Data Processing Addendum

Updated February 13, 2025

This Data Processing Addendum (DPA) is made and entered by and between Customer, whose name and address are set forth in the Agreement, and the Impel Affiliate whose name is set forth in the Agreement (“Impel”) (collectively, the “Parties”). The DPA governs the processing of Personal Data when Customer uses Impel’s products and services and when Data Protection Laws apply.

1. Definitions. Defined terms used but not defined herein shall have the same meaning as the Agreement. Where the DPA uses other terms defined in GDPR, those terms shall have the same meaning as in GDPR. The use of terms set forth in GDPR does not mean that a Party has agreed to comply with GDPR unless the GDPR is applicable to it. The DPA shall be read and interpreted in the light of the provisions of the Data Protection Laws that require data processing agreements. The DPA shall not be interpreted in a way that runs counter to the rights and obligations provided for in the Data Protection Laws or in a way that prejudices the fundamental rights or freedoms of the data subjects, consumers, and analogous entities under Data Protection Laws (“Data Subjects”).

“Affiliate” of a party means any entity that is controlled by a party to this Agreement, so long as the control exists.

“Control” means direct or indirect control of more than 50% of the shares or other equity interests of the subject entity entitled to vote in the election of directors (or, in the case of an entity that is not a corporation, for the election or appointment of the corresponding managing authority). As to Customer, any reference to “Affiliate” herein is strictly limited to those Affiliates of Customer that qualify as a data controller with respect to the Personal Data and are permitted to use the Services pursuant to the Agreement but have not signed their own order form and are not a “Customer” as defined under the Agreement.

“Agreement” means the agreement for the provision of the Services.

“Controller” means the entity that determines the purposes and means of the processing of Personal Data, which for the purposes of this DPA is the Customer.

“Data Protection Laws” means the data protection laws applicable to the Personal Data in scope of this DPA including, but not limited to,: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), the Federal Data Protection Act of 19 June 1992 (Switzerland) and the revised Swiss Federal Data Protection Act effective September 1, 2023 (“Swiss FADP”), the United Kingdom (UK) Data Protection Act 2018 and any replacement legislation implemented by the UK pursuant to the withdrawal of the UK from the EU ( “UK GDPR”), the Australian Privacy Act 1988, the California Consumer Privacy Act as amended by the California Privacy Rights Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, the Iowa Data Privacy Act, the Indiana Consumer Data Protection Act, the Montana Consumer Data Privacy Act, the Tennessee Information Protection Act, and the Texas Data Privacy and Security Act and any subsequent privacy laws enacted in the United States requiring data processing agreements.

“Personal Data” means all data relating to individuals which is processed by Impel on behalf of the Customer under this DPA.

“Processor” means an entity that Processes Personal Data on behalf of the Controller, which for the purposes of this DPA is the Impel Affiliate identified in the Agreement.

2. Scope and hierarchy. Each Party has agreed to the DPA in order to ensure that it is in compliance with the Data Protection Laws applicable to it. The DPA applies to the processing of Personal Data as specified in Annex II only. Annex V applies to any Personal Data of United States Data Subjects. Annexes I to V are an integral part of the DPA. The DPA is without prejudice to obligations to which Customer is subject by virtue of the Data Protection Laws. In the event of a contradiction between the DPA and the provisions of related agreements between the Parties existing at the time when the DPA is agreed or entered into thereafter, the DPA shall prevail.

3. Description of processing. The details of the processing operations, in particular the categories of Personal Data and the purposes of processing for which the Personal Data is processed on behalf of Customer, are specified in Annex II.

4. Impel’s Obligations

4.1. Instructions. Impel shall process Personal Data only on documented instructions from Customer and for the specific purpose(s) of processing, as set out in Annex II, unless it receives further instructions from Customer, or is required to do so by Data Protection Laws to which Impel is subject. In this case, Impel shall inform Customer of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by Customer throughout the duration of the processing of Personal Data. These instructions shall always be documented. Impel shall immediately inform Customer if, in Impel’s opinion, instructions given by Customer infringe the Data Protection Laws applicable to it.

