Research for Good Terms and Conditions

Last Updated:  20 June 2024

Research For Good Inc (“RFG” or “our”) provides a unique, efficient and cost-effective sample source for our clients (“Client,” “you,” or “your”). By accessing or using RFG’s services (“Services”) and/or www.researchforgood.com (the “Site”) for any of your projects (each, a “Project”), you agree to these terms and conditions (“Agreement” or “Terms and Conditions”). Specifically, and without limitation, you acknowledge and agree that: 

A. Projects involving the use or collection of Personal Data (as defined in the Agreement) may be commissioned and administered through an RFG representative, but not unless expressly approved by RFG and conducted in accordance with this Agreement. YOU ACCEPT ALL TERMS AND CONDITIONS IN THIS AGREEMENT RELATED TO THE USE OR COLLECTION OF PERSONAL DATA, AND INDEMNIFY AND HOLD HARMLESS RFG AND ITS AFFILIATES, TOGETHER WITH THEIR OFFICERS, DIRECTORS, EMPLOYEES, AND RESPECTIVE SUCCESSORS AND ASSIGNS, AGAINST ANY LOSS, LIABILITY, CLAIM, DAMAGE OR EXPENSE ARISING DIRECTLY OR INDIRECTLY OUT OF YOUR BREACH OF THIS AGREEMENT (COLLECTIVELY, “CLAIMS”), REGARDLESS OF WHETHER SUCH CLAIMS ARE BASED ON CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY, OR ANY OTHER THEORY, WITHOUT LIMITATION. 

B. Use and collection of Personal Data is also governed by RFG’s Privacy Policy, which is incorporated into these Terms and Conditions by this reference.

C. You have read and accept all other terms and conditions in this Agreement.

WHEREAS Client wishes to retain RFG to provide Services, it is hereby agreed as follows:

1. DEFINITIONS. In this Agreement, the following words shall have the following meanings:

1.1. “Affiliate” means any entity owned, controlled by, or under common control of either Party.

1.2. “Agreement” means these Terms and Conditions and any schedules, addenda, insertion orders, riders, amendments, and similar attachments, together forming one complete agreement.

1.3. “Applicable Laws and Codes” refers to all applicable international, national, federal, state and/or local laws, rules, regulations, requirements, statutes, codes, decisions and opinions, including but not limited to the EU General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), other applicable US State privacy laws and regulations (including applicable laws and regulations in Virginia, Connecticut, Colorado and Utah), the German Federal Data Protection Act, U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the United States CAN-SPAM Act, the Gramm-Leach-Bliley Act (“GLBA”), the Children’s Online Privacy Protection Act (“COPPA”), the United States Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“PADFAA”), the ethical codes of the Insights Association (available at www.insightsassociation.org) and ESOMAR (available at www.esomar.org), and any amendments thereto.

1.4. “California Data” means Personal Data of California residents.

1.5. “Completes” are Surveys which a respondent has completed and have been accepted as such by RFG.

1.6. “Confidential Information” means technical information, business/financial information, management information, documentation, RFG pricing and related information, and any other information which (i) is stamped or otherwise marked as being confidential or proprietary, whether in written or electronic form; (ii) pertains in any way to either Party’s (or its Affiliates’) business plans, methods, or trade secrets; or (iii) otherwise is not generally known by any third parties, and which, considering the circumstances of the disclosure, the Receiving Party should reasonably understand as confidential or proprietary.

1.7. As they relate to the collection and Processing of Personal Data, the terms “Controller”, “Processor”, and “Processing” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

1.8. “Data Subject” shall have the same meaning as in GDPR. As it relates to California Data, it shall have the same meaning as “consumer” in CCPA.

1.9 “Deliverables” means all goods, items, equipment, and materials to be supplied as part of the Services which are supplied or created specifically for Client, including but not limited to Surveys, the results of Services required to conduct those Surveys, and samples required to enable those Surveys, but not including any goods, items, equipment, and/or materials that were not created specifically for Client.

1.10 “European Data” means Personal Data originating in the European Economic Area (“EEA”) or Switzerland, or other countries or jurisdictions recognizing GDPR (such locations collectively, the “EU Covered Areas”).

