Responsibility Works Terms of Service
Last Updated: March 21, 2023
Welcome, and thank you for your interest in Foundation for Advancing Alcohol Responsibility ("FAAR," "we," or "us,") and our website at www.responsibiilty.org, along with our related websites, and other services provided by us (collectively, the "Service"). These Terms of Service are a legally binding contract between you and FAAR regarding your use of the Service.
PLEASE READ THE FOLLOWING TERMS CAREFULLY:
BY CLICKING "I ACCEPT," OR OTHERWISE ACCESSING OR USING THE SERVICE, YOU AGREE THAT YOU HAVE READ AND UNDERSTOOD, AND, AS A CONDITION TO YOUR USE OF THE SERVICE, YOU AGREE TO BE BOUND BY, THE FOLLOWING TERMS AND CONDITIONS, INCLUDING RESPONSIBILITY WORKS PRIVACY POLICY AND DATA PROCESSING AGREEMENT (TOGETHER, THESE "TERMS"). IF YOU ARE NOT ELIGIBLE, OR DO NOT AGREE TO THE TERMS, THEN YOU DO NOT HAVE OUR PERMISSION TO USE THE SERVICE. YOUR USE OF THE SERVICE, AND FAAR'S PROVISION OF THE SERVICE TO YOU, CONSTITUTES AN AGREEMENT BY FAAR AND BY YOU TO BE BOUND BY THESE TERMS.
ARBITRATION NOTICE. Except for certain kinds of disputes described in Section 15 (Dispute Resolution and Arbitration), you agree that disputes arising under these Terms will be resolved by binding, individual arbitration, and BY ACCEPTING THESE TERMS, YOU AND FAAR ARE EACH WAIVING THE RIGHT TO A TRIAL BY JURY OR TO PARTICIPATE IN ANY CLASS ACTION OR REPRESENTATIVE PROCEEDING.
- FAAR Service Overview. Responsibility Works is a web-based alcohol education program that has content relating to alcohol moderation, safety, and making responsible decisions in connection with alcohol use.
- Employer-Users. Employer-users ("Employers") can use Responsibility Works as an internal training tool for their employee users ("Employees"). Employers can register Employees through a Responsibility Works program dashboard and select which units to share with Employees to complete.
- Employee-Users. Employees can interact with the Service by participating in assigned units, answering multiple choice quiz questions at the end of each section, and otherwise engaging with the Content.
- Eligibility. You must be at least 18 years old to use the Service. By agreeing to these Terms, you represent and warrant to us that: (a) you are at least 18 years old; (b) you have not previously been suspended or removed from the Service; and (c) your registration and your use of the Service is in compliance with any and all applicable laws and regulations. If you are an entity, organization, or company, the individual accepting these Terms on your behalf represents and warrants that they have authority to bind you to these Terms and you agree to be bound by these Terms.
- Accounts and Registration
- Employer-Users. To access most features of the Service, you must register for an account. When you register for an account, you may be required to provide us with some information about yourself, such as your organization name, type of company, address, email address, phone number, number of employees, membership status, full name of your designated contact, or other contact information. You agree that the information you provide to us is accurate, complete, and not misleading, and that you will keep it accurate and up to date at all times. Depending on your organization's subscription, you may be asked to create a password when you register. If a password is required, you are solely responsible for maintaining the confidentiality of your account and password, and you accept responsibility for all activities that occur under your account. If you believe that your account is no longer secure, then you should immediately notify us at [email protected]. If a password is not required upon registration, you will sign in using a third-party authentication service.
- Employee-Users. Your Employer will provide you with a registration link to access the Service, and you will be responsible for maintaining and keeping all information you provide to us during registration current, accurate, and secure, including your password. You are solely responsible for maintaining the confidentiality of your account and password, and you accept responsibility for all activities that occur under your account. If you believe that your account is no longer secure, then you should immediately notify us at [email protected].
- Licenses.
- Limited License. Subject to your complete and ongoing compliance with these Terms, FAAR grants you, solely for your personal, non-commercial use, a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access and use the Service.
- License Restrictions. Except and solely to the extent such a restriction is impermissible under applicable law, you may not: (a) reproduce, distribute, publicly display, publicly perform, or create derivative works of the Service; (b) make modifications to the Service; or (c) interfere with or circumvent any feature of the Service, including any security or access control mechanism. If you are prohibited under applicable law from using the Service, then you may not use it.
- Content License. You hereby grant FAAR a worldwide, non-exclusive, irrevocable, royalty-free, fully paid right and license (with the right to sublicense through multiple tiers) to any content or materials you submit or otherwise upload to the Service in order to provide the Service or otherwise improve FAAR's products or services.