4.2. Duration of the processing of Personal Data. Processing by Impel shall only take place for the duration specified in Annex II.

4.3. Security of processing. Impel shall at least implement the technical and organizational measures specified in Annex III to ensure the security of the Personal Data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks involved for the Data Subjects. Impel shall grant access to the Personal Data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing, and monitoring of the Agreement. Impel shall ensure that persons authorized to process the Personal Data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.4. Documentation and compliance. The Parties shall be able to demonstrate compliance with the DPA Impel shall deal promptly and adequately with inquiries from Customer about the processing of Personal Data in accordance with the DPA and make available to Customer all information necessary to demonstrate compliance with the obligations that are set out in the DPA and stem directly from the Data Protection Laws applicable to it.

At Customer’s request, Impel shall also permit and contribute to audits of the processing activities covered by the DPA, once every calendar year or more frequently if there has been a data breach involving the Personal Data. Customer may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of Impel and shall be subject to 30 days written notice. Customer acknowledges that Impel’s obligations may be satisfied in whole or part by the provision to Customer of appropriate information; records; and certifications and audit reports issued by reputable independent third parties provided that there have been no material changes to the controls used by Impel since the certification or audit report was issued. If Impel chooses to conduct an independent audit, with Customer’s consent, then the audit is at Impel’s expense and occurs at least once a year. The Parties shall make the information referred to in this DPA, including the results of any audits, available to the competent regulators and supervisory authority/ies on request.

5. Use of sub-processors/service providers

5.1. Impel is authorized to engage (and to permit each sub-processor/service provider engaged in accordance with this DPA and set out in the list in the link in Appendix IV to engage) sub-processors/service providers (“Sub-processor”) in accordance with this DPA. and set out in the list in the link in Appendix IV. If a new Sub-processor is engaged or an existing Sub-processor is removed, the list in the link in Appendix IV shall be updated. In order to receive alerts regarding such list updates, an email should be sent to support@impel.ai with “Subscribe to sub-processor updates” as the subject. If there is an objection to the engagement or removal of a Sub-processor, the objection with reasonable grounds based on Data Protection Laws must be expressed within thirty (30) days of receipt of such an alert email in writing. Should Impel not be able to adjust its services and continue the provision of the services without the appointed Sub-processor, Customer may close its account. Termination is Customer’s sole and exclusive remedy if Customer objects to the appointment of any new or the removal of any existing Sub-processor, and any previously accrued rights and obligations will survive such termination. If objection is not made within such time-period, then the addition of the new or the removal of the existing Sub-processor shall be deemed accepted. The list of Sub-processors, which shall be kept up to date, can be found in the link in Appendix IV.

5.2. Where Impel engages a Sub-processor for carrying out specific processing activities on behalf of Customer, it shall do so by way of a contract which imposes on the Sub-processor, in substance, the same data protection obligations as the ones imposed on Impel in accordance with the Agreement. Impel shall ensure that the Sub-processor complies with the obligations to which Impel is subject pursuant to the Agreement and the Data Protection Laws applicable to it.

5.3. At Customer’s request, Impel shall provide a copy of such a Sub-processor agreement and any subsequent amendments to Customer. To the extent necessary to protect business secret or other confidential information, including personal data, Impel may redact the text of such agreement prior to sharing the copy.

5.4. Impel shall remain fully responsible to Customer for the performance of the Sub-processor’s obligations in accordance with the Agreement.

6. International transfers. Any transfer of data to a third country or an international organization by Impel shall be done only on the basis of documented instructions from Customer, including this DPA, or in order to fulfill a specific requirement under the Data Protection Laws to which Impel is subject, which may include Chapter V of the GDPR.