1.11 “Intellectual Property” means all patents, rights to inventions, copyright and related rights, moral rights, database rights, utility models, rights in designs, trademarks, service marks, trade names, domain names, rights in goodwill, rights in undisclosed or confidential information (such as know-how, trade secrets and inventions, whether patentable or not), trade secrets, and other similar or equivalent rights or forms of protection (whether registered or unregistered) and all applications (or rights to apply) for, and for renewals and extensions of, such rights as may now or in the future exist anywhere in the world.

1.12 “Party” means Client or RFG; “Parties” means both Client and RFG.

1.13 “Personal Data” shall have the same meaning as in the GDPR. As it relates to California residents, it shall have the same meaning as “personal information” in CCPA.

1.14 “Subprocessor” means any third party (including any Affiliate) appointed by or on behalf of a Party or its Affiliate to process Personal Data in connection with this Agreement.

1.15 “Surveys” means market research surveys that are conducted, whether online or via other methods, by RFG, its suppliers, or its clients, in which respondents are given the opportunity to participate.

 2. This Agreement commences upon the commission of the Services, and continues until a Project is completed or either Party terminates the Agreement. 

 3. SERVICE, PRICING, PRODUCT, QUALITY, RESTRICTIONS. 

3.1 Bidding and project management coverage by RFG will be as follows, and coverage outside of these hours is only available with advance request by Client and RFG’s express written consent: 

  • Pricing: 7am-11pm EST Monday-Friday
  • Project support: 24-hour coverage Monday-Friday and 8am-7pm EST on weekends.
  • For urgent assistance outside these hours please call (425) 610-7294

3.2 Estimates for sample and research services are valid for sixty (60) days from the date sent to the requestor. Projects commissioned more than sixty (60) days after estimate are subject to a re-quote which could result in a change of cost, feasibility or timing.

3.3. RFG has implemented the following data quality measures and will update as technology advancements require:

  • Digital fingerprinting
  • Google reCAPTCHA
  • “I Agree” validation
  • Filter questions
  • IP blocking of known proxy servers
  • Active detection of connections from proxy servers
  • IP filtering
  • Additional de-duplication and quality controls are the responsibility of the client/survey hosting company

3.4 Targeting and pre-screening are often utilized in addition to our targeting for basic demographic attributes. Unless otherwise discussed prior to project launch, Client agrees that RFG can use appropriate pre-screening questions to target respondents for individual Surveys.

3.5 RFG does not re-price Completes after delivery. Re-pricing can occur during or before, and will only apply to Completes on a go forward basis, not retroactively, unless mutually agreed by the Parties.

3.6 If Client’s Survey contains Confidential Information, Client agrees to include a non-disclosure agreement at the beginning of the Survey requiring Survey respondents to keep such Confidential Information, including but not limited to any Personal Data, strictly confidential, in accordance with the provisions of these Terms and Conditions.

3.7 RFG is not able to run re-contact studies unless they are discussed during the estimating process and approved in writing by RFG. RFG is unable, in any event, to contact respondents after delivery for the purpose of disputing security breaches.

3.8 RFG has no control over, and no liability for, any third party websites or materials. RFG may, from time to time, work with a number of partners and Affiliates (each, a “Partner”) whose Internet sites may be linked with the Site. Because neither RFG nor its Site has control over the content and performance of these Partner sites, RFG makes no guarantees about the accuracy, currency, content, or quality of the information provided by such sites, and RFG assumes no responsibility for unintended, objectionable, inaccurate, misleading, or unlawful content that may reside on those sites. Similarly, from time to time in connection with Client’s use of the Site, Client may have access to content items (including, but not limited to, websites) that are owned by third parties. Client acknowledges and agrees that RFG makes no guarantees for, and assumes no responsibility for, the accuracy, currency, content, or quality of this third party content, and that Client’s use of any and all third party content is governed by such third party’s terms and conditions. 