- Feedback. We respect and appreciate the thoughts and comments from our users If you choose to provide input and suggestions regarding existing functionalities, problems with or proposed modifications or improvements to the Service ("Feedback"), then you hereby grant FAAR an unrestricted, perpetual, irrevocable, non-exclusive, fully-paid, royalty-free right and license to exploit the Feedback in any manner and for any purpose, including to improve the Service and create other products and services. We will have no obligation to provide you with attribution for any Feedback you provide to us.
- Ownership; Proprietary Rights. The Service is owned and operated by FAAR. The educational and interactive content within the site, including any text, audio, videos, games, learning modules, surveys, questions, and quizzes (collectively, the "Content"), and the visual interfaces, graphics, design, compilation, information, data, computer code (including source code or object code), products, software, services, and all other elements of the Service provided by FAAR (together with the Content, "Materials") are protected by intellectual property and other laws. All Materials included in the Service are the property of FAAR or its third-party licensors. Except as expressly authorized by FAAR, you may not make use of the Materials. There are no implied licenses in these Terms and FAAR reserves all rights to the Materials not granted expressly in these Terms.
- Third-Party Terms
- Third-Party Services and Linked Websites. FAAR may provide tools through the Service that enable you to export information to third-party services, including through features that allow you to link your account on the Service with an account on the third-party service, or through our implementation of third-party buttons (such as "like" or "share" buttons). By using one of these tools, you hereby authorize that FAAR to transfer that information to the applicable third-party service. Third-party services are not under FAAR's control, and, to the fullest extent permitted by law, FAAR is not responsible for any third-party service's use of your exported information. The Service may also contain links to third-party websites. Linked websites are not under FAAR's control, and FAAR is not responsible for their content. Please be sure to review the terms of use and privacy policy of any third-party services before you share any information with such third-party services. Once sharing occurs, FAAR will have no control over the information that has been shared.
- Third-Party Software. The Service may include or incorporate third-party software components that are generally available free of charge under licenses granting recipients broad rights to copy, modify, and distribute those components ("Third-Party Components"). Although the Service is provided to you subject to these Terms, nothing in these Terms prevents, restricts, or is intended to prevent or restrict you from obtaining Third-Party Components under the applicable third-party licenses or to limit your use of Third-Party Components under those third-party
- Communications. We may send you emails concerning our products and services, as well as those of third parties. You may opt out of promotional emails by following the unsubscribe instructions in the promotional email itself.
- Prohibited Conduct. BY USING THE SERVICE, YOU AGREE NOT TO:
- use the Service for any illegal purpose or in violation of any local, state, national, or international law;
- allow or facilitate unauthorized users to use the Services;
- harass, threaten, demean, embarrass, bully, or otherwise harm any other user of the Service;
- violate, encourage others to violate, or provide instructions on how to violate, any right of a third party, including by infringing or misappropriating any third-party intellectual property right;
- attempt to capture, store or share any images, files or information accessed within the site using any form of storage, screen capture software or devices (including any type of image recording device), or screen sharing software or devices;
- access, search, or otherwise use any portion of the Service through the use of any engine, software, tool, agent, device, or mechanism (including spiders, robots, crawlers, and data mining tools) other than the software or search agents provided by FAAR;
- interfere with security-related features of the Service, including by: (i) disabling or circumventing features that prevent or limit use, printing or copying of any content; or (ii) reverse engineering or otherwise attempting to discover the source code of any portion of the Service except to the extent that the activity is expressly permitted by applicable law;
- interfere with the operation of the Service or any user's enjoyment of the Service, including by: (i) uploading or otherwise disseminating any virus, adware, spyware, worm, or other malicious code; (ii) making any unsolicited offer or advertisement to another user of the Service; (iii) collecting personal information about another user or third party without consent; or (iv) interfering with or disrupting any network, equipment, or server connected to or used to provide the Service;
- perform any fraudulent activity including impersonating any person or entity, claiming a false affiliation or identity, or accessing any other Service account without permission;
- sell or otherwise transfer the access granted under these Terms or any Materials (as defined in Section 4.5 Ownership; Proprietary Rights) or any right or ability to view, access, or use any Materials; or
- attempt to do any of the acts described in this Section 7 (Prohibited Conduct) or assist or permit any person in engaging in any of the acts described in this Section 7 (Prohibited Conduct)
- Monitor Usage. FAAR reserves the right to take any reasonable steps to monitor your access to and use of the Service for compliance with these Terms.