Customer agrees that where Impel engages a Sub-processor for carrying out specific processing activities on behalf of Customer and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, Impel and the Sub-processor can ensure compliance with Chapter V of the GDPR. One method of ensuring such compliance is standard contractual clauses adopted by the Commission in accordance with Article 46(2) of the GDPR, provided the conditions for the use of those standard contractual clauses are met.

To the extent Personal Data includes personal data from the EU and EEA by entering into the Agreement and this DPA, the Parties are deemed to have signed the EU Standard Contractual Clauses from June 4, 2021 (“SCCs”), including their annexes, attached hereto. To the extent the SCCs are entered into, the following options for Module 2 of the SCCs shall be used:

Clause 7. The optional docking does not apply.
Clause 9. Use of sub-processors Option 2: General written authorization is selected and the minimum time period for prior notice of sub-processor changes and the notification method have been agreed in section 6.5 of the DPA
Clause 11. The optional language does not apply.
Clause 17. Option 2 is selected and the Parties agree that this shall be Irish law.
Clause 18 (b). The Parties agree that any dispute arising from these Clauses shall be resolved by the courts of Ireland.
Clause 13. All square brackets in are hereby removed;
Annex I to this DPA contains the information required in Annex I of the SCCs;
Annex II to this DPA contains the information required in Annex II of the SCCs; and
Annex III to this DPA contains the information required in Annex III of the SCCs.

7. Customer Representations and Warranties. Customer hereby represents and warrants that it: (a) will comply with all Data Protection Laws applicable to Customer and any Personal Data provided to Impel for processing pursuant to the Agreement; (b) will ensure that its instructions to Impel for processing Personal Data comply with applicable Data Protection Laws; (c) will maintain appropriate disclosures and privacy policies, notice and consent mechanisms, and methods for handling Data Subject requests pursuant to applicable Data Protection Laws, in each case, that are consistent with applicable Data Protection Laws; (d) has all consents, authorizations, and rights required to transfer or disclose, and permit Impel to process, any and all Personal Data in connection with the Agreement; and (e) has and will have sole responsibility for the accuracy, quality, and legality of any and all Personal Data Processed by Impel. For the avoidance of doubt, to the extent Customer requests that Impel transfer Personal Data to any third parties on Customer’s behalf, Customer is solely responsible (x) for ensuring such data transfers comply with applicable Data Protection Laws, including that Customer has all necessary consents and rights to transfers such Personal Data and (y) ensuring that the third parties receiving such data comply with applicable Data Protection Laws and have implemented reasonable and appropriate safeguards for their processing of Personal Data. Customer will promptly notify Impel if it is unable to comply with any of its obligations under Section 7 or any Data Protection Laws.

8. Assistance to the controller

8.1. Impel shall promptly, and at latest within ten (10) business days, notify Customer of any request it has received from a Data Subject. It shall not respond to the request itself, unless authorized to do so by Customer.

8.2. Impel shall assist Customer in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), Impel shall comply with Customer’s instructions.

8.3. Impel shall furthermore assist Customer in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to Impel:

8.3.1. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (data protection impact assessment) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;

8.3.2. the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by Customer to mitigate the risk;

8.3.3. the obligation to ensure that personal data is accurate and up to date, by informing Customer without delay if Impel becomes aware that the personal data it is processing is inaccurate or has become outdated;

8.3.4. the obligations in the Data Protection Laws applicable to the Impel, which may include Article 32 of the GDPR.

8.4. The Parties shall set out in Annex III the appropriate technical and organizational measures by which Impel is required to assist Customer in the application of the Agreement as well as the scope and the extent of the assistance required.

9. Notification of personal data breach. In the event of a personal data breach, Impel shall cooperate with and assist Customer to comply with its obligations under the Data Protection Laws applicable to it, which may include Articles 33 and 34 of the GDPR, where applicable, taking into account the nature of processing and the information available to Impel.