4. USE OF THE SITE BY CLIENT.

4.1 RFG imposes certain restrictions on the permissible use of the Site and related Services. Client is prohibited from violating or attempting to violate any security features of the Site or the related Services, including without limitation: (a) accessing content or data not intended for Client, collecting any personally identifiable information of or about any other user of the Site or the related Services, or logging onto a server or account that Client is not authorized to access; (b) using spiders, robots or other automated data mining techniques to catalogue, download, store or otherwise reproduce or distribute data or content available in connection with the Site or the related Services, or to manipulate the results of any Survey, prize draw or contest, or attempting to probe, scan, or test the vulnerability of the Site, or any associated system or network, or to breach security or authentication measures without proper authorization; (c) interfering or attempting to interfere with service to any user, host, or network, including, without limitation, by means of submitting a virus, corrupted data or any other harmful, disruptive or destructive code, file or information, including, but not limited to, spyware to the Site, overloading, “flooding,” “spamming,” “mail bombing,” or “crashing;” (d) using the Site to send unsolicited e-mail, including, without limitation, promotions, or advertisements for products or services; (e) opening, using, or maintaining more than one (1) membership account with RFG; (f) forging or masking your true identity; (g) framing a portion(s) of the Site within another website or altering the appearance of the Site; (h) establishing links from any other website to any page of, on or located within the Site, without the prior express written permission of RFG; (i) posting or transmitting any threatening, libelous, defamatory, obscene, pornographic, lewd, scandalous or inflammatory material or content or any material or content that could otherwise violate applicable laws; (j) forging any TCP/IP packet header or any part of the header information in any e-mail or in any posting; (k) attempting to modify, reverse-engineer, decompile, disassemble, reveal, disclose, or otherwise reduce or attempt to reduce to a human-perceivable form any of the source code used by RFG in providing the Site; (l) engaging in any criminal or illegal act(s); or (m) encouraging and/or advising any individual, including, but not limited to, any RFG employee, to commit any act(s) prohibited hereunder.

4.2 RFG reserves the right to terminate Client’s use of the Site at any time, for any reason. To ensure that RFG provides a high quality experience for Client and for other users of the Site, Client agrees that RFG or its representatives may access Client’s usage records on a case-by-case basis to investigate complaints or allegations of abuse, infringement of third party rights, or other unauthorized uses of the Site. RFG does not intend to disclose the existence or occurrence of such an investigation unless required by law, but RFG reserves the right to terminate Client’s account or access to the Site immediately, with or without notice, and without liability to Client, if RFG believes that Client has violated any of these Terms and Conditions, furnished RFG with false or misleading information, or interfered with use of the Site by others. 

4.3 Nothing contained in the Site should be understood as granting a license to use any of the trademarks, service marks, or logos owned by RFG or by any third party.

4.4 All contents of the Site are: Copyright © 2019 Research For Good Inc. All rights reserved. Client may use the Site’s or a partner’s content, service or software only as expressly authorized by RFG or its partner.

 5. PERSONAL, RESTRICTED, OR SENSITIVE DATA.

5.1 Per our Participant Privacy Policy, RFG does not collect, and cannot provide any third party with, a respondent’s Personal Data in a manner that is not compliant with Applicable Laws and Codes or with Research For Good’s Privacy Policy. 

5.2 Furthermore, Client agrees that it will not collect Personal Data without RFG’s express approval in advance of delivery.

5.3 Client understands that feasibility may be reduced, and ability to achieve targets negatively impacted, if Personal Data is requested or required.

5.4 If Client wishes to field a study with RFG which requires collection of Personal Data, Client assumes responsibility for collecting and verifying any necessary personal and/or contact information from the respondent within the fielding of the Survey itself.

5.5 Notwithstanding the foregoing, RFG prohibits delivery to Surveys which request or require Adverse Event reporting or disclosure of Personal Data after the close of fielding. RFG cannot be held liable in any manner for any Survey or data gathered therein pertaining to Adverse Event reporting. Use of RFG sample for such studies is at Client’s sole discretion, and full responsibility lies with Client regarding compliance with Adverse Event reporting and protocol. For the purposes of this section, the term “Adverse Event” shall have the meaning given to such term in 21 C.F.R. 312.32.

