indicate denial of service or similar attacks.
Customer-facing applications are hosted in major cloud providers’ secure data centers.
Impel conducts periodic network scans and remediates vulnerabilities.
Impel undergoes application penetration tests and remediates vulnerabilities.
Impel defines policies to secure office networks, computers and mobile devices.
New hires undergo background checks.
Employees receive initial and ongoing information security training.
Impel encrypts personal data at rest and in transit.

For transfers to (sub-)processors/service providers, also describe the specific technical and organizational measures to be taken by the (sub-)processor to be able to provide assistance to the controller

Impel maintains a vendor management policy with criteria for identifying key vendors, including those who process personal data.

Impel maintains a list of key vendors and performs vendor risk management.

Sub-processors must adhere to SCCs, DPAs or similar agreements that require technical and organizational measures at least as effective as Impel’s own.

Description of the specific technical and organizational measures to be taken by the processor/service provider to be able to provide assistance to the controller/business.

Policies and procedures are in place which require Impel to provide assistance to Client as required by the Agreement and the Data Protection Laws.

ANNEX IV

List of sub-processors

The name, address, contact person’s name, position and contact details, and description of the processing (including a clear delimitation of responsibilities) for each sub-processor can be found at https://impel.io/subprocessors/.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.