- Modification of Terms. We may, from time to time, change these Terms. Please check these Terms periodically for changes. Revisions will be effective immediately except that, for existing users, material revisions will be effective 30 days after posting or notice to you of the revisions unless otherwise stated. We may require that you accept modified Terms in order to continue to use the Service. If you do not agree to the modified Terms, then you should discontinue your use of the Service. Except as expressly permitted in this Section 9 (Modification of Terms), these Terms may be amended only by a written agreement signed by authorized representatives of the parties to these Terms.
- Term, Termination, and Modification of the Service
- Term. These Terms are effective beginning when you accept the Terms or first access or use the Service and ending when terminated as described in Section 10.2 (Termination).
- Termination. If you violate any provision of these Terms, then your authorization to access the Service and these Terms automatically terminate. In addition, FAAR may, at its sole discretion, terminate these Terms or your account on the Service, or suspend or terminate your access to the Service, at any time for any reason or no reason, with or without notice, and without any liability to you arising from such termination. You may terminate your account and these Terms at any time by contacting customer service at [email protected].
- Effect of Termination. Upon termination of these Terms: (a) your license rights will terminate and you must immediately cease all use of the Service; (b) you will no longer be authorized to access your account or the Service; and (d) Sections 4.5 (Ownership; Proprietary Rights), 10.3 (Effect of Termination), 12 (Indemnity), 13 (Disclaimers; No warranties by FAAR), 14(Limitation of Liability), 15 (Dispute Resolution and Arbitration), and 16 (Miscellaneous) will survive. If your account has been terminated for a breach of these Terms, then you are prohibited from creating a new account on the Service using a different name, email address or other forms of account verification.
- Modification of the Service. FAAR reserves the right to modify or discontinue all or any portion of the Service at any time (including by limiting or discontinuing certain features of the Service), temporarily or permanently, without notice to you. FAAR will have no liability for any change to the Service, including any paid-for functionalities of the Service, or any suspension or termination of your access to or use of the Service.
- Indemnity. To the fullest extent permitted by law, you are responsible for your use of the Service, and you will defend and indemnify FAAR, its affiliates and their respective shareholders, directors, managers, members, officers, employees, consultants, and agents (together, the "FAAR Entities") from and against every claim brought by a third party, and any related liability, damage, loss, and expense, including attorneys' fees and costs, arising out of or connected with: (1) your unauthorized use of, or misuse of, the Service; (2) your violation of any portion of these Terms, any representation, warranty, or agreement referenced in these Terms, or any applicable law or regulation; (3) your violation of any third-party right, including any intellectual property right or publicity, confidentiality, other property, or privacy right; or (4) any dispute or issue between you and any third party. We reserve the right, at our own expense, to assume the exclusive defense and control of any matter otherwise subject to indemnification by you (without limiting your indemnification obligations with respect to that matter), and in that case, you agree to cooperate with our defense of those claims.
- Disclaimers; No warranties by FAAR
- THE SERVICE AND ALL MATERIALS AND CONTENT AVAILABLE THROUGH THE SERVICE ARE PROVIDED "AS IS" AND ON AN "AS AVAILABLE" BASIS. FAAR DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, RELATING TO THE SERVICE AND ALL MATERIALS AND CONTENT AVAILABLE THROUGH THE SERVICE, INCLUDING: (a) ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUIET ENJOYMENT, OR NON-INFRINGEMENT; AND (b) ANY WARRANTY ARISING OUT OF COURSE OF DEALING, USAGE, OR TRADE. FAAR DOES NOT WARRANT THAT THE SERVICE OR ANY PORTION OF THE SERVICE, OR ANY MATERIALS OR CONTENT OFFERED THROUGH THE SERVICE, WILL BE UNINTERRUPTED, SECURE, OR FREE OF ERRORS, VIRUSES, OR OTHER HARMFUL COMPONENTS, AND FAAR DOES NOT WARRANT THAT ANY OF THOSE ISSUES WILL BE CORRECTED.
- NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM THE SERVICE OR FAAR ENTITIES OR ANY MATERIALS OR CONTENT AVAILABLE THROUGH THE SERVICE WILL CREATE ANY WARRANTY REGARDING ANY OF THE FAAR ENTITIES OR THE SERVICE THAT IS NOT EXPRESSLY STATED IN THESE TERMS. WE ARE NOT RESPONSIBLE FOR ANY DAMAGE THAT MAY RESULT FROM THE SERVICE AND YOUR DEALING WITH ANY OTHER SERVICE USER. YOU UNDERSTAND AND AGREE THAT YOU USE ANY PORTION OF THE SERVICE AT YOUR OWN DISCRETION AND RISK, AND THAT WE ARE NOT RESPONSIBLE FOR ANY DAMAGE TO YOUR PROPERTY (INCLUDING YOUR COMPUTER SYSTEM OR MOBILE DEVICE USED IN CONNECTION WITH THE SERVICE) OR ANY LOSS OF DATA.