5.6 RFG reserves the right to suspend fielding for any study which is found to be collecting Personal Data from respondents if this was not discussed during the bidding or set-up of the Project.

6. CONFIDENTIALITY. 

6.1 Each Party shall receive in confidence (“Receiving Party”) from the other Party (“Disclosing Party”) and treat as confidential all Confidential Information. A Receiving Party shall use such information only for the purpose of and in accordance with this Agreement, and shall not further disclose such information to any third party, unless the prior written approval of the original Disclosing Party is granted at such Disclosing Party’s sole discretion. 

6.2 The restrictions of this Section shall not apply to any information that is: (i) lawfully received from another source free of restriction and without breach of this Agreement; (ii) published or generally available to the public without breach of this Agreement; (iii) known by the Receiving Party prior to the time of disclosure; (iv) independently developed by the Receiving Party without resort or access to the Confidential Information; or (v) has been expressly approved in writing by the Disclosing Party for further release by the Receiving Party.

6.3 Confidential Information shall remain the property of the Disclosing Party and shall be returned or destroyed upon written request.

7. FEES AND PAYMENT.

7.1 RFG will invoice fees in US Dollars to Client for Services that RFG has delivered in relation to a Project. 

7.2 Client will pay invoices within thirty (30) days of the date of Client’s receipt of such invoices.

7.3 Completes need to be confirmed and confirmed IDs provided to RFG within ten (10) days of the close of field.

7.4 Invoices not disputed within three (3) days of the invoice date are considered valid and are no longer open to review.

7.5 RFG accepts payments via wire or check payments in US Dollars only.

8. REPRESENTATIONS AND WARRANTIES, DISCLAIMERS.

8.1 Each Party represents, warrants, and during the Term of this Agreement covenants that it has full capacity and authority to enter into and perform its obligations under this Agreement, and that this Agreement shall constitute legal, valid and binding obligations. 

8.2 RFG HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, RELATING TO THE SERVICES. RFG IS MAKING ALL SERVICES AVAILABLE “AS IS”, AND CLIENT ASSUMES THE RISK OF ANY AND ALL DAMAGE OR LOSS FROM USE OF, OR INABILITY TO USE, THE SERVICES. TO THE MAXIMUM EXTENT PERMITTED BY LAW, RFG EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. RFG DOES NOT WARRANT THAT THE SERVICES WILL MEET YOUR REQUIREMENTS OR THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE.

8.3 Client represents, warrants, and during the Term of this Agreement covenants that: 

8.3.1 it holds all rights necessary to grant to RFG the rights granted hereunder;

8.3.2 any screener (“Screener”) or Survey used in connection with a Project, all content contained therein, and all elements thereof, do not, and when used, exploited and promoted by RFG hereunder, will not, infringe any applicable Intellectual Property rights (including without limitation copyrights, trademarks, trade secrets, moral rights, contract and licensing rights) of any third party;

8.3.3 the Screener or Survey, all content contained therein and all elements thereof, are in compliance with all Applicable Laws and Codes, do not contain defamatory or libelous material or violate the privacy or publicity rights of any person, and are not obscene;

8.3.4 the Screener or Survey is not fraudulent, misleading or deceptive;

8.3.5 the Screener or Survey, and the media on which any Screener or Survey is furnished to RFG, contain no virus, worm, contaminated file, Trojan horse, or the like;

8.3.6 the use of the data produced by the Project will not violate a respondent’s rights under any applicable law, ordinance or regulation, including those related to Intellectual Property and data privacy;

8.3.7 if the Project involves a product or device test, Client or other appropriate party has obtained all requisite approvals from the applicable governmental and/or regulatory authority and applicable provincial, state and local agencies for each consumer good, product or device sent to any person, and such consumer good, product or device complies with all applicable federal, state and local regulations, and the use of the Services and/or the Deliverables in accordance with this Agreement will not infringe the Intellectual Property rights of any third party; 

8.3.8 it is and will remain in compliance with all Applicable Laws and Codes; and

8.3.9 it has put in place, and shall maintain, reasonable physical and electronic security to prevent, and shall not permit, unauthorized access, destruction, use, modification or disclosure of Personal Data and/or Confidential Information.

