Data Processing Agreement
Updated May 28, 2024
This Data Processing Agreement (Agreement) is made and entered by and between Augmented Reality Concepts, Inc. (d/b/a Impel), located at 344 S. Warren St., Suite 200, Syracuse, NY 13202, as a processor/service provider, and Vendor, whose name and address are set forth on the signature page, as a sub-processor/service provider (collectively the Parties). The Agreement is effective as of the last signature date of both parties (Effective Date) and governs the processing of personal data when Impel engages Vendor to carry out specific processing activities and when the European Laws and/or the Data Protection Laws apply.
SECTION I
Clause 1
Purpose and scope
- The purpose of the Agreement is to ensure that each Party is in compliance with the requirements of all laws and regulations applicable to it. These laws and regulations may include: Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR), the Federal Data Protection Act of 19 June 1992 (Switzerland) and the revised Swiss Federal Data Protection Act effective September 1, 2023 (collectively Swiss FADP), the United Kingdom (UK) Data Protection Act 2018 and any replacement legislation implemented by the UK pursuant to the withdrawal of the UK from the EU (collectively UK GDPR), the Australian Privacy Act 1988, the California Consumer Privacy Act as amended by the California Privacy Rights Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, the Iowa Data Privacy Law, the Indiana Consumer Data Protection Act, the Montana Consumer Data Privacy Act, the Tennessee Information Protection Act, and the Texas Data Privacy and Security Act and any subsequent privacy laws enacted in the United States requiring data processing agreements (collectively Data Protection Laws).
- Each Party has agreed to the Agreement in order to ensure that it is in compliance with the Data Protection Laws applicable to it.
- The Agreement applies to the processing of personal data as specified in Annex II only. Annexes I to IV are an integral part of the Agreement.
- The Agreement is without prejudice to obligations to which the Parties are subject by virtue of the Data Protection Laws applicable to them.
- The Agreement does not by itself ensure compliance with obligations related to international transfers in accordance with Chapter V of the GDPR.
Clause 2
Invariability
- The Parties undertake not to modify the Agreement, except for adding information to the Annexes or updating information in them.
- This does not prevent the Parties from including the standard contractual clauses laid down in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 in a broader contract or from adding other provisions or additional safeguards provided that they do not directly or indirectly contradict the Agreement or detract from the fundamental rights or freedoms of Data Subjects.
Clause 3
Interpretation
- Where the Agreement uses the terms defined in the GDPR, those terms shall have the same meaning as in the GDPR. The use of terms set forth in the GDPR does not mean that a Party has agreed to comply with the GDPR unless the GDPR is applicable to it. The term “European Laws” means (a) the GDPR, and (b) any other European Union (EU) or Member State data protection laws, regulations and secondary legislation implementing the GDPR, including the Swiss FADP and the UK GDPR.
- The Agreement shall be read and interpreted in the light of the provisions of the Data Protection Laws that require data processing agreements.
- The Agreement shall not be interpreted in a way that runs counter to the rights and obligations provided for in the Data Protection Laws or in a way that prejudices the fundamental rights or freedoms of the data subjects, consumers, and analogous entities under the Data Protection Laws (collectively Data Subjects).
Clause 4
Hierarchy
In the event of a contradiction between the Agreement and the provisions of related agreements between the Parties existing at the time when the Agreement is agreed or entered into thereafter, the Agreement shall prevail. Impel’s processing of personal data is subject to the Agreement, its T&C, its Privacy Notice, and its Cookie Notice.
SECTION II
OBLIGATIONS OF THE PARTIES
Clause 5
Description of processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller/business, Impel’s Client, are specified in Annex II.
Clause 6
Obligations of the Parties
6.1. Instructions
- Impel has informed Vendor that it acts as processor under the instructions of its Client, which Impel must make available to Vendor prior to processing.
- Vendor must process personal data only on documented instructions from Impel’s Client as communicated to Vendor by Impel, and any additional documented instructions from Impel. Such additional instructions shall not conflict with the instructions from Impel’s Client. Impel’s Client or Impel may give further documented instructions regarding the data processing throughout the duration of the Agreement.
- Vendor shall immediately inform Impel if it is unable to follow those instructions. Where Vendor is unable to follow the instructions from Impel’s Client, Impel either will obtain a modification in the instructions from its Client or will terminate the Agreement.
