Impel adds WhatsApp messaging to AI-Powered Customer Lifecycle Management Platform | Read More

Impel adds WhatsApp messaging to AI-Powered Customer Lifecycle Management Platform | Read More

Data Processing Agreement

Updated May 28, 2024

This Data Processing Agreement (Agreement) is made and entered by and between Client, as a controller/business, whose name and address are set forth on the signature page, and Augmented Reality Concepts, Inc. (d/b/a Impel), located at 344 S. Warren St., Suite 200, Syracuse, NY 13202, as a processor/service provider (collectively the Parties). The Agreement is effective as of the last signature date of both parties (Effective Date) and governs the processing of personal data when Client uses Impel’s products and services and when the European Laws and/or the Data Protection Laws apply.

SECTION I

Clause 1

Purpose and scope

Clause 2

Invariability

Clause 3

Interpretation

Clause 4

Hierarchy

In the event of a contradiction between the Agreement and the provisions of related agreements between the Parties existing at the time when the Agreement is agreed or entered into thereafter, the Agreement shall prevail. Impel’s processing of personal data is subject to the Agreement, its T&C, its Privacy Notice, and its Cookie Notice.

SECTION II

OBLIGATIONS OF THE PARTIES

Clause 5

Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of Client, are specified in Annex II.

Clause 6

Obligations of the Parties

6.1.  Instructions

6.2.  Purpose limitation

Impel shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from Client.

6.3.  Duration of the processing of personal data

Processing by Impel shall only take place for the duration specified in Annex II.

6.4.  Security of processing

6.5.  Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (“sensitive data”), Impel shall apply specific restrictions and/or additional safeguards.

6.6.  Documentation and compliance

6.7.  Use of sub-processors/service providers

6.8.  International transfers

Clause 7

Assistance to the controller

Clause 8

Notification of personal data breach

In the event of a personal data breach, Impel shall cooperate with and assist Client for Client to comply with its obligations under the Data Protection Laws applicable to it, which may include Articles 33 and 34 of the GDPR, where applicable, taking into account the nature of processing and the information available to Impel.

8.1  Data breach concerning data processed by the controller

In the event of a personal data breach concerning data processed by Client, Impel shall assist Client:

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

8.2  Data breach concerning data processed by Impel

In the event of a personal data breach concerning data processed by Impel, Impel shall notify Client without undue delay after Impel has become aware of the breach. Such notification shall contain, at least:

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The Parties shall set out in Annex III all other elements to be provided by Impel when assisting Client in the compliance with Client’s obligations under the Data Protection Laws applicable to it, which may include Articles 33 and 34 of the GDPR.

SECTION III

FINAL PROVISIONS

Clause 9

Non-compliance and termination

Clause 10

Governing Law, Choice of Forum, and Jurisdiction

IN WITNESS WHEREOF, the Parties intending to be legally bound have signed the Agreement on the day and year below written.

CLIENT

Name/Date

AUGMENTED REALITY CONCEPTS, INC

Name/Date

ANNEX I

List of parties

Controller(s): Client

Processor(s): Augmented Reality Concepts, Inc. d/b/a Impel (f/k/a SpinCar)

ANNEX II

Description of the processing

Categories of Data Subjects whose personal data is processed

Categories of personal data processed

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None
Nature of the processing
Collection, transfer, entry, storage, analysis, matching, sharing, retrieval, combination
Purpose(s) for which the personal data is processed on behalf of the controller/business
Provision of digital marketing services to Impel customers
Duration of the processing
The default retention period is 3 years, but there are exceptions for some data sources.
For processing by (sub-)processors/service providers, also specify subject matter, nature and duration of the processing
The same as described above in this Annex II.

ANNEX III

Technical and organizational measures including technical and organizational measures to ensure the security of the data

Description of the technical and organizational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.

For transfers to (sub-)processors/service providers, also describe the specific technical and organizational measures to be taken by the (sub-)processor to be able to provide assistance to the controller

Impel maintains a vendor management policy with criteria for identifying key vendors, including those who process personal data.

Impel maintains a list of key vendors and performs vendor risk management.

Sub-processors must adhere to SCCs, DPAs or similar agreements that require technical and organisational measures at least as effective as Impel’s own.

Description of the specific technical and organizational measures to be taken by the processor/service provider to be able to provide assistance to the controller/business.

Policies and procedures are in place which require Impel to provide assistance to Client as required by the Agreement and the Data Protection Laws.

ANNEX IV

List of sub-processors

The name, address, contact person’s name, position and contact details, and description of the processing (including a clear delimitation of responsibilities) for each sub-processor can be found at https://impel.ai/subprocessors/.