- THE LIMITATIONS, EXCLUSIONS AND DISCLAIMERS IN THIS SECTION 13 (DISCLAIMERS; NO WARRANTIES BY FAAR) APPLY TO THE FULLEST EXTENT PERMITTED BY LAW. FAAR does not disclaim any warranty or other right that FAAR is prohibited from disclaiming under applicable law.
- Limitation of Liability
- TO THE FULLEST EXTENT PERMITTED BY LAW, IN NO EVENT WILL THE FAAR ENTITIES BE LIABLE TO YOU FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, OR ANY OTHER INTANGIBLE LOSS) ARISING OUT OF OR RELATING TO YOUR ACCESS TO OR USE OF, OR YOUR INABILITY TO ACCESS OR USE, THE SERVICE OR ANY MATERIALS OR CONTENT ON THE SERVICE, WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), STATUTE, OR ANY OTHER LEGAL THEORY, AND WHETHER OR NOT ANY FAAR ENTITY HAS BEEN INFORMED OF THE POSSIBILITY OF DAMAGE.
- EXCEPT AS PROVIDED IN SECTIONS 15.5 (COMMENCING ARBITRATION) AND 15.7 (ARBITRATION RELIEF) AND TO THE FULLEST EXTENT PERMITTED BY LAW, THE AGGREGATE LIABILITY OF THE FAAR ENTITIES TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THE USE OF OR ANY INABILITY TO USE ANY PORTION OF THE SERVICE OR OTHERWISE UNDER THESE TERMS, WHETHER IN CONTRACT, TORT, OR OTHERWISE, IS LIMITED TO THE GREATER OF: (a) THE AMOUNT YOU HAVE PAID TO FAAR FOR ACCESS TO AND USE OF THE SERVICE IN THE 12 MONTHS PRIOR TO THE EVENT OR CIRCUMSTANCE GIVING RISE TO THE CLAIM AND (b) US $100.
- EACH PROVISION OF THESE TERMS THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS INTENDED TO AND DOES ALLOCATE THE RISKS BETWEEN THE PARTIES UNDER THESE TERMS. THIS ALLOCATION IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. EACH OF THESE PROVISIONS IS SEVERABLE AND INDEPENDENT OF ALL OTHER PROVISIONS OF THESE TERMS. THE LIMITATIONS IN THIS SECTION 14.3 (LIMITATION OF LIABILITY) WILL APPLY EVEN IF ANY LIMITED REMEDY FAILS OF ITS ESSENTIAL PURPOSE.
- Dispute Resolution and Arbitration
- Generally. Except as described in Section 15.2 (Exceptions) and 15.3 (Opt-Out), you and FAAR agree that every dispute arising in connection with these Terms, the Service, or communications from us will be resolved through binding arbitration. Arbitration uses a neutral arbitrator instead of a judge or jury, is less formal than a court proceeding, may allow for more limited discovery than in court, and is subject to very limited review by courts. This agreement to arbitrate disputes includes all claims whether based in contract, tort, statute, fraud, misrepresentation, or any other legal theory, and regardless of whether a claim arises during or after the termination of these Terms. Any dispute relating to the interpretation, applicability, or enforceability of this binding arbitration agreement will be resolved by the arbitrator.
YOU UNDERSTAND AND AGREE THAT, BY ENTERING INTO THESE TERMS, YOU AND FAAR ARE EACH WAIVING THE RIGHT TO A TRIAL BY JURY OR TO PARTICIPATE IN A CLASS ACTION. - Exceptions. Although we are agreeing to arbitrate most disputes between us, nothing in these Terms will be deemed to waive, preclude, or otherwise limit the right of either party to: (a) bring an individual action in small claims court; (b) pursue an enforcement action through the applicable federal, state, or local agency if that action is available; (c) seek injunctive relief in a court of law in aid of arbitration; or (d) to file suit in a court of law to address an intellectual property infringement claim.
- Opt-Out. If you do not wish to resolve disputes by binding arbitration, you may opt out of the provisions of this Section 15 (Dispute Resolution and Arbitration) within 30 days after the date that you agree to these Terms by sending a letter to Foundation for Advancing Alcohol Responsibility, Attention: Legal Department - Arbitration Opt-Out, 1250 I Street NW #400, Washington, DC 20005 that specifies: your full legal name, the email address associated with your account on the Service, and a statement that you wish to opt out of arbitration"Opt-Out Notice". Once FAAR receives your Opt-Out Notice, this Section 15 (Dispute Resolution and Arbitration) will be void and any action arising out of these Terms will be resolved as set forth in Section 16.2 (Governing Law). The remaining provisions of these Terms will not be affected by your Opt-Out Notice.