9. INDEMNITY, LIMITATION OF LIABILITY.

9.1 Without limiting the foregoing, each Party (the “Indemnifying Party”) agrees to indemnify, defend and hold harmless the other Party (the “Indemnified Party”), its officers, agents, and employees from any and all liability, loss (including reasonable attorney’s fees), or damage they may suffer as the result of claims by third parties against them arising out of (a) the negligence, recklessness, or willful misconduct on the part of the Indemnifying Party, its officers, agents, employees, contractors or consultants in connection with this Agreement; or (b) a breach of Applicable Laws and Codes by the Indemnifying Party, its officers, agents, employees, contractors or consultants. RFG shall not be liable for any indirect, special, or consequential damages, including but not limited to any loss of profits (whether direct or indirect), loss of goodwill, loss of business, loss of revenue, loss of data, loss of anticipated savings, lost business opportunities, or any other speculative economic loss, regardless of the legal theories under which such damages are sought, and even if advised in advance of the possibility of such damages, arising out of any claim whatsoever, including without limitation the following:

9.1.1 Claims arising out of Client’s use of, or inability to use, any content, Services, Survey, documentation, instructions, technical specifications, or links provided by RFG or a Client under this Agreement; or

9.1.2 Claims arising out of Client’s use of, inability to use, connection with, or linking to any RFG or sponsor server.

9.2 Notwithstanding the foregoing, nothing in this Agreement shall exclude or limit RFG’s liability in respect of any claims for or from (a) any fraud, including but not limited to fraudulent misrepresentation; (b) liability which may not otherwise lawfully be limited or excluded; (c) any breach of terms related to Data Protection or third party Intellectual Property rights; provided, however, that liability shall be limited to fines and administrative fees arising from such breach. For the avoidance of doubt, nothing in this Agreement shall exclude or limit Client’s liability in respect of any claims.

9.3 Without limiting the foregoing, RFG’s maximum aggregate liability for a claim related in any way to and permitted by this Agreement, under any contract, negligence, tort, strict liability, or other theory, will be limited to the total amount paid by Client to RFG in the twelve (12) months prior to the occurrence of such claim.

10. INTELLECTUAL PROPERTY.

10.1 Client shall own the Intellectual Property rights in the Deliverables.

10.2 Nothing in this Agreement is intended to affect either Party’s ownership of materials developed by it independently of the Services. Where such materials are incorporated into the Deliverables, or are required to use or exploit the Services, RFG grants to Client a worldwide, non-exclusive, royalty-free license to use such materials, but only as necessary to obtain full benefit of the Services.

10.3 Neither Party shall, nor directly or indirectly encourage or knowingly permit any third party to, (a) modify, reverse engineer, decompile, disassemble, or attempt to derive the source code from any products or Services, software or documentation; (b) alter, modify, remove or obscure content served by the other Party in any way, including without limitation legal or proprietary rights notices associated with such content; or (c) create or attempt to create, through use of the other Party’s Confidential Information shared hereunder, any services similar to services provided by the other Party.  Additionally, it is agreed (a) that each Party owns all right, title, and interest in and to its own Intellectual Property and all information related to it, including without limitation serving technologies, program design, content, websites, software, computer code, and business processes; and (b) that neither Party acquires any rights or title to, interest in, or ownership of the Intellectual Property and related information of the other except for the explicit and limited rights expressly set forth in this Agreement. A Party’s ownership does not extend to materials licensed from third parties.

11. DATA PROTECTION. The following provisions shall apply to any and all Personal Data Processing activities carried out by each Party under this Agreement.

11.1 DEFINITIONS.

11.1.1 “Approved Transfer Mechanism” means that the recipient (a) receives European Data pursuant to a binding corporate rules authorization in accordance with applicable Data Protection Laws; (b) is located in the United States and has certified compliance to the EU-US or Swiss-US Privacy Shield (as applicable); or (c) transfers the data pursuant to another approved transfer mechanism, including but not limited to standard contractual clauses promulgated by the European authorities.

11.1.2 “Data Protection Laws” means all applicable data privacy laws, including without limitation GDPR and CCPA (as defined in Section 1.3).