- The Parties are prohibited from:
  - Selling or sharing the personal data collected pursuant to Impel’s written agreement with its Client
  - Retaining, using, or disclosing the personal data collected pursuant to Impel’s agreement with its Client for any commercial purpose other than the business purpose(s) specified in the Agreement unless permitted by the Data Protection Laws applicable to them
  - Retaining, using, or disclosing the personal data collected pursuant to Impel’s agreement with its Client outside the direct business relationship between Impel and its Client, unless expressly permitted by the Data Protection Laws applicable to them
6.2. Purpose limitation
Vendor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless on further instructions from Impel’s Client, as communicated to Vendor by Impel, or from Impel.
6.3. Duration of the processing of personal data
Processing by Vendor shall only take place for the duration specified in Annex II. After the end of the provision of the processing services, Vendor shall, at the choice of Impel, delete all the personal data processed on behalf of Impel’s Client and certify to Impel that it has done so, or return to Impel all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, Vendor shall continue to ensure compliance with the Agreement. In case of local laws applicable to Vendor that prohibit return or deletion of the personal data, Vendor warrants that it will continue to ensure compliance with the Agreement and will only process the personal data to the extent and for as long as required under that local law.
6.4. Security of processing
- Vendor shall implement appropriate technical and organizational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context, and purpose(s) of the processing, and the risks involved in the processing for the Data Subjects. The Parties shall, in particular, consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymization, the additional information for attributing the personal data to a specific Data Subject shall, where possible, remain under the exclusive control of Impel or Impel’s Client. In complying with its obligations under this paragraph, Vendor shall at least implement the technical and organizational measures specified in Annex III. Vendor shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
- Vendor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing, and monitoring of the Agreement. Vendor shall ensure that persons authorized to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- In the event of a personal data breach concerning the personal data processed by Vendor under the Agreement, Vendor shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. Vendor shall also notify, without undue delay, Impel after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of Data Subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
- Vendor shall cooperate with and assist Impel to enable Impel to comply with its obligations under the Data Protection Laws applicable to it, in particular Impel’s obligation to notify its Client so that the latter may in turn notify the competent supervisory authority, and the affected Data Subjects, taking into account the nature of the processing and the information available to the Parties.
6.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (“sensitive data”), Vendor shall apply the specific restrictions and/or additional safeguards set out in Annex III.
6.6. Documentation and compliance
- The Parties shall be able to demonstrate compliance with the Agreement. In particular, Vendor shall keep appropriate documentation on the processing activities carried out on Impel’s behalf.
- Vendor shall deal promptly and adequately with inquiries from Impel or Impel’s Client that relate to the processing of data in accordance with the Agreement.
- Vendor shall make all information necessary to demonstrate compliance with the obligations set out in the Agreement available to Impel, which may provide the information to its Client.
- Vendor shall allow for and contribute to the audits by Impel of the processing activities covered by the Agreement, at reasonable intervals or if there are indications of non-compliance.
- Impel may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of Vendor and shall, where appropriate, be carried out with reasonable notice.
- Where the audit is carried out on the instruction of Impel’s Client, Vendor shall make the results available to Impel.
- The Parties shall make the information referred to in Section 6.6, including the results of any audits, available to the competent regulators and supervisory authority/ies on request.
6.7. Use of sub-processors/service providers
- Vendor has Impel’s general authorization to engage sub-processors/service providers. Vendor shall maintain on its website a list of the sub-processors/service providers it engages, shall in Annex IV inform Impel in writing of the address where that list is maintained, and shall alert Impel of any changes in that list through the addition or replacement of sub-processors/service providers.
- Since Impel is engaging Vendor to carry out specific processing activities (on behalf of Impel’s Client), any sub-processor/service provider engaged by Vendor shall be required to render its services by way of a contract which imposes on such sub-processor/service provider, in substance, the same data protection obligations as the ones binding on Vendor in accordance with the Agreement.
- Vendor agrees that at the request of Impel’s Client, Impel may provide a copy of the Agreement and any subsequent amendments to Impel’s Client. At Vendor’s request, to the extent necessary to protect business secrets or other confidential information, including personal data, Impel may redact the text of the Agreement prior to sharing the copy.
- The Vendor agrees to a third-party beneficiary clause whereby – in the event Vendor has factually disappeared, ceased to exist in law or has become insolvent – Impel shall have the right to terminate the Agreement and to instruct the sub-processor/service provider to erase or return Impel’s Client’s personal data.