- Arbitrator. This arbitration agreement, and any arbitration between us, is subject the Federal Arbitration Act and will be administered by the JAMS under the rules applicable to consumer disputes (collectively, "JAMS Rules") as modified by these Terms. The JAMS Rules and filing forms are available online at www.jamsadr.org, by calling the JAMS at +1-800-352-5267 or by contacting FAAR.
- Commencing Arbitration. Before initiating arbitration, a party must first send a written notice of the dispute to the other party by certified U.S. Mail or by Federal Express (signature required) or, only if that other party has not provided a current physical address, then by electronic mail ("Notice of Arbitration"). FAAR's address for Notice is: Foundation for Advancing Alcohol Responsibility, 1250 I Street NW #400, Washington, DC 20005. The Notice of Arbitration must: (a) identify the name or account number of the party making the claim; (b) describe the nature and basis of the claim or dispute; and (c) set forth the specific relief sought ("Demand"). The parties will make good faith efforts to resolve the claim directly, but if the parties do not reach an agreement to do so within 30 days after the Notice of Arbitration is received, you or FAAR may commence an arbitration proceeding. If you commence arbitration in accordance with these Terms, FAAR will reimburse you for your payment of the filing fee, unless your claim is for more than US$10,000 or if FAAR has received 25 or more similar demands for arbitration, in which case the payment of any fees will be decided by the JAMS Rules. If the arbitrator finds that either the substance of the claim or the relief sought in the Demand is frivolous or brought for an improper purpose (as measured by the standards set forth in Federal Rule of Civil Procedure 11(b)), then the payment of all fees will be governed by the JAMS Rules and the other party may seek reimbursement for any fees paid to JAMS.
- Arbitation Proceedings. Any arbitration hearing will take place in the county and state of your billing address unless we agree otherwise or, if the claim is for US$10,000 or less (and does not seek injunctive relief), you may choose whether the arbitration will be conducted: (a) solely on the basis of documents submitted to the arbitrator; (b) through a telephonic or video hearing; or (c) by an in-person hearing as established by the AAA Rules in the county (or parish) of your billing address. During the arbitration, the amount of any settlement offer made by you or FAAR must not be disclosed to the arbitrator until after the arbitrator makes a final decision and award, if any. Regardless of the manner in which the arbitration is conducted, the arbitrator must issue a reasoned written decision sufficient to explain the essential findings and conclusions on which the decision and award, if any, are based.
- Arbitation Relief. Except as provided in Section 15.8 (No Class Actions), the arbitrator can award any relief that would be available if the claims had been brough in a court of competent jurisdiction. If the arbitrator awards you an amount higher than the last written settlement amount offered by FAAR before an arbitrator was selected, FAAR will pay to you the higher of: (a) the amount awarded by the arbitrator and (b) US$10,000. The arbitrator's award shall be final and binding on all parties, except (1) for judicial review expressly permitted by law or (2) if the arbitrator's award includes an award of injunctive relief against a party, in which case that party shall have the right to seek judicial review of the injunctive relief in a court of competent jurisdiction that shall not be bound by the arbitrator's application or conclusions of law. Judgment on the award may be entered in any court having jurisdiction.
- No Class Actions. YOU AND FAAR AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING. Further, unless both you and FAAR agree otherwise, the arbitrator may not consolidate more than one person's claims, and may not otherwise preside over any form of a representative or class proceeding.
- Modifications to this Arbitration Provision. If FAAR makes any substantive change to this arbitration provision, you may reject the change by sending us written notice within 30 days of the change to FAAR's address for Notice of Arbitration, in which case your account with FAAR will be immediately terminated and this arbitration provision, as in effect immediately prior to the changes you rejected will survive.
- Enforceability. If Section 15.8 (No Class Actions) or the entirety of this Section 15 (Dispute Resolution and Arbitration) is found to be unenforceable, or if FAAR receives an Opt-Out Notice from you, then the entirety of this Section 15 (Dispute Resolution and Arbitration) will be null and void and, in that case, the exclusive jurisdiction and venue described in Section 16.2 (Governing Law) will govern any action arising out of or related to these Terms.