11.1.3 “Restricted Transfer” means (a) a transfer of European Data from any Controller to a Processor; or (b) an onward transfer of European Data from a Processor to a Subprocessor, or between two establishments of a Processor, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of an Approved Transfer Mechanism.

11.2 DATA PROTECTION RESPONSIBILITIES

11.2.1 When Processing European Data, either Party may be a Controller within the meaning of GDPR Art. 4(7) and hence responsible for complying with Data Protection Laws applicable to Controllers, or a Processor within the meaning of GDPR Art. 4(8) and hence responsible for complying with Data Protection Laws applicable to Processors. The Parties agree that the data Processing activities carried out by each Party under this Agreement do not constitute a joint controllership pursuant to GDPR Art. 26.

11.2.2 Each Party shall collect, process, store, and transfer Personal Data in accordance with this Agreement and all Data Protection Laws, including without limitation by obtaining any consents required by GDPR and delivering all notices and privacy policy content required by CCPA. 

11.2.3 The Parties shall not process the Personal Data for secondary purposes which are incompatible with the purpose for which the Personal Data were initially collected.

11.2.4 A Party shall not share any Personal Data with the other Party that allows Data Subjects to be directly identified (for example by reference to their name and e-mail address) and/or that contains any special categories of European Data as such categories are contemplated by GDPR Art. 9(1).

11.2.5 A Party shall not share any Personal Data except as necessary to fulfill its obligations in connection with a Project.

11.2.6 The Parties shall not process European Data other than on the Controller’s documented instructions unless Processing is required by Applicable Laws and Codes to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws and Codes inform the Controller of that legal requirement before the relevant Processing of that European Data.

11.2.7 A Processor shall immediately inform the Controller if, in its opinion, an instruction from a Controller pursuant to this Section 11 infringes the GDPR or other data privacy law.

11.3 MEASURES TO ENSURE THE SECURITY OF PROCESSING. 

11.3.1 Each Party undertakes to observe the principles of data Processing and security of Processing in accordance with GDPR Articles 5 and 32. 

11.3.2 Each Party shall take all reasonably necessary measures to safeguard the Personal Data and the security of the Processing, in particular taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and to reduce possible adverse consequences for the affected parties. Measures to be taken include, but may not be limited to, measures to protect the confidentiality, integrity, availability and resilience of systems and measures to ensure continuity of Processing after incidents. In order to ensure an appropriate level of Processing security at all times, each Party shall regularly evaluate the measures implemented and make any necessary adjustments. In assessing the appropriate level of security, each Party shall take account of the risks that are presented by Processing, in particular from a Personal Data breach.

11.3.3 Each Party shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know and/or access the relevant Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Data Protection Laws in the context of that individual’s duties to the relevant Party, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

11.4 SUBPROCESSING.

11.4.1 Each Party may appoint Subprocessors in accordance with any restrictions in this Agreement, and shall promptly identify such Subprocessors to the other Party and in any event at least twenty-four (24) hours before Processing commences.

11.4.2 Each Party may continue to use those Subprocessors already engaged as of the date this Agreement is signed by such Party, subject to such Party as soon as practicable meeting the obligations set out in Section 11.4.4. 

11.4.3 Any objection to a Subprocessor shall be made promptly. If there is an objection (on reasonable grounds) to the appointment, neither Party nor an Affiliate shall appoint (nor disclose any Personal Data to) the proposed Subprocessor except with the prior written consent of the other Party. In the event consent is not granted, the Parties shall discuss in good faith commercially reasonable alternative solutions. If the Parties cannot reach resolution within a reasonable period of time, which shall not exceed thirty (30) days, the requesting Party will either not appoint or replace the Subprocessor or, if this is not possible, the applicable work may be cancelled.

11.4.4 With respect to each Subprocessor, each Party shall:

11.4.4.1 before the Subprocessor first processes Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Personal Data required by the Agreement;

11.4.4.2 ensure that the arrangement between the Processor and the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this Agreement and, if the Personal Data is European Data, meet the requirements of Article 28(3) of the GDPR;

11.4.4.3 if that arrangement involves a Restricted Transfer ensure that any transfers of European Data are subject to an Approved Transfer Mechanism; and

11.4.4.4 provide to Controller for review such copies of the Processors’ agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Agreement) as Controller may request from time to time.