10. Data breach concerning data processed by the controller.

10.1. In the event of a personal data breach concerning data processed by Customer, Impel shall reasonably assist Customer:

10.1.1. in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after Customer has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);

10.1.2. in obtaining the following information which, pursuant to the Data Protection Laws applicable to it, which may include Article 33(3) of the GDPR, shall be stated in Customer’s notification, and must at least include:

10.1.3. in obtaining the following information which, pursuant to the Data Protection Laws applicable to it, which may include Article 33(3) of the GDPR, shall be stated in Customer’s notification, and must at least include:

10.1.4. the likely consequences of the personal data breach;

10.1.5. the measures taken or proposed to be taken by Customer to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

10.2 Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay in complying, pursuant to the Data Protection Laws applicable to it, which may include Article 34 of the GDPR, with the obligation to communicate without undue delay the personal data breach to the Data Subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

11. Data breach concerning data processed by Impel

11.1 In the event of a personal data breach concerning data processed by Impel, Impel shall notify Customer without undue delay after Impel has become aware of the breach. Such notification shall contain, at least:

11.1.1. a description of the nature of the breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned);

11.1.2. the details of a contact point where more information concerning the personal data breach can be obtained;

11.1.3. the likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

11.2 Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

11.3 The Parties shall set out in Annex III all other elements to be provided by Impel when assisting Customer in the compliance with Customer’s obligations under the Data Protection Laws applicable to it, which may include Articles 33 and 34 of the GDPR.

12. Non-compliance, termination and expiration

12.1. Customer has the right to stop and remediate the unauthorized use of the Personal Data by Impel.

12.2. Without prejudice to any provisions of the Data Protection Laws applicable to the Impel, in the event that Impel is in breach of its obligations under the DPA, Customer may instruct Impel to suspend the processing of Personal Data until the latter complies with the DPA or the DPA is terminated. Impel shall promptly inform Customer in case it is unable to comply with the DPA, for whatever reason.

12.3. Customer shall be entitled to terminate the DPA insofar as it concerns processing of Personal Data in accordance with the Agreement if:

12.3.1. the processing of personal data by Impel has been suspended by Customer pursuant to point (a) and if compliance with the Agreement is not restored within a reasonable time and in any event within one month following suspension;

12.3.2. Impel is in substantial or persistent breach of the Agreement or its obligations under the Data Protection Laws applicable to it;

12.3.3. Impel fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to the Agreement or to the Data Protection Laws applicable to it.

12.4. Impel shall be entitled to terminate the Agreement insofar as it concerns processing of Personal Data under the Agreement where, after having informed Customer that its instructions infringe applicable legal requirements, Customer insists on compliance with the instructions

12.5 Following termination or expiration of the DPA, Impel shall, at the choice of Customer, delete all Personal data processed on behalf of Customer or, return all the personal data to Customer and delete existing copies unless Data Protection Laws applicable to it require storage of the personal data. Until the data is deleted or returned, Impel shall continue to ensure compliance with the DPA. In absence of the Customer’s instructions the Personal Data will be deleted according to Annex II.

13. Changes to the DPA. Any changes to the DPA shall be made in writing and signed by both Parties. Impel reserves the right to update the DPA if required by Data Protection Laws or in order to comply with its obligations related to transfers of Personal Data to third countries such as the EU Standard Contractual Clauses.

14. Limitation of Liability. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability in the Agreement, and any reference in provisions to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and the DPA together. For the avoidance of doubt, Impel, its Affiliates, and its Sub-processor’s total liability for all claims from Customer and all of its Controller Affiliates arising out of or related to the Agreement and the DPA shall apply in the aggregate for all claims under both the Agreement and the DPA.

15. Governing Law, Choice of Forum, and Jurisdiction. The Agreement shall be governed by and construed in accordance with the laws of the Agreement.