- Miscellaneous
- General Terms. These Terms, including the Privacy Policy and any other agreements expressly incorporated by reference into these Terms, are the entire and exclusive understanding and agreement between you and FAAR regarding your use of the Service. You may not assign or transfer these Terms or your rights under these Terms, in whole or in part, by operation of law or otherwise, without our prior written consent. We may assign these Terms and all rights granted under these Terms at any time without notice or consent. The failure to require performance of any provision will not affect our right to require performance at any other time after that, nor will a waiver by us of any breach or default of these Terms, or any provision of these Terms, be a waiver of any subsequent breach or default or a waiver of the provision itself. Use of Section headers in these Terms is for convenience only and will not have any impact on the interpretation of any provision. Throughout these Terms the use of the word "including" means "including but not limited to." If any part of these Terms is held to be invalid or unenforceable, then the unenforceable part will be given effect to the greatest extent possible, and the remaining parts will remain in full force and effect.
- Governing Law. These Terms are governed by the laws of the District of Columbia without regard to conflict of law principles. You and FAAR submit to the personal and exclusive jurisdiction of the state courts and federal courts located within Columbia County, District of Columbia for resolution of any lawsuit or court proceeding permitted under these Terms. We operate the Service from our offices in District of Columbia, and we make no representation that Materials included in the Service are appropriate or available for use in other locations.
- Privacy Policy. Please read the Responsibility Works Privacy Policy (the "Privacy Policy") carefully for information relating to our collection, use, storage, and disclosure of your personal information. The FAAR Privacy Policy is incorporated by this reference into, and made a part of, these Terms.
- Additional Terms. Your use of the Service is subject to all additional terms, policies, rules, or guidelines applicable to the Service or certain features of the Service that we may post on or link to from the Service (the "Additional Terms"). All Additional Terms are incorporated by this reference into, and made a part of, these Terms.
- Consent to Electronic Communications. By using the Service, you consent to receiving certain electronic communications from us as further described in our Privacy Policy. Please read our Privacy Policy to learn more about our electronic communications practices. You agree that any notices, agreements, disclosures, or other communications that we send to you electronically will satisfy any legal communication requirements, including that those communications be in writing.
- Contact Information. The Service is offered by Foundation for Advancing Alcohol Responsibility, located at 1250 I Street NW #400, Washington, DC 20005. You may contact us by sending correspondence to that address or by emailing us at [email protected].
- Notice to California Residents. If you are a California resident, then under California Civil Code Section 1789.3, you may contact the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs in writing at 1625 N. Market Blvd., Suite S-202, Sacramento, California 95834, or by telephone at +1-800-952-5210 in order to resolve a complaint regarding the Service or to receive further information regarding use of the Service.
- No support. We are under no obligation to provide support for the Service. In instances where we may offer support, the support will be subject to published policies.
- International Use. The Service is intended for visitors located within the United States. We make no representation that the Service is appropriate or available for use outside of the United States. Access to the Service from countries or territories or by individuals where such access is illegal is prohibited.
Data Procesing Agreement
This Data Processing Agreement ("DPA") amends and forms part of the written agreement between the Foundation for Advancing Alcohol Responsibility dba Responsibility.org ("FAAR, " "we, " or"us") and you ("Customer") titled Terms of Service (the "Agreement"). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
- Definitions
- In this DPA:
a)
"Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Processor", and "Supervisory Authority" have the meaning given to them in Data Protection Law;
b)
"Customer Personal Data" means Personal Data Processed by Responsibility.org as a Processor on behalf of Customer or Third Party Controller;
c)
"Data Protection Law" means the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area ("EEA"), including the European Union, the UK Data Protection Act 2018, the GDPR as amended by the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and 2020 ("UK GDPR") and all other data protection laws of the EEA and Switzerland, each as applicable, and as may be amended or replaced from time to time;
d)
"Data Subject Rights" means Data Subjects' rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Data Protection Law;
e)
"Internationl Data Transfer" means any disclosure of Personal Data by an organization subject to Data Protection Law to another organization located outside the EEA, the UK, or Switzerland;
f)
"Services" means the services provided by Responsibility.org to Customer under the Agreement;
g)
"Subprocessor" means a Processor engaged by Responsibility.org to Process Customer Personal Data;
h)
"SCCs" means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), C/2021/3972, OJ L 199, 7.6.2021, p. 31-61, as amended or replaced from time to time;
i)
"Third-Party Controller" means a Controller for which Customer is a Processor; and
j)
- Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
- Scope
- This DPA only applies if the Processing of Customer Personal Data by Responsibility.org is subject to Data Protection Law to provide the Services. By agreeing to the Agreement, the Customer also agrees to this DPA to the extent applicable.
- The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I.