11.4.5 Each Party shall ensure that each appointed Subprocessor performs its obligations as they apply to Processing of Personal Data, as if it were party to this Agreement.

11.5 RIGHTS OF DATA SUBJECTS.

11.5.1 Taking into account the nature of the Processing, each Party shall assist the other Party by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations, as reasonably understood by the Processor, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

11.5.2 Each Party shall:

11.5.2.1 promptly notify the other Party if it receives a request from a Data Subject in respect of Personal Data; and

11.5.2.2 ensure that the Processor does not respond to that request except on the documented instructions of Controller or as required by Applicable Laws and Codes to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws and Codes inform Controller of that legal requirement before the Processor responds to the request.

11.6 TRANSFER, RETURN AND DELETION OF PERSONAL DATA.

11.6.1 Each Party agrees that European Data shall not be transferred to a jurisdiction outside the EU Covered Areas unless the transfer is subject to an Approved Transfer Mechanism. 

11.6.2 Each Party, when they act as a Controller, has the sole and independent obligation (as between the Parties) to receive and manage Data Subject requests regarding their respective Personal Data, including without limitation any request to access, correct, amend, restrict Processing of, port, object to the Processing of, opt out of the sale of, block or delete Personal Data in a manner consistent with accepted standards. If applicable, and to the extent legally permitted, each Party will provide the other with reasonable cooperation and assistance in relation to handling of a Data Subject’s request.

11.6.3 Subject to Sections 11.6.4, 11.6.5, and 11.8.2, Processor shall promptly and in any event within ninety (90) days of the date of cessation of any Services involving the Processing of Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Personal Data.

11.6.4 Subject to Sections 11.6.5 and 11.8.2, Controller may in its absolute discretion by written notice to Processor within ten (10) days of the Cessation Date require Processor to (a) return a complete copy of all Personal Data to Controller by secure file transfer in such format as is reasonably notified by Controller to Processor; and (b) delete and procure the deletion of all other copies of Personal Data processed by any Processor or Subprocessor. Processor shall comply with any such written request within thirty (30) days of the Cessation Date.

11.6.5 A Processor may retain Personal Data to the extent required by Data Protection Laws and only to the extent and for such period as required by Data Protection Laws and always provided that Processor shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only processed as necessary for the purpose(s) specified in the Data Protection Laws requiring its storage and for no other purpose. 

11.6.6 Processor shall provide written certification to Controller that it has fully complied with this Section 11.6 within thirty (30) days of the Cessation Date.

11.7 SECURITY INCIDENT.

11.7.1 A Party shall promptly (within 24 hours of becoming aware) notify the other in writing of: (a) any actual or reasonably suspected breach of security, which when reasonably suspected poses a risk to the security, confidentiality or integrity of Personal Data; (b) any actual or reasonably suspected unauthorized access to or acquisition, use, loss, destruction, alteration, compromise or disclosure of any Personal Data; or (c) any circumstance pursuant to which Data Protection Law requires any notification of such breach to be given to affected parties or other activity in response to such circumstance (each, a “Security Incident”).

11.7.2 In any notification required under this Section, the notifying Party shall (at its own expense): (i) provide sufficient information to allow the other Party to meet any obligations to report or inform Data Subjects of the Security Incident under the Data Protection Laws, the measures taken or proposed to be taken to address the Security Incident and such other information as may be requested concerning the Security Incident; (ii) assist in investigating, remedying and taking any other action reasonably deemed necessary regarding any Security Incident and any dispute, inquiry or claim that concerns the Security Incident; (iii) take any other prompt actions to remediate and ensure that such Security Incident or potential Security Incident will not recur; and (iv) cooperate with any investigation of such Security Incident and execute all documents as may be reasonably requested to assist it to comply with obligations under Data Protection Laws insofar as they relate to any Personal Data and co-operate and comply with the directions or decisions of any competent Supervisory Authority (as defined in GDPR) in relation to such data.