ANNEX I

List of parties

Controller(s): Customer

Processor(s): Augmented Reality Concepts, Inc. d/b/a Impel (f/k/a SpinCar)

ANNEX II

Description of the processing

Categories of Data Subjects whose personal data is processed

Consumers who visit the websites of Impel customers
Consumers who submit inquiries to Impel customers
Business contacts at customers and prospective customers of Impel

Categories of personal data processed

IP address, unique identifier, browsing history
For users of Impel’s communication products: name, email address, phone number, any personal data that a consumer may disclose via web form, web chat, email or text message
For customers and prospective customers of Impel: business contact details

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None

Nature of the processing

Collection, transfer, entry, storage, analysis, matching, sharing, retrieval, combination

Purpose(s) for which the personal data is processed on behalf of the controller/business

Provision of digital marketing services to Impel customers

Duration of the processing

The default retention period is 3 years, but there are exceptions for some data sources.

For processing by (sub-)processors/service providers, also specify subject matter, nature and duration of the processing

The same as described above in this Annex II.

ANNEX III

Technical and organizational measures including technical and organizational measures to ensure the security of the data

Description of the technical and organizational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.

Impel has attained SOC 2 Type I certification.
Impel’s engineering team is trained on and follows secure software development life cycle practices.
Code developed by one engineer is reviewed by another before deployment.
Code undergoes testing before deployment.
Automated monitoring detects unexpected conditions that could indicate denial of service or similar attacks.
Customer-facing applications are hosted in major cloud providers’ secure data centers.
Impel conducts periodic network scans and remediates vulnerabilities.
Impel undergoes application penetration tests and remediates vulnerabilities.
Impel defines policies to secure office networks, computers and mobile devices.
New hires undergo background checks.
Employees receive initial and ongoing information security training.
Impel encrypts personal data at rest and in transit.

For transfers to (sub-)processors/service providers, also describe the specific technical and organizational measures to be taken by the (sub-)processor to be able to provide assistance to the controller

Impel maintains a vendor management policy with criteria for identifying key vendors, including those who process personal data.

Impel maintains a list of key vendors and performs vendor risk management.

Sub-processors must adhere to SCCs, DPAs or similar agreements that require technical and organizational measures at least as effective as Impel’s own.

Description of the specific technical and organizational measures to be taken by the processor/service provider to be able to provide assistance to the controller/business.

Policies and procedures are in place which require Impel to provide assistance to Customer as required by the Agreement and the Data Protection Laws.

ANNEX IV

List of sub-processors

The name, address, contact person’s name, position and contact details, and description of the processing (including a clear delimitation of responsibilities) for each sub-processor can be found at https://impel.ai/subprocessors/.

ANNEX V

US States Data Laws Addendum

This US States Data Laws Addendum is entered into as of the date below, and is incorporated into and forms a part of the DPA

This US States Data Laws Addendum sets forth the terms and conditions relating to compliance with the following US States Privacy Laws and any regulations, amendments and/or updates thereto:

The California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act
The Virginia Consumer Data Privacy Act
The Colorado Data Privacy Act
The Connecticut Data Privacy Act
Utah Consumer Privacy Act
Oregon Consumer Privacy Act
Texas Data Privacy and Security Act
Delaware Personal Data Privacy Act
New Jersey Data Protection Act

In the event of a conflict between this US States Data Laws Addendum and the DPA, this US States Data Laws Addendum will prevail. Customer shall be responsible for complying with its own obligations as a business to the extent applicable under the US States Privacy Laws.