- Customer is a Controller and appoints Responsibility.org as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
- If Customer is a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for Responsibility.org; must obtain all necessary authorizations from such Third-Party Controller; undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.
- Customer acknowledges that Responsibility.org may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as account management, technical support, and compliance with law. Responsibility.org is the Controller for such Processing and will Process such data in accordance with Data Protection Law.
- Instructions
- Responsibility.org will Process Customer Personal Data to provide the Services and in accordance with Customer's documented instructions.
- The Controller's instructions are documented in this DPA, the Agreement, and any applicable statement of work.
- Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law. Responsibility.org may charge a reasonable fee to comply with any additional instructions.
- Unless prohibited by applicable law, Responsibility.org will inform Customer if Responsibility.org is subject to a legal obligation that requires Responsibility.org to Process Customer Personal Data in contravention of Customer's documented instructions.
- Personnel
- Responsibility.org will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
- Security and Personal Data Breaches
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Responsibility.org will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II.
- Customer acknowledges that the security measures in Annex II are appropriate in relation to the risks associated with Customer's intended Processing and will notify Responsibility.org prior to any intended Processing for which Responsibility.org's security measures may not be appropriate.
- Responsibility.org will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Responsibility.org's notification is delayed, it will be accompanied by reasons for the delay.
- Subprocessing
- Customer hereby authorizes Responsibility.org to engage the following Subprocessors: Amazon Web Services, Auth0 and DigitalOcean.
- Responsibility.org will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law.
- Responsibility.org will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Responsibility.org's notification of the intended change. Customer and Responsibility.org will work together in good faith to address Customer's objection. If Responsibility.org chooses to retain the Subprocessor, Responsibility.org will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.
- Assistance
- Taking into account the nature of the Processing, and the information available to Responsibility.org, Responsibility.org will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Customer's own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct Data Protection Impact Assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
- Responsibility.org may charge a reasonable fee for assistance under this Section 7. If Responsibility.org is at fault, Responsibility.org and Customer shall each bear their own costs related to assistance.
- Audit
- Upon reasonable request, Responsibility.org must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, at reasonable intervals or if there are indications of non-compliance, and performed by an independent auditor as agreed upon by Customer and Responsibility.org. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data and shall be conducted during normal business hours and in a manner that causes minimal business disruption.
- Responsibility.org will inform Customer if Responsibility.org believes that Customer's instruction under Section 8.1 infringes Data Protection Law. Responsibility.org may suspend the audit or inspection or withhold requested information until Customer has modified or confirmed the lawfulness of the instructions in writing.
- Responsibility.org and Customer each bear their own costs related to an audit.
- Audit
- Upon reasonable request, Responsibility.org must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, at reasonable intervals or if there are indications of non-compliance, and performed by an independent auditor as agreed upon by Customer and Responsibility.org. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data and shall be conducted during normal business hours and in a manner that causes minimal business disruption.
- Responsibility.org will inform Customer if Responsibility.org believes that Customer's instruction under Section 8.1 infringes Data Protection Law. Responsibility.org may suspend the audit or inspection or withhold requested information until Customer has modified or confirmed the lawfulness of the instructions in writing.
- Responsibility.org and Customer each bear their own costs related to an audit.
- Notifications
- Customer will send all notifications, requests and instructions under this DPA to Responsibility.org via email to [email protected].
- Liability
- Where Responsibility.org has paid compensation, damages or fines, Responsibility.org is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer's part of responsibility for the compensation, damages or fines.
- Termination and return or deletion
- This DPA is terminated upon the termination of the Agreement.
- Customer may request return of Customer Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Responsibility.org will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer.
- Applicable law and jurisdiction
- This DPA is governed by the laws of the United States. Any disputes relating to this DPA will be subject to the exclusive jurisdiction of the courts of the United States, Washington, D.C.
- Modification of this DPA
- This DPA may only be modified by a written amendment signed by both Responsibility.org and Customer.
- Invalidity and severability
- If any provision of this DPA is found by any court or administrative body of a competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
ANNEX I
DESCRIPTION OF THE TRANSFER
A. LIST OF PARTIES
Data exporter:
- Name: Customer (as defined above)
- Address: Set out in the applicable order form, in the Customer's account, or other relevant documentation.
- Contact person's name, position and contact details: Set out in the applicable order form, in the Customer's account, or other relevant documentation.
- Activities relevant to the data transferred under these Clauses: Customer receives Responsibility.org's services as described in the Agreement and Responsibility.org Processes Personal Data on behalf of Customer in that context.
- Signature and date: Set out in the applicable order form, in the Customer's account, or other relevant documentation.
- Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller.