6.8. International transfers
- Any transfer of data to a third country or an international organization by Impel shall be done only on the basis of documented instructions from its Client or in order to fulfill a specific requirement under the Data Protection Laws to which Impel is subject, including Chapter V of the GDPR.
- Where Impel engages Vendor in accordance with Clause 6.7 for carrying out specific processing activities (on behalf of Impel’s Client) and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, Impel and Vendor agree to ensure compliance with Chapter V of the GDPR. One method of ensuring such compliance is by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of the GDPR, provided the conditions for the use of those standard contractual clauses are met.
Clause 7
Assistance to the controller
- (a) Vendor shall promptly notify Impel of any request it has received from a Data Subject. Vendor shall not respond to the request itself, unless authorized to do so by Impel.
- (b) Vendor shall assist Impel in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights under the Data Protection Laws. In this regard, the Parties shall set out in Annex III the appropriate technical and organizational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
- (c) In fulfilling its obligations in accordance with (a) and (b), Vendor shall comply with the instructions of Impel’s Client as communicated by Impel.
SECTION III
FINAL PROVISIONS
Clause 8
Non-compliance and termination
- (a) Vendor shall promptly inform Impel if it is unable to comply with the Agreement, for whatever reason.
- (b) Without prejudice to any provisions of the Data Protection Laws applicable to it, in the event that Vendor is in breach of its obligations under the Agreement or unable to comply with the Agreement, Impel shall suspend the processing of personal data by Vendor until Vendor complies with the Agreement or the Agreement is terminated.
- (c) Impel shall be entitled to terminate the Agreement insofar as it concerns processing of personal data in accordance with the Agreement where:
  - the processing of personal data by Vendor has been suspended by Impel pursuant to point (b) and if compliance with the Agreement is not restored within a reasonable time and in any event within one month following suspension;
  - Vendor is in substantial or persistent breach of the Agreement or its obligations under the Data Protection Laws applicable to it;
  - Vendor fails to comply with a binding decision of a competent court or the competent regulator or supervisory authority/ies regarding its obligations pursuant to the Agreement or to the Data Protection Laws applicable to it.
In these cases, where required, Impel shall inform the competent regulator or supervisory authority and its Client of such non-compliance.
Clause 9
Governing Law, Choice of Forum, and Jurisdiction
- The Agreement shall be governed by and construed in accordance with the laws of the State of New York, without regard to the conflicts of laws rules of such state.
- Vendor hereby submits to the nonexclusive jurisdiction of the United States District Court for the Southern District of New York and of any New York State court sitting in New York City for purposes of all legal proceedings arising out of or relating to the Agreement or the processing contemplated hereby. Vendor irrevocably waives, to the fullest extent permitted by law, any objection which it may now or hereafter have to the laying of the venue of any such proceeding brought in such a court and any claim that any such proceeding brought in such a court has been brought in an inconvenient forum.
IN WITNESS WHEREOF, the Parties, intending to be legally bound, have signed the Agreement on the day and year below written.
VENDOR
Name/Date
AUGMENTED REALITY CONCEPTS, INC.
Name/Date
ANNEX I
List of parties
Processor/Service Provider: Augmented Reality Concepts, Inc. d/b/a Impel
Sub-Processor/Service Provider: Vendor
ANNEX II
Description of the processing
Categories of Data Subjects whose personal data is processed
Individuals who use Impel’s Products and Services
Categories of personal data processed
[TO BE COMPLETED]
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data are processed.
Nature of the processing
[TO BE COMPLETED]
Purpose(s) for which the personal data is processed on behalf of the processor/service-provider on behalf of the controller/business
[TO BE COMPLETED]
Duration of the processing
[TO BE COMPLETED]
ANNEX III
Technical and organizational measures including technical and organizational measures to ensure the security of the data
Description of the technical and organizational security measures implemented by the (sub)processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.
[TO BE COMPLETED]
For transfers to (sub-)processors/service providers, also describe the specific technical and organizational measures to be taken by the (sub-)processor to be able to provide assistance to the controller
[TO BE COMPLETED]
Description of the specific technical and organizational measures to be taken by the (sub)processor/service provider to be able to provide assistance to the processor/service provider
[TO BE COMPLETED]
ANNEX IV
Address of Vendor’s list of sub-processors/service providers
The name, address, contact person’s name, position and contact details, and description of the processing (including a clear delimitation of responsibilities) for each sub-processor can be found at [TO BE COMPLETED].