Former Cox Automotive and LivePerson Executive Skip Dowd Joins Impel as Senior Director, Partnerships | Read More

Former Cox Automotive and LivePerson Executive Skip Dowd Joins Impel as Senior Director, Partnerships | Read More

Data Processing Agreement

Updated May 2, 2023

This Data Processing Agreement (Agreement) is made and entered by and between Client, as a controller/business, whose name and address are set forth on the signature page, and Augmented Reality Concepts, Inc. (d/b/a Impel), located at 344 S. Warren St., Suite 200, Syracuse, NY 13202, as a processor/service provider (collectively the Parties). The Agreement is effective as of the last signature date of both parties (Effective Date) and governs the processing of personal data when Client uses Impel’s products and services and when the European Laws and/or the Data Protection Laws apply.

SECTION I

Clause 1

Purpose and scope

Clause 2

Invariability

Clause 3

Interpretation

Clause 4

Hierarchy

In the event of a contradiction between the Agreement and the provisions of related agreements between the Parties existing at the time when the Agreement is agreed or entered into thereafter, the Agreement shall prevail. Impel’s processing of personal data is subject to the Agreement, its T&C, its Privacy Notice, and its Cookie Notice.

SECTION II

OBLIGATIONS OF THE PARTIES

Clause 5

Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of Client, are specified in Annex II.

Clause 6

Obligations of the Parties

6.1.  Instructions

6.2.  Purpose limitation

Impel shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from Client.

6.3.  Duration of the processing of personal data

Processing by Impel shall only take place for the duration specified in Annex II.

6.4.  Security of processing

6.5.  Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (“sensitive data”), Impel shall apply specific restrictions and/or additional safeguards.

6.6.  Documentation and compliance

6.7.  Use of sub-processors

6.8.  International transfers

Clause 7

Assistance to the controller

    Clause 8

    Notification of personal data breach

    In the event of a personal data breach, Impel shall cooperate with and assist Client for Client to comply with its obligations under the Data Protection Laws, including Articles 33 and 34 of the GDPR, where applicable, taking into account the nature of processing and the information available to Impel.

    8.1  Data breach concerning data processed by the controller

    In the event of a personal data breach concerning data processed by Client, Impel shall assist Client:

    Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

    8.2  Data breach concerning data processed by the processor

    In the event of a personal data breach concerning data processed by Impel, Impel shall notify Client without undue delay after Impel has become aware of the breach. Such notification shall contain, at least:

    Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

    The Parties shall set out in Annex III all other elements to be provided by Impel when assisting Client in the compliance with Client’s obligations under the Data Protection Laws, including Articles 33 and 34 of the GDPR.

    SECTION III

    FINAL PROVISIONS

    Clause 9

    Non-compliance and termination

    Clause 10

    Governing Law, Choice of Forum, and Jurisdiction

    IN WITNESS WHEREOF, the Parties intending to be legally bound have signed the Agreement on the day and year below written.

    CLIENT

    Name/Date

    AUGMENTED REALITY CONCEPTS, INC

    Name/Date

    ANNEX I

    List of parties

    Controller(s): Client

    Processor(s): Augmented Reality Concepts, Inc. d/b/a Impel (f/k/a SpinCar)

    ANNEX II

    Description of the processing

    Categories of Data Subjects whose personal data is processed

    Categories of personal data processed

    Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

    None

    Nature of the processing

    Collection, transfer, entry, storage, analysis, matching, sharing, retrieval, combination

    Purpose(s) for which the personal data is processed on behalf of the controller/business

    Provision of digital marketing services to Impel customers

    Duration of the processing

    The default retention period is 3 years, but there are exceptions for some data sources.

    For processing by (sub-)processors/service providers, also specify subject matter, nature and duration of the processing

    The same as described above in this Annex II.

    ANNEX III

    Technical and organizational measures including technical and organizational measures to ensure the security of the data

    Description of the technical and organizational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.

    For transfers to (sub-)processors/service providers, also describe the specific technical and organizational measures to be taken by the (sub-)processor to be able to provide assistance to the controller

    Impel maintains a vendor management policy with criteria for identifying key vendors, including those who process personal data.

    Impel maintains a list of key vendors and performs vendor risk management.

    Sub-processors must adhere to SCCs, DPAs or similar agreements that require technical and organizational measures at least as effective as Impel’s own.

    Description of the specific technical and organizational measures to be taken by the processor/service provider to be able to provide assistance to the controller/business.

    Policies and procedures are in place which require Impel to provide assistance to Client as required by the Agreement and the Data Protection Laws.

    ANNEX IV

    List of sub-processors

    The name, address, contact person’s name, position and contact details, and description of the processing (including a clear delimitation of responsibilities) for each sub-processor can be found at https://impel.ai/subprocessors/.