11.7.3 Unless required under applicable law, the notifying Party shall not notify any Supervisory Authority or law enforcement agency directly of any breach and will not communicate with any Supervisory Authority or law enforcement agency directly about any actual or suspected Security Incident and shall allow the notified Party to manage all such communications. Unless prohibited by applicable law, the notifying Party shall also notify the other Party of any third party legal process relating to any Security Incident, including, but not limited to, any legal process initiated by any governmental entity (foreign or domestic). 

11.7.4 Without limiting the foregoing, the notified Party shall make the final decision on notifying (including the contents of such notice) the notified Party’s clients, employees, service providers, Data Subjects and/or the general public of such Security Incident, and the implementation of the remediation plan.

11.8 CALIFORNIA DATA.

11.8.1 Without limiting the foregoing, if a Party is collecting or transferring California Data to the other Party, that Party represents, warrants, and covenants that it has and/or shall provide Data Subjects with a CCPA-compliant notice at or before the point of collection which includes, or which links to a privacy policy which includes: (i) a list of the categories of Personal Data about Data Subjects to be collected; (ii) the business or commercial purpose(s) for which such Personal Data will be used; (iii) the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” required by CCPA, or in the case of offline notices, the web address for the webpage to which it links; and (iv) a link to that Party’s privacy policy, or in the case of offline notices, the web address of that Party’s privacy policy. The Parties shall not collect categories of Personal Data, and shall not use a Data Subject’s Personal Data, for any purpose other than those disclosed in the notice.

11.8.2 The Parties will record and retain, for a minimum of two (2) years after the expiration or termination of this Agreement, records of any notice to, and consent or request from, Data Subjects regarding the collection, disclosure, retention and use of California Data. Upon the other Party’s request, each Party shall make all records, appropriate personnel, and/or any location from which California Data can be accessed available for inspection to demonstrate compliance hereunder, provided that such inspection shall be carried out with reasonable notice during regular business hours and under a duty of confidentiality.

12. MISCELLANEOUS.

12.1 The relationship of the Parties under this Agreement is one of independent contractors, and no agency, partnership, joint venture, or similar relationship is created or may be construed.

12.2 This Agreement sets forth the entire agreement of the Parties and supersedes any and all prior oral or written agreements or understandings between the Parties as to the subject matter hereof. Only a writing signed by both Parties may change this Agreement.

12.3 If any provision of this Agreement shall be held to be invalid or unenforceable, such provision shall be stricken and the remainder of the Agreement shall remain in full force and effect to accomplish the intent and purpose of the Parties.  The Parties agree to negotiate the severed provision to bring it within the applicable legal requirements to the extent possible.

12.4 Any failure or delay by either Party to exercise any right, power or privilege hereunder or to insist upon observance or performance by the other Party of the provisions of this Agreement shall not operate or be construed as a waiver thereof.  No waiver shall be binding on either Party unless it is in writing and signed by an authorized representative of the Party to be bound.

12.5 RFG may, in its sole discretion and without prior notice, (a) revise these Terms and Conditions; (b) modify the Site and/or the related Services provided by RFG; and (c) discontinue the Site and/or such related Services at any time. RFG shall post any revision to these Terms and Conditions to the Site or elsewhere at RFG’s discretion, and the revision shall be effective immediately on such posting. Client agrees to review periodically these Terms and Conditions and other online policies posted on the Site or elsewhere in connection with the Services. Client agrees that, by continuing to use or access the Site or the Services following notice of any revision, Client shall abide by any such revision.

12.6 This Agreement and any disputes between the Parties shall be governed by and construed according to the laws of the United States and the State of Washington, without reference to their rules regarding conflicts of law.

12.7 Neither Party may make public statements about this Agreement or the Services provided hereunder without the written consent of the other. This notwithstanding, Client agrees that RFG may include Client’s name, logo, and/or URL in lists of representative suppliers (including website lists), marketing materials, investor or other presentations, financial reports and any materials prepared for RFG’s current or potential clients. 

12.8 To be effective, any notice or demand under this Agreement is required to be in writing and given by priority mail, confirmed email, or in-person delivery.