Data importer:
- Name: Responsibility.org (as defined above)
- Address: 1250 Eye Street NW, Washington DC, United States, 20005.
- Contact person's name, position and contact details: Courtney Armour, Chief Legal Officer and Corporate Secretary, [email protected].
- Activities relevant to the data transferred under these Clauses: Responsibility.org provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
- Signature and date: 03/22/2023.
- Role (controller/processor): Processor on behalf of Responsibility.org, or Subprocessor on behalf of Third-Party Controller.
B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER
- Categories of Data Subjects whose Personal Data is transferred:
# | Category of Data Subjects | 1. | Customer's customers or end-users |
2. | Customer's personnel, staff and contractors |
3. | Website visitors |
4. | Participants in Responsibility Works |
- Categories of Personal Data transferred:
# | Category of Personal Data | 1. | Registration and profile information |
2. | Careers information |
3. | (Professional) contact details |
4. | Location Information |
5. | Device Information |
6. | Usage Information |
7. | Cookies for stored authentication sessions |
8. | (Personal) contact details |
9. | Company details |
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
# | Category of Sensitive Data | Applied restrictions or safeguards | 1. | No sensitive data transferred | n/a |
- The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): On a continuous basis.
- Nature of the processing: The Personal Data will be processed and transferred as described in the Agreement. The Personal Data is processed as data subjects interact with our services, such as during Responsibility Works and when browsing the website.
- Purpose(s) of the data transfer and further processing: The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement, such as for operating Responsibility Works and for ensuring the website functions effectively.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law. When determining the retention period, we take into account various criteria, such as the type of products and services requested, the nature and length of our relationship with the data subject, the impact on the services we provide to the data subject if we delete some information from or about them, mandatory retention periods provided by law and the statute of limitations.
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
- Categories of Data Subjects whose Personal Data is transferred:
- The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of Ireland.
- The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
- The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Responsibility.org utilizes security measures provided by Auth0. Further information can be found at the following link: https://auth0.com/security
In addition, Responsibility.org stores user and session data in DigitalOcean which is a cloud database provider. Further information can be found at the following link: https://www.digitalocean.com/trust
Responsibility.org secures all API connections that transfer data so they are not vulnerable to attacks.
1. Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data are Processed, include:
- Establishing security areas, restriction of access paths;
- Establishing access authorizations for employees and third parties;
- Access control system (ID reader, magnetic card, chip card);
- Key management, card-keys procedures;
- Door locking (electric door openers etc.);
- Security staff;
- Surveillance facilities, video/CCTV monitor, alarm system; and
- Securing decentralized data processing equipment and personal computers.
2. Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
- User identification and authentication procedures;
- Strong ID/password security procedures (special characters, minimum length and complexity requirements, change of password);
- Automatic blocking (e.g. password or timeout);
- Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts;
- Creation of one master record per user, user-master data procedures per data processing environment; and
- Encryption of archived data media.
3. Data access control
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Customer Personal Data in accordance with their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include:
- Internal policies and procedures;
- Control authorization schemes;
- Differentiated access rights (profiles, roles, transactions and objects);
- Monitoring and logging of accesses;
- Disciplinary action against employees who access Customer Personal Data without authorization;
- Reports of access;
- Access procedure;
- Change procedure;
- Deletion procedure; and
- Encryption.
4. Disclosure control
Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:
- Encryption/tunneling;
- Logging; and
- Transport security.
5. Entry control
Technical and organizational measures to monitor whether Customer Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
- Logging and reporting systems; and
- Audit trails and documentation.
6. Control of instructions
Technical and organizational measures to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the Controller include:
- Unambiguous wording of the contract;
- Formal commissioning (request form); and
- Criteria for selecting the Processor.
7. Availability control
Technical and organizational measures to ensure that Customer Personal Data are protected against accidental destruction or loss (physical/logical) include:
- Backup procedures;
- Mirroring of hard disks (e.g. RAID technology);
- Uninterruptible power supply (UPS);
- Remote storage;
- Anti-virus/firewall systems; and
- Disaster recovery plan.
8. Separation control
Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be Processed separately include:
- Separation of databases;
- "Internal client" concept / limitation of use;
- Segregation of functions (production/testing); and
- Procedures for storage, amendment, deletion, transmission of data for different purposes.
9. Testing controls
Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:
- Periodical review and test of disaster recovery plan;
- Testing and evaluation of software updates before they are installed;
- Authenticated (with elevated rights) vulnerability scanning; and
- Test bed for specific penetration tests and Red Team attacks.
Responsibility.org will contractually require its Subprocessors to implement the same or at least equivalent technical and organizational measures to be able to provide assistance to Customer.