California

A. To the extent that Impel is Processing on behalf of Customer any personal information in scope of the CCPA:

Impel is prohibited from selling or sharing personal information it collects (as those terms are defined in the CCPA) pursuant to the Agreement;
The specific business purpose (as that term is defined in the CCPA) for which Impel is processing personal information pursuant to the Agreement is to provide, manage, operate and secure the Services, and Customer is disclosing the personal information to Impel only for the limited and specified business purpose set forth in the Agreement;
Impel is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any purpose other than for the business purpose specified in the Agreement or as otherwise permitted by the CCPA;
Impel is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any commercial purpose (as that term is defined in the CCPA) other than the business purposes specified in the Agreement, unless expressly permitted by the CCPA;
Impel is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement outside the direct business relationship between Impel and Customer, unless expressly permitted by the CCPA;
Impel is required to comply with all applicable sections of the CCPA, including – with respect to the personal information that Impel collected pursuant to the Agreement – providing the same level of privacy protection as required of businesses by the CCPA;
Impel grants Customer the right to take reasonable and appropriate steps to ensure that Impel uses the personal information that it collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the CCPA;
Impel is required to notify Customer after it makes a determination that it can no longer meet its obligations under the CCPA;
Impel grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate Impel’s unauthorized use of personal information; and
Impel is required to enable Customer to comply with consumer requests made pursuant to the CCPA or Customer is required to inform Impel of any consumer request made pursuant to the CCPA that they must comply with and provide the necessary information to Impel to comply with the request.

B. To the extent that either party sells to or shares with the other any personal information in scope of the CCPA:

The purposes for which the personal information is made available to and by Impel is to provide, manage, operate and secure the Services under the Agreement subject to the applicable party’s applicable privacy policy;
The personal information is made available to the receiving party only for the limited and specified purposes set forth in the Agreement and is required to be used only for those limited and specified purposes;
The receiving party is required to comply with applicable sections of the CCPA, including – with respect to the personal information that is made available to the receiving party – providing the same level of privacy protection as required of businesses by the CCPA;
The disclosing party is granted the right – with respect to the personal information that is made available to Impel – to take reasonable and appropriate steps to ensure that the receiving party uses the personal information in a manner consistent with the disclosing party’s obligations under the CCPA;
The disclosing party is granted the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information made available to the receiving party; and
The receiving party is required to notify the other party after it makes a determination that it can no longer meet its obligations under the CCPA.

Other US States

To the extent that Impel is processing on behalf of Customer any personal data in scope of Virginia Consumer Data Privacy Act, Colorado Data Privacy Act, the Connecticut Data Privacy Act, Utah Consumer Privacy Act, Oregon Consumer Privacy Act, Texas Data Privacy and Security Act, Delaware Personal Data Privacy Act or New Jersey Data Protection Act, the following provisions shall apply:

Instruction. Customer hereby instructs Service Provider to process Personal Information solely for purposes of performing the Processing Services during the term of the Agreement and any applicable survival period for which Service Provider has obligations under such Agreement.
Confidentiality Agreements. All employees and personnel of Service Provider must be subject to a written duty of confidentiality with respect to the Processing Services including but not limited to regarding the Personal Information and the processing thereof.
Service Provider Obligations. Upon Customer’s reasonable request, Service Provider shall cooperate with Customer and provide information in a timely manner to Customer to (i) enable Customer to conduct and document data protection assessments and cooperate with reasonable audits by Customer or a qualified independent auditor; (ii) demonstrate Service Provider’s compliance with its obligations under the applicable US State Act; (iii) take appropriate technical and organizational measures to fulfil consumer rights requests made to Customer; and (iv) help meet Customer’s obligations in relation to any data security and/or data breach notification.
De-Identified Information. If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.
Sub-Processors. If Service Provider engages any sub-processors of Personal Information then Service Provider shall notify Customer of such engagement in writing and ensure (and confirm to Customer) that there is a written contract between Service Provider and the sub-processor that binds the sub-processor to all of the contractual requirements and obligations imposed on the Service Provider under the Agreement and/or this Addendum. Service Provider shall be responsible for any breach of this Addendum by its sub-processors as if such breach were a breach by Service Provider.
Return and Delete. Upon Customer’s request, Service Provider shall delete or return all Personal Information to Customer as requested at the end of the performance of Processing Services, unless retention of the Personal Information is required by Laws and then only to the extent required.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.