Filthy Rich Idea – REFUND POLICY

*Pricing excludes applicable taxes and ICANN fees.

This Limited Scope Representation Agreement (“Agreement”) is between Filthy Rich Idea LLC (“FRI” or “incfile.com” or “Incfile” or “incfile”) and the individual purchasing a Trademark Registration service (“Service”) (“you” or “your”) (together, the “Parties”) on the incfile.com website. A limited scope representation means that the amount of work the attorney performs for you is limited to certain tasks. Limited scope representation is a means to provide access to legal services while making legal help affordable. Any remaining tasks required outside the scope of this Agreement will be your sole responsibility.

This Agreement is effective as of the date of purchase of the Service. By completing your purchase, you agree to the terms of this Agreement as follows:

1. Firm and Additional Services

Incfile.com may use certain service providers to complete the services under this Agreement. Any funds required for those covered services are included in your original payment and require no additional payment by you to Incfile.

Incfile.com has the right to subcontract services under this Agreement to lawyers located in the United States. Services performed by attorneys in the United States are governed by the ethical rules in the state of the licensed attorney.

For the purposes of this Agreement, “your attorney” or “attorney” means the attorney or firm listed as the attorney of record on your trademark application.

Once your application is (1) approved by the United States Patent and Trademark Office (“USPTO”), (2) rejected by the USPTO and you do not retain your attorney as counsel, or (3) objected to by a third party and you do not retain your attorney as counsel, your attorney may withdraw as the attorney of record on your trademark unless you retain them to monitor or continue as the attorney of record for your subsequently registered trademark. This is the end of your Limited Services.

2. Filing Fees

For new trademark applications, incfile.com charges a flat “Filing Fee” of $350 per class in addition to other fees. Government filing fees for filing a trademark application range from $250 to $350 per class. The $250 application type requires more precision and effort than the $350 application type, so in situations where your attorney uses the $250 application type, the remaining $100 is used to cover the additional labor for the $250 application type.

The cost of the service provided by incfile.com solely covers the filing of the trademark application in one class of goods or services. The cost does not include any additional classes or other work associated with the trademark application, including, but not limited to, responses or communication with the USPTO. Filing in additional classes will require additional expenses as discussed with and determined between you and your attorney.

3. Included Limited Services

This Agreement is for a limited scope of legal services. You retain incfile.com to provide the following limited services (“Limited Services”) within 120 days of your purchase of the Service:

a. A knockout trademark search, which is a search of the USPTO database for exact matches; it is not a comprehensive clearance search and does not necessarily indicate trademark availability;

b. A review of your search results and, as deemed necessary by your attorney, consultation on potential conflicts;

c. If appropriate, preparation and filing of your trademark application with the USPTO, where your attorney will serve as attorney of record (subject to the limitations herein) and your attorney will sign the trademark application attesting to the veracity of the content and the use of the mark in commerce, or a bona fide intent to do so, as alleged by you. In such case, you shall defend, indemnify, and hold harmless your attorney from any harm resulting from any statements made by your attorney (upon direction from you) in the trademark application which are false.

4. Excluded Services

This Agreement specifically excludes the following services:

a. Work required to proceed with an application where the attorney believes there is a conflict;

b. Work on Office action issues;

c. Work on appeals or notices of suspension subsequent to the filing of your trademark application;

d. Representation for responses to third-party objections of any kind;

e. Intellectual property litigation, cease & desist demands, claims of infringement, including if the attorney is called upon to perform additional services such as the subject of a deposition regarding the trademark applied for under this agreement;

f. The filing of any trademark application where a credit card or other payment is declined or the funds are not actually received by incfile.com or a charge back is requested;

g. The filing of any trademark application where the required specimen or other material is not received by the attorney;

h. If you are not using the trademark in commerce yet, your attorney will need to file under an intent-to-use basis. If the application is successful, a specimen will need to be filed later, which will require additional government and processing fees. If you are not using the mark in commerce within six months of receiving a Notice of Allowance from the USPTO, your attorney can file up to five six-month extensions of time for you provided you meet certain criteria (such as marketing your products/services), which will require additional government and processing fees;

i. Monitoring of marks; and

j. Any other service not included as a Limited Service under this Agreement.

5. Trademark Submitted Material

You are required to submit to incfile.com and/or to your attorney materials – such as specimens, drawings, and/or copies of your work – in order for your attorney to complete your order and submit your document(s) to the USPTO.

6. Responsibilities of Parties

a. incfile.com

i. incfile.com agrees to keep you informed (via the attorney) of progress and developments, and respond to your inquiries and communications in connection with your trademark application; and

ii. incfile.com agrees to forward (via the attorney) notices received on your behalf via email to your email address on file up until the end of Limited Services.

b. You

i. You agree to cooperate and respond promptly to incfile.com and your attorney;

ii. You agree to update incfile.com and your attorney with any changes to your contact information, including changes to telephone numbers, address, and email address;

iii. You agree to regularly check your email address provided to incfile.com and the attorney;

iv. You agree for your attorney to provide the status of your trademark application to incfile.com so that if you contact incfile.com regarding the status, incfile.com will have that information;

v. You agree that you are solely responsible for receipt of communications sent via email. If a communication has been sent to the provided e-mail address, your attorney is not responsible for any e-mail not received due to the applicant’s security or anti-spam software, or any problems within the applicant’s e-mail system; and

vi. You agree that your attorney is not liable for the refund of any monies paid by you to incfile.com and that your sole recourse for a refund of any monies paid is through incfile.com.

7. Electronic Communication

You agree to receive communications by email. Your attorney is not obligated to send correspondence by U.S. or international postal mail. You understand that the USPTO TEAS filing system is an electronic filing system. You agree that your attorney may authorize the USPTO, on your behalf, to contact you at the email address you have provided in your order, and submit documents and communications electronically using the USPTO TEAS system. If you fail to comply with these requirements, the USPTO may charge you additional fees. Your attorney is not liable for damages caused by your failure to update and/or check your email address of record.

8. Sharing Documents

You agree that incfile.com may share your order information with your attorney, and your attorney will perform work in connection with the Limited Service.

9. Attorney-Client Privilege

You understand that information you submit using the questionnaire on the incfile.com website may not be protected by attorney-client privilege.

10. Termination

a. By You

i. You may terminate your order and discharge your attorney at any time by written notice, effective when received. Unless specifically agreed by your attorney and you, your attorney will provide no further services and advance no further costs on your behalf after receipt of the notice. You agree to execute and return a substitution-of-attorney form immediately upon receipt from your attorney.

Upon termination, all Limited Services will be deemed completed.

b. By incfile.com

i. Withdrawal as Attorney of Record.

Your attorney may terminate your order and withdraw as your attorney at any time as permitted under the ethical rules of conduct in the state of license of your attorney. Upon termination, all Limited Services will be deemed completed.

ii. Conflict of Interest. If, at any point, a conflict of interest is found between you and another party represented by your attorney, your attorney may obtain written consent of both parties to proceed. If a conflict of interest is found which requires your attorney to decline representation, or if both parties do not consent, your attorney will not find alternative counsel and you will be issued a refund.

iii. Automatic Termination after Provision of Services or 120 Days.

If you do not use your Limited Services by the 120th day after your purchase of the Service, your order will terminate, you will no longer be entitled to the Limited Services, and you will not be given a refund.

11. No Guarantee

Neither incfile.com nor your attorney can guarantee a particular result. There is no guarantee that any trademark application filed by your attorney will result in the registration of the proposed mark, that any search performed will increase the likelihood that the proposed mark will be registered, or that the search results will be complete. Although your attorney may offer an opinion about possible results regarding the subject matter of this Agreement, your attorney cannot guarantee any particular result. You acknowledge that your attorney has made no promises about the outcome, and that any opinion offered by your attorney in the future will not constitute a guarantee. Trademark examiners at the USPTO each have subjective opinions, and these may vary from examiner to examiner.

12. Entire Agreement

This Agreement contains the entire agreement of the Parties. No other agreement, statement, or promise made on or before the effective date of this Agreement will be binding on the Parties.

13. Miscellaneous

This Agreement is governed by the laws of the State of New York in the United States of America, and you hereby consent to venue and personal jurisdiction there. Your attorney is not responsible for the proper operation of any website(s). All orders must be confirmed by telephone by speaking with the attorney of record or by email with your attorney of record. You assume all risks for technical difficulties in placing your order(s) or submitting information over the Internet.

Updated August 1, 2022

Filthy Rich Idea

GET FOUND SERVICE AGREEMENT

Last Revised: 04/21/2023

PLEASE READ THIS AGREEMENT CAREFULLY, AS IT CONTAINS IMPORTANT INFORMATION REGARDING YOUR LEGAL RIGHTS AND REMEDIES.

1. OVERVIEW

 

This Get Found Service Agreement (this “Agreement”) is entered into by and between Filthy Rich Idea (“Filthy Rich Idea”) and you, and is made effective as of the date of electronic acceptance. This Agreement sets forth the terms and conditions of your use of Filthy Rich Idea’s Get Found services (the “Services”), and represents the entire agreement between you and Filthy Rich Idea concerning the subject matter hereof.

Your electronic acceptance of this Agreement signifies that you have read, understand, acknowledge and agree to be bound by this Agreement, along with our Universal Terms of Service Agreement, which is incorporated herein by this reference, and any other agreements or policies that are expressly incorporated herein.

The terms “we”, “us” or “our” shall refer to Filthy Rich Idea. The terms “you”, “your”, “User” or “customer” shall refer to any individual or entity who accepts this Agreement. Nothing in this Agreement shall be deemed to confer any third-party rights or benefits.

We may, in our sole and absolute discretion, change or modify this Agreement, any policies or agreements which are incorporated herein, and any limits or restrictions on the Services, at any time, and such changes or modifications shall be effective immediately upon posting to this Site. Your use of the Services after such changes or modifications shall constitute your acceptance of this Agreement and any limitations to the Services as last revised. If you do not agree to be bound by this Agreement and any Service limitations as last revised, do not continue to use the Services. We may occasionally notify you of changes or modifications to this Agreement by email. It is therefore very important that you keep your shopper account information current. We assume no liability or responsibility for your failure to receive an email notification if such failure results from an inaccurate email address.

 

2. SERVICES

Get Found services enable customers to search for, add, update, and publish their business name, address, phone, menus, and website URL to online partners via a website interface (the “Website”).

3. COPYRIGHT AND TRADEMARK INFORMATION

This Website, and the information which it contains, is the property of Filthy Rich Idea and its affiliates and licensors, and is protected from unauthorized copying and dissemination by United States copyright law, trademark law, international conventions and other intellectual property laws. All other product names are trademarks or registered trademarks of their respective owners.

4. THIRD PARTY DATA

 

The Services described herein may contain data collected from third-party websites that are not owned or controlled by Filthy Rich Idea. Filthy Rich Idea assumes no responsibility for the content, terms and conditions, privacy policies, or practices of any third-party websites. In addition, Filthy Rich Idea does not censor or edit the content of any third-party websites. Filthy Rich Idea does not guarantee any of the content will be published. Filthy Rich Idea makes no representations or warranties about any third-party data offered in connection with the Services, and expressly disclaims any liability or responsibility regarding the same.

By using the Services, you expressly agree to Filthy Rich Idea’s use of such third party data and agree to release Filthy Rich Idea from any and all liability arising from your use of any third-party data. You acknowledge and agree that you will protect, defend, indemnify and hold harmless Filthy Rich Idea from and against any and all claims imposed upon or incurred by Filthy Rich Idea directly or indirectly arising from your use or misuse of the third-party data.  You acknowledge and agree that the providers of the third-party data are third-party beneficiaries to this Agreement for purposes of enforcing their rights under this Agreement.

 

5. NO IMPLIED ENDORSEMENTS

In no event shall any reference to any third party or third party product or service be construed as an approval or endorsement by Filthy Rich Idea of that third party or of any product or service provided by a third party.

EMAIL MARKETING SERVICES

Last Revised: January 11, 2023

PLEASE READ THIS AGREEMENT CAREFULLY, AS IT CONTAINS IMPORTANT INFORMATION REGARDING YOUR LEGAL RIGHTS AND REMEDIES.

1. OVERVIEW

 

This Email Marketing Service Agreement (this “Agreement”) is entered into by and between Filthy Rich Idea and you, and is made effective as of the date of electronic acceptance. This Agreement sets forth the terms and conditions of your use of Email Marketing services (the “Services”), and represents the entire agreement between you and Filthy Rich Idea concerning the subject matter hereof. 

Your electronic acceptance of this Agreement signifies that you have read, understand, acknowledge and agree to be bound by this Agreement, along with our Universal Terms of Service Agreement, which is incorporated herein by this reference, and any other agreements or policies that are expressly incorporated herein.

The terms “we”, “us” or “our” shall refer to Filthy Rich Idea. The terms “you”, “your”, “User” or “customer” shall refer to any individual or entity who accepts this Agreement. Nothing in this Agreement shall be deemed to confer any third-party rights or benefits.

We may, in our sole and absolute discretion, change or modify this Agreement, any policies or agreements which are incorporated herein, and any limits or restrictions on the Services, at any time, and such changes or modifications shall be effective immediately upon posting to this Site. Your use of the Services after such changes or modifications shall constitute your acceptance of this Agreement and any limitations to the Services as last revised. If you do not agree to be bound by this Agreement and any Service limitations as last revised, do not continue to use the Services. We may occasionally notify you of changes or modifications to this Agreement by email. It is therefore very important that you keep your shopper account information current. We assume no liability or responsibility for your failure to receive an email notification if such failure results from an inaccurate email address.

 

2. SERVICES

 

Email Marketing services enable corporate websites, small business websites, community sites and individual sites to sign up website visitors, collect and store visitor subscription information, and build and conduct email communications with their contacts.

The number of contacts in your account is metered by Filthy Rich Idea.

All subscription plan prices are subject to change at any time.

Monthly fees will be charged even if your account was not used to send emails.

It is understood that Filthy Rich Idea makes no guarantee that HTML messages will be rendered properly on all recipients’ email programs, due to the wide variety of HTML generation tools available. Filthy Rich Idea makes every attempt to make sure that all email messages sent through our servers follow email standards, but we cannot guarantee that messages will look consistent across all email platforms. For example, if you use Microsoft Word to generate HTML email messages, it is expected that recipients of your message using a non-Microsoft email application may have difficulty reading your message. For best results Filthy Rich Idea recommends, but does not guarantee, the use of HTML editors that generate HTML that adheres to W3C standards.

 

3. ANTI-SPAM POLICY

 

You may not at any time utilize the Services for the sending of unsolicited email messages (sometimes called, and hereinafter referred to as, “spam”). All messages sent by means of your use of our Services shall be in compliance with the terms of this Agreement and shall only be used for lawful purposes in compliance with all other applicable U.S., state, local and international laws governing your business, operations and activities, which may include (1) the U.S. CAN-SPAM Act of 2003 (“CAN-SPAM”), (2) Canada’s Anti-Spam Legislation (“CASL”), or (3) any other jurisdiction’s policies and laws related to unsolicited emails, spamming, privacy, obscenity or defamation, copyright and trademark infringement, child protective email address registry laws, laws relating to advertising, sales or promotional efforts or practices, redemption, refunds and provision of your products or services, and laws that govern false, unfair and deceptive practices.

We have a zero-tolerance spam policy. Notwithstanding anything to the contrary in the Universal Terms of Service Agreement, you acknowledge and agree that we may immediately terminate or cancel any account, product, or service, including your use of the Services, that we believe, in our sole and absolute discretion, is transmitting or is otherwise connected with any spam or other unsolicited bulk email activity. We reserve the right without notice to take all measures of any nature (whether legal, technical or otherwise) to prevent unsolicited bulk email and/or other unauthorized email, messages or campaigns from entering, utilizing or remaining within our network.  Accounts, products, or services terminated or cancelled in connection to spam or other unsolicited bulk email activity are ineligible for any refund.

The content you include in any email must be accurate and you may only use the Services to send emails to customers and contacts who have expressly opted in or otherwise given you lawful permission to send emails to them. If you do not have written proof that each recipient on your contact list has expressly opted in or given you permission to send emails to them, they should not be included in any email marketing campaign. You must be able to provide opt-in verification for each contact for each email marketing campaign. 

We prohibit the use of third-party, purchased, rented, or harvested mailing lists. You shall not send emails (i) to newsgroups, message boards, distribution lists, or unsolicited email addresses, or (ii) to any recipient who has opted out, unsubscribed, or otherwise objected to receiving such emails from you or another party on whose behalf you may be commissioned.  To the extent the Services include features that allow you to request a recipient to confirm that you have the recipient’s permission to send messages to such recipient (assuming such use is permitted by laws applicable to you), and such recipient has not responded or does not respond affirmatively to such request for confirmation, you agree that you shall not send messages to that recipient. 

You acknowledge and agree that we have the right but not the obligation to copy and/or store your contact lists, customer and contact information, and other information as needed. We shall not use this information in any way that violates our Privacy Policy.

 

4. USE OF PROPER MESSAGING CONTENT

 

You represent and warrant that the information you use in any email marketing campaign, including the header, subject line, and content, is not false, deceptive, or misleading. More specifically, you agree (1) to include a valid and correct physical address and other contact information required by applicable law (e.g., a secondary contact, such as a phone number, as required under CASL), (2) to provide a valid, accurate and non-deceptive identification of your organization in the “from” and “reply to” address of every email, as the sole person sending or causing to be sent the email using our Services, and (3) to ensure the “subject” line of any message sent is not deceptive or misleading with respect to the subject matter of the email message itself.

Every commercial email message sent utilizing our Services should include an “unsubscribe” link that allows subscribers to remove themselves from your mailing list. You agree not to remove or disable this link in your use of our Services.  You must comply and are responsible for honoring all opt-out requests within ten (10) business days of receipt and the opt-out method used must be able to process opt-out requests for a minimum of sixty (60) days after the email is sent. Generally speaking, you cannot charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an unsubscribe request.

 

5. PROHIBITED USE

 

You acknowledge and agree that you shall not use the Services to request, collect or send any non-public or personally identifiable information about another user or any other person without their express prior written consent (or the parent’s consent in the case of a minor), illegal information, or any other information you do not have the right to request, collect or distribute. 

You may not use Filthy Rich Idea to send email campaigns that link to or display pornography, other sexually explicit content, illegal goods or services, pyramid schemes, chain letters, multi-level marketing campaigns, affiliate and network marketing materials, or any other content we deem inappropriate. You may not exploit Filthy Rich Idea’s service agreement by systematically uploading, sending, deleting, then replacing contacts in order to send to more unique email addresses than you’re permitted for your service level.

Unfortunately, some industries yield higher-than-normal abuse rates, which can negatively affect the deliverability for other Filthy Rich Idea users. In order to maintain the highest possible delivery rates for all our users, Filthy Rich Idea is unable to send on behalf of certain industries and senders. This includes, but is not limited to, the following: 

  • Pharmaceutical products
  • Work from home, make money online, and lead generation opportunities
  • Online trading, day trading tips, or stock market-related content
  • Gambling services, products, or tips
  • Multi-level marketing (MLM)
  • Affiliate marketing
  • Credit repair and get out of debt opportunities
  • Mortgage and loan content
  • Nutritional, herbal, and vitamin supplements
  • List brokers or list rental services
  • Counterfeit or “knock off” products appearing to be another brand

It is the responsibility of the sender to ensure that their content falls within these guidelines. Filthy Rich Idea may monitor your account to ensure compliance with these terms and operation within the acceptable standards of the industry and of the email providers you are sending to.

 

6. INACTIVITY

 

If you do not log into your account for more than 120 days, Filthy Rich Idea may, at its sole discretion, classify the account as inactive and flag it accordingly.

INACTIVE ACCOUNTS HAVE 30 DAYS TO BECOME ACTIVE OR THE ACCOUNT AND ITS DATA, INCLUDING SUBSCRIBER SIGNUPS, MAY BE PERMANENTLY REMOVED FROM THE FILTHY RICH IDEA DATABASE.

 

7. INDEMNIFICATION AND LIMITATION OF LIABILITY

You expressly agree and acknowledge that, except as modified by this Agreement, your use of the Services is subject to the entirety of our Universal Terms of Service, and specifically those sections governing Filthy Rich Idea’s Limitation of Liability and your obligations of Indemnification arising from or relating to your use of the Services.

Filthy Rich Idea

CERTIFICATE SERVICES AGREEMENT

Last Revised: 04/10/2023

PLEASE READ THIS AGREEMENT CAREFULLY, AS IT CONTAINS IMPORTANT INFORMATION REGARDING YOUR LEGAL RIGHTS AND REMEDIES

1. OVERVIEW

This Certificate Services Agreement (this “Agreement”) is entered into by and between Filthy Rich Idea (“Filthy Rich Idea”) and you, and is made effective as of the date of electronic acceptance. This Agreement sets forth the terms and conditions of your use of the various SSL and code signing certificate services (“Services”) that we offer. Your electronic acceptance of this Agreement signifies that you have read, understand, acknowledge and agree to be bound by this Agreement, which incorporates by reference all of (i) our Universal Terms of Service Agreement, (ii) all relevant agreements, statements, practices and forms set forth in our Certificate Services Repository, and (iii) any plan limits, product disclaimers or other restrictions presented to you on the web security or certificates landing page of the Filthy Rich Idea website (this “Site”).

The terms “we”, “us” or “our” shall refer to Filthy Rich Idea. The terms “you”, “your”, “User” or “customer” shall refer to any individual or entity who accepts this Agreement and/or uses the Services. Unless otherwise specifically provided in this Agreement, nothing in this Agreement shall be deemed to confer any third-party rights or benefits.

You acknowledge and agree that (i) Filthy Rich Idea, in its sole and absolute discretion, may change or modify this Agreement, and any policies or agreements which are incorporated herein, at any time, and such changes or modifications shall be effective immediately upon posting to this Site, and (ii) your use of this Site or the Services found at this Site after such changes or modifications have been made (as indicated by the “Last Revised” date at the top of this page) shall constitute your acceptance of this Agreement as last revised. If you do not agree to be bound by this Agreement as last revised, do not use (or continue to use) this Site or the Services found at this Site. In addition, Filthy Rich Idea may occasionally notify you of changes or modifications to this Agreement by email. It is therefore very important that you keep your shopper account (“Shopper Account”) information, including your email address, current. Filthy Rich Idea assumes no liability or responsibility for your failure to receive an email notification if such failure results from an inaccurate or out-of-date email address.

2. DESCRIPTION OF SERVICES

We offer various “web security” services, including SSL and code signing certificate services. Each of these is further described below and is governed by an individual agreement with a specific set of terms and conditions referenced and incorporated herein, as well as by various practice and policy statements that govern the services generally. All Services are governed by our Certification Policy and Certification Practice Statement. To the extent applicable, Services may also be subject to the terms and conditions of our SSL Certificate Service Relying Party Agreement.

SSL Certificates. Any SSL certificate you purchase from us or our affiliates is subject to and is intended for its specific use as described in the SSL Certificate Service Subscriber Agreement, or, if an extended validation certificate, by the terms the Extended Validation Certificate Service Subscriber Agreement. For Premium (EV) certificates, there is an extensive vetting process that starts with an in-depth application that will require you to provide details about your business, such as registration number, incorporation or registration agent and any relevant jurisdiction information.

SSL Certificates Term. A requirement introduced by the CA/Browser Forum mandates that all SSL certificates issued on or after September 1, 2020 be valid for no more than 398 days. As such, we will automatically re-validate and re-issue certificates so that the certificate validity period is not greater than 398 days, as long as the subscription is active.

Code Signing Certificates. Any Code Signing certificate you purchase from us or our affiliates is subject to and is intended for its specific use as described in the Code Signing Certificate Service Subscriber Agreement. After you purchase a Code Signing Certificate, you must take all reasonable measures necessary to maintain sole control of, keep confidential, and properly protect at all times the Private Key that corresponds to the Public Key to be included in the requested Certificate(s) (and any associated activation data or device, e.g. a password or token), and ensure that, at a minimum, the Private Key is stored on a USB token that is physically separate from the device that hosts the code signing function until a signing session is begun.

You must provide a certificate signing request (CSR) generated on the computer that will sign the code. Be sure to request the certificate using the computer and the account (typically Administrator) you will use to sign the code. Requesting the certificate creates a private key on that computer, which you must associate with the code signing certificate when you install it. Depending on the use of the certificate, the CSR can be created automatically, or you can use a tool like OpenSSL to generate it. After you submit your request, we verify the company information you supplied. The Registration Authority (RA) might contact you to provide additional information, if required. You can monitor the validation process through your account. Once the Code Signing Certificate is issued, we will send you an email with a link to download and install the certificate file and any associated intermediate certificates.
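The CSR step just described and the 398-day validity cap from the “SSL Certificates Term” paragraph, shown together as an added shell example. This is not part of the agreement and not Filthy Rich Idea's tooling: the subject name, RSA key size, file names, the CSR_KEY_PASS variable and the use of GNU date are assumptions, and the self-signed certificates stand in for CA-issued ones so the check runs offline. A key generated in software, as here, must still be moved onto the USB token the agreement requires before any signing session.

```shell
#!/bin/sh
# Added example, not part of the agreement or of Filthy Rich Idea's tooling.
# Shows the two operational points from the certificate section:
#   1. generating the code-signing key pair and CSR on the signing machine, so the
#      private key never leaves it (only the CSR is sent to the CA), and
#   2. checking that an issued certificate's validity period does not exceed the
#      398-day cap the agreement quotes.
# The subject string, key size, file names and passphrase variable are assumptions.
set -eu

MAX_VALIDITY_DAYS=398

# Generate an encrypted RSA-3072 private key and a CSR for it.
# The passphrase comes from the CSR_KEY_PASS environment variable so it is neither
# written into the script nor visible in `ps`. On a hardware token the key would be
# generated by the token's own tool and the CSR exported from it instead.
make_csr() {
  key="$1"; csr="$2"; subj="$3"
  : "${CSR_KEY_PASS:?set CSR_KEY_PASS before generating a key}"
  export CSR_KEY_PASS
  openssl req -new -newkey rsa:3072 -sha256 \
    -keyout "$key" -out "$csr" -subj "$subj" \
    -passout env:CSR_KEY_PASS 2>/dev/null
  chmod 600 "$key"
  # A well-formed CSR verifies against the public key embedded in it.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# Print a certificate's validity period in whole days (notAfter minus notBefore).
# Uses GNU date to parse OpenSSL's "Mon DD HH:MM:SS YYYY GMT" output.
cert_validity_days() {
  cert="$1"
  nb=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$cert" -noout -enddate   | cut -d= -f2)
  nb_s=$(date -u -d "$nb" +%s)
  na_s=$(date -u -d "$na" +%s)
  echo $(( (na_s - nb_s) / 86400 ))
}

# Return 0 if the certificate is within the cap, 1 if it exceeds it.
check_validity() {
  days=$(cert_validity_days "$1")
  if [ "$days" -le "$MAX_VALIDITY_DAYS" ]; then
    echo "OK   $1: valid $days days (cap $MAX_VALIDITY_DAYS)"
    return 0
  fi
  echo "FAIL $1: valid $days days, exceeds cap of $MAX_VALIDITY_DAYS" >&2
  return 1
}

# Self-signed certificate with a chosen validity, standing in for a CA-issued one
# so the check can be exercised offline (constructed test data, not a real cert).
make_demo_cert() {
  out="$1"; days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -keyout "${out%.pem}.key" -out "$out" -subj "/CN=validity demo" 2>/dev/null
}

demo() {
  work=$(mktemp -d)
  # Placeholder passphrase only so the demo runs unattended; set CSR_KEY_PASS yourself.
  CSR_KEY_PASS="${CSR_KEY_PASS:-demo-only-passphrase}"
  make_csr "$work/codesign.key" "$work/codesign.csr" "/C=US/O=Example Corp/CN=Example Corp"
  openssl req -in "$work/codesign.csr" -noout -subject
  make_demo_cert "$work/ok.pem"  397    # complies with the cap
  make_demo_cert "$work/bad.pem" 825    # pre-2020 style two-year certificate
  check_validity "$work/ok.pem"
  check_validity "$work/bad.pem" || true
  rm -rf "$work"
}

demo
```

Set CSR_KEY_PASS in the environment before running; the demo prints the CSR subject, an OK line for the 397-day certificate and a FAIL line for the 825-day one. The cap is measured as notAfter minus notBefore, which is what the 398-day rule constrains, not the remaining lifetime from today.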

3. APPLICANT REPRESENTATIVE

You are permitted to assign a representative the authority to (1) sign and submit, or approve, a certificate request on your behalf, (2) sign and submit a Subscriber Agreement on your behalf and/or (3) acknowledge the Terms of Use on your behalf, provided that you acknowledge and agree that you are, and will remain, subject to and bound by all terms and conditions of this agreement.

4. TITLES AND HEADINGS; INDEPENDENT COVENANTS; SEVERABILITY

The titles and headings of this Agreement are for convenience and ease of reference only and shall not be utilized in any way to construe or interpret the agreement of the parties as otherwise set forth herein. Each covenant and agreement in this Agreement shall be construed for all purposes to be a separate and independent covenant or agreement. If a court of competent jurisdiction holds any provision (or portion of a provision) of this Agreement to be illegal, invalid, or otherwise unenforceable, the remaining provisions (or portions of provisions) of this Agreement shall not be affected thereby and shall be found to be valid and enforceable to the fullest extent permitted by law.

5. DEFINITIONS; CONFLICTS

Capitalized terms used but not defined herein shall have the meanings ascribed to them in the Universal Terms of Service Agreement. In the event there is a conflict between the provisions of this Agreement and the provisions of the Universal Terms of Service Agreement, the provisions of this Agreement shall control.

STANDARD TERMS FOR PUBLISHERS (“STANDARD TERMS”)

    1. JOINING THE NETWORK


    1.1 By submitting an Application Form, or by accessing the Interface, the Person named in the Application Form (the “Publisher” also known as “Affiliate”) is offering to participate in Filthy Rich Idea’s Affiliate Program, and market Advertisers and their Products, in accordance with the Application Form and these Standard Terms. By submitting an Application Form, the Publisher is also agreeing to the terms of FRI’s privacy policy, which can be found here: https://filthyrichidea.com/privacy-policy.
    1.2 Acceptance of the Application Form is subject to the sole discretion of Filthy Rich Idea LLC of 2232 Dell Range Blvd, Ste 245-3706, Cheyenne, WY 82009 (“FRI”). Acceptance or rejection of the Application Form will be notified to the proposed Publisher by email.
    1.3 On acceptance of the Application Form by FRI, the Application Form and these Standard Terms, including the applicable data processing annex(es), will together constitute a legally binding “Agreement” entered into by FRI and the Publisher. On rejection of the Application Form, no agreement will be formed.
    1.4 The Publisher is the operator of a website, application or service (including email service), or is a Subnetwork. By entering this Agreement with FRI, the Publisher will join the Network to market Advertisers or their Products.
    1.5 This Agreement prevails over any terms supplied by the Publisher.
    1.6 Any individual contracting on his or her own behalf warrants that he or she is aged 18 or over. Any individual completing the Application Form on behalf of a proposed Publisher warrants that he or she has all necessary authority to bind that proposed Publisher.

    2. DEFINITIONS


    2.1 The following definitions and rules of interpretation apply in this Agreement:
    “Action” means a Sale, Lead, Click, Ad Impression, or other event, that has been specified as eligible for remuneration by the respective Advertiser under its Program Terms, on which commissions may be based under this Agreement;
    “Ad Impression” means a display of an advertisement of an Advertiser by the Publisher, as reported by the Tracking Code only;
    “Admin” means a single Authorized User with full access to, and control of, the Publisher Account and which is at all times authorized to act on behalf of the Publisher and bind the Publisher;
    “Advertiser” (also known as “Merchant”) means a Person which has agreed with FRI to join the Network to be marketed, and/or to have its Products marketed;
    “Advertiser Materials” means any trade marks, advertising content, images, text, video, data or other material provided by or on behalf of an Advertiser to FRI, the Publisher or a Subpublisher;
    “Advertiser Program” means an ongoing affiliate marketing program of an Advertiser on the Network, for the promotion of the Advertiser or its Products in accordance with this Agreement and the Program Terms;
    “Advertiser URLs” means, from time to time, any websites, apps or services of an Advertiser offering Products and to which the Publisher may link;
    “Advertising Standards” means any applicable advertising laws, regulations or standards, data laws relating to advertising (including the Children’s Online Privacy Protection Act), including without limitation any FTC Guidance, any generally accepted self-regulatory codes of practice, and any related guidance or best practice advice;
    “Application Form” means the registration form by which operators of websites, applications, technologies or services apply to participate in the Network;
    “Authorized User” means an individual permitted to view, or view and operate, the Publisher Account on behalf of the Publisher, by its individual Authorized User Account, as set out in clause 3;
    “Authorized User Account” means the account of an individual on the Interface, permitted to view, or view and operate, the Publisher Account on behalf of the Publisher, as set out in clause 3;
    “Bonus” means an ad hoc payment to the Publisher by an Advertiser in return for a specific promotion or other marketing activity;
    “Business Day” means a day other than a Saturday, Sunday or national public holiday in Georgia, U.S.;
    “Change of Control” means a change in the beneficial ownership of more than 50% of the issued share capital of a company or a change in the majority of the Persons with legal power to direct or cause the direction of the general management of a company;
    “Click” means the intentional and voluntary following of a Link by a Visitor as part of marketing services as reported by the Tracking Code only;
    “Code of Conduct” means the code of conduct for publishers at https://filthyrichidea.com/fri-policy-agreements/ as may be amended or updated by FRI at its discretion on notice to the Publisher;
    “Commission” means the amount payable to the Publisher in return for marketing an Advertiser and its Products, in accordance with that Advertiser’s Program Terms;
    “Confidential Information” means any information disclosed by or relating to a party, including: information arising during the Term of this Agreement; information about a party’s business affairs; information about a party’s operations, products or trade secrets; information about a party’s technology (including any know-how and source code) and any derivatives of any part of any of them and which (i) is marked or identified as confidential; or (ii) would be regarded as confidential by a reasonable business person;
    “CPA” means a Commission earned per tracked and locked Sale;
    “CPC” means Commission earned per valid Click;
    “CPL” means a Commission earned per tracked and locked Lead;
    “CPM” means a Commission earned per one thousand Ad Impressions;
    “Data Regulation” means any applicable data protection, privacy or similar laws that apply to data processed in connection with this Agreement, including for EU citizens the GDPR or ePrivacy and for US citizens, FTC Guidance, self-regulatory principles set forth by the Digital Advertising Alliance, the California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq. (“CCPA”) and other US state and federal legislation relating to data privacy and security;
    “Effective Date” means the date of acceptance of the Application Form by FRI;
    “ePrivacy” means the Privacy and Electronic Communications Directive 2002/58 (including any replacing or superseding legislation);
    “FTC Guidance” means the published cases and guidelines from the United States Federal Trade Commission, including without limitation the guidance on substantiation of claims, privacy, data security, native advertising and disclosure guidance for influencers and spokespeople;
    “GDPR” means the EU General Data Protection Regulation 2016/679;
    “Group Company” means any holding company or subsidiary of a party or any of its holding companies. A company is a “subsidiary” of another company, its “holding company”, if that other company (i) holds a majority of the voting rights in it, (ii) is a member of it and has the right to appoint or remove a majority of its board of directors, or (iii) is a member of it and controls alone, pursuant to an agreement with other members, a majority of the voting rights in it;
    “Intellectual Property Rights” means all copyrights and related rights, patents, rights to inventions, utility models, trademarks, service marks, trade, business and domain names, rights in trade dress or get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, database rights (including any database rights in the Network), topography rights, moral rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications for and renewals or extensions of such rights, and all similar or equivalent rights or forms of protection in any part of the world;
    “Interface” means the intranet and software platform operated by FRI or FRI Group Companies and any functionality accessed or made available through such platform;
    “Lead” means a ‘sales lead’ of an Advertiser generated in the Tracking Period, as reported by the Tracking Code only;
    “Link” means a hyperlink from a Promotional Space to an Advertiser URL;
    “Network” means the marketing network of publishers and Advertisers operated by FRI or FRI Group Companies to facilitate, amongst other things, affiliate and performance marketing;
    “Network Fee” means the fee payable to FRI, calculated as an override fee of an amount equal to a specified percentage of any total Commissions and Bonuses due, or on such other basis as may be agreed by FRI and an Advertiser;
    “Product” means a product, service or equivalent offered by an Advertiser on any Advertiser URL;
    “Program Terms” means any terms and conditions, or other requirements applied by an Advertiser to the participation in its Advertiser Program;
    “Promotional Space” means any advertising inventory appearing on the Publisher Service, or means of delivering Advertiser Materials enabled by the Publisher Service;
    “Publisher Account” means the respective account of the Publisher on the Interface;
    “Publisher Service” means a website, application or service operated by the Publisher capable of marketing Advertisers and their respective Products;
    “Sale” means the agreed purchase of a Product by a Visitor in the Tracking Period, as reported by the Tracking Code only;
    “Subpublisher” means the operator of a website, application or service, which has agreed with the Subnetwork to market advertisers or their products;
    “Subnetwork” means the operator of a marketing network of further publishers to facilitate, amongst other things, affiliate and performance marketing, which has entered this Agreement to join the Network to market advertisers or their products as a Publisher;
    “Subprocessor” means any person (excluding an employee of either party) appointed by or on behalf of either party to Process Personal Data on behalf of such party or otherwise in connection with this Agreement;
    “Suspension” means the suspension by FRI or any FRI Group Company of the Publisher’s participation in the Network for a period of time, including the following: (i) preventing the Publisher from accessing the Interface; (ii) withholding payments otherwise due to the Publisher; (iii) ceasing to track Actions; (iv) removing any Advertiser Materials from the Publisher Service; and “Suspend” shall be interpreted accordingly;
    “Term” means the term of this Agreement from the Effective Date until its termination or expiry in accordance with clause 14 or 17.4;
    “Tracking Code” means the software code (from time to time) provided by FRI for the recording of, amongst other things, web traffic and Actions;
    “Tracking Period” means the period of time in which the Actions of a Visitor are attributed to the Publisher and, subject to the Program Terms, generate Commissions for the Publisher;
    “Validation Period” means the period of time during which Advertisers may approve or decline Sales and Leads; and
    “Visitor” means any Person who follows a Link.
    2.2 In this Agreement:
    2.2.1 any meanings given to terms in the attached Application Form shall apply to these Standard Terms;
    2.2.2 the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process” and “Processing” have the meanings given to them in GDPR;
    2.2.3 the terms “Consumer”, “Personal Information”, “Business”, “Service Provider”, and “Third Party” have the meanings given to them in the CCPA;
    2.2.4 “include” or “including” is without limitation;
    2.2.5 the singular will include reference to the plural and vice versa;
    2.2.6 a “Person” includes an individual, company, partnership or unincorporated association;
    2.2.7 a statute, order, regulation or other similar instrument will include any amendments to it or replacements of it; and
    2.2.8 “writing” and “written” includes emails but not faxes.

    2.3 If there is a conflict between the Application Form and the Standard Terms, the Application Form shall prevail.

    3. PARTICIPATION IN THE NETWORK AND USE OF THE INTERFACE


    3.1 Subject to the Publisher’s compliance with this Agreement, FRI will:
    3.1.1 permit the Publisher’s participation in the Network for its assignment of the Promotional Space; and
    3.1.2 grant access to the Interface.
    3.2 FRI may change any aspect of the Interface at its sole discretion.
    3.3 On the Effective Date, the Publisher shall:
    3.3.1 register a Publisher Account; and
    3.3.2 nominate an Authorized User as Admin of that Publisher Account.
    3.4 Each Publisher Account may have only one Admin, and must have an Admin at all times. Each Publisher Account may have a reasonable number of Authorized Users.
    3.5 The Admin may assign its Admin role to another Authorized User via the Interface at any time. Assignment of the Admin role does not assign the Publisher’s rights and obligations under this Agreement.
    3.6 To the extent enabled by the Interface, Authorized Users shall be allocated permissions to view, or view and operate, the Publisher Account by the Admin, acting on behalf of the Publisher. Authorized Users may, on behalf of the Publisher, also allocate permissions to view, or view and operate, the Publisher Account, provided that no Authorized User may grant greater permissions than they themselves hold. The Admin may, at any time, withdraw the permission of any Authorized User to view and/or operate the Publisher Account.
    3.7 The Publisher undertakes that:
    3.7.1 the Admin shall remain authorized to act on behalf of the Publisher and bind the Publisher;
    3.7.2 all Authorized Users are permitted to view, or view and operate, the Publisher Account in accordance with any permissions granted on the Interface, which shall be kept up to date by the Publisher;
    3.7.3 it shall use best endeavours to ensure that the Admin and all Authorized Users shall:
    (a) access the Interface in their own name under their own Authorized User Account; and
    (b) keep any passwords confidential.
    3.8 The Publisher shall:
    3.8.1 ensure the proper functioning and maintenance of all Links;
    3.8.2 provide Advertisers and FRI with full and clear instructions as to the Advertiser Material it may reasonably require for the purposes of the promotion of an Advertiser or its Products in accordance with this Agreement and the Program Terms;
    3.8.3 provide Advertisers reasonable access to information the Advertiser may require to operate the Advertiser Program; and
    3.8.4 remain primarily liable for the acts and omissions of all Subpublishers.
    3.9 FRI shall not be liable for any losses or damages suffered by the Publisher due to the disclosure of any Authorized User Account passwords.
    3.10 The Publisher shall remain primarily responsible and liable for all activities occurring under any of the Authorized User Accounts and the acts or omissions of any Authorized User.
    3.11 If the Publisher suspects that a third party has gained unauthorized access to its access data, the Publisher shall inform FRI immediately by sending an e-mail to [email protected] or such other e-mail as may be notified to the Publisher from time to time.
    3.12 FRI may Suspend or withdraw any Authorized User Accounts at its discretion, or on request by the Publisher.
    3.13 Under this Agreement FRI, or any FRI Group Company may, on behalf of FRI:
    3.13.1 provide any aspect of the Network or the Interface (including the granting of sublicenses and licenses under clause 10);
    3.13.2 enjoy any benefit, or exercise any right;
    3.13.3 satisfy any of FRI’s obligations.

    4. MARKETING


    4.1 The Publisher may request to market Advertisers or their Products at their discretion by applying to participate in an Advertiser Program. Advertisers may approve or refuse such requests, and remove Publishers from Advertiser Programs, at any time at their discretion. The Publisher may only market an Advertiser or its Products under this Agreement with the Advertiser’s continued approval, unless specifically enabled by the proper use of the Interface.
    4.2 Advertisers may apply Program Terms and make changes to any Program Terms at their discretion, which shall become effective on notice to the Publisher, including by publication on the Interface. Advertisers may change their Program Terms at any time. The Publisher is solely responsible for ensuring it is aware of any changes to the Program Terms.
    4.3 Subject to the Publisher’s compliance with this Agreement and the Program Terms, and the continued approval of the respective Advertiser, FRI will provide to the Publisher the Advertiser Materials.
    4.4 FRI, however, is not obliged to review any Advertiser Material or check their legality or accuracy. A Publisher admitted to the Advertiser Program may publish the Advertiser Materials through its Publisher Service at its discretion and use them solely to the extent permitted under this Agreement and the Program Terms.
    4.5 FRI may deactivate any Links on request of the respective Advertiser, or at its sole discretion.
    4.6 The Publisher shall remove any Advertiser Materials from the Publisher Service immediately on request of either the Advertiser or FRI.
    4.7 FRI will use reasonable endeavors to procure that Advertisers comply with any terms and conditions, or other requirements, applied by the Publisher to its promotion of Advertisers or their Products.

    5. TRACKING AND VALIDATION


    5.1 The Tracking Code and Program Terms as interpreted by FRI will be the sole bases for recording and determining Actions and Commissions and for tracking. No other means of recording or determining Actions or Commissions shall be used under this Agreement, notwithstanding any agreement or arrangement between the Publisher and any Advertiser to the contrary.
    5.2 Sales, Clicks and Leads will only be attributed to the Publisher where the Tracking Code records that the Publisher was responsible for the most recent referral of the Visitor to the Advertiser URL prior to that Sale or Lead, unless expressly agreed otherwise between the parties or specified otherwise by the Advertiser in the respective Program Terms, and in each case subject to any communicated “cookie hierarchy” or “commission hierarchy”.
    5.3 Tracked Sales, Clicks and Leads will be locked after a certain period, subject to the applicable Program Terms.

    6. ACTIONS, COMMISSIONS AND BONUSES


    6.1 The amount of any Commissions is as may be displayed on the Interface. CPA Commissions in respect of locked Sales will be determined as either:
    6.1.1 a percentage of the purchase price of the Product(s) subject of the locked Sale, as set out on the Interface; or
    6.1.2 a fixed amount, irrespective of the purchase price of the Product(s) subject of the locked Sale, as set out on the Interface.
    6.2 Advertisers may change the amount of Commission offered on notice to Publishers. FRI will use reasonable endeavors to procure that Advertiser’s reductions of the amount of Commissions offered shall take effect seven days after notification.
    6.3 Bonuses may be agreed by the Publisher and Advertisers at their discretion and must be processed via the Interface.
    6.4 Commissions and Bonuses shall only be due for payment:
    6.4.1 on receipt by FRI of the corresponding payment in respect of that Action from the Advertiser; and
    6.4.2 in respect of Actions procured in accordance with this Agreement and any applicable Program Terms.
    6.5 Without prejudice to any other rights or remedies of FRI, if FRI reasonably suspects that any Commissions paid under this Agreement have been generated in breach of this Agreement, FRI may set off or deduct the amount of such Commissions from any future payments due to the Publisher or from any funds held to the Publisher’s account from time to time (whether under this Agreement or any other agreement between FRI and the Publisher). Such deduction shall constitute a genuine pre-estimation of the loss suffered by FRI as a result of the payment of such Commission in breach of this Agreement.

    7. INVOICING AND PAYMENTS


    7.1 FRI will pay the Publisher:
    7.1.1 Commissions in respect of locked Sales, Leads, Clicks or one thousand Ad Impressions; and
    7.1.2 Bonuses agreed between the Publisher and Advertisers.
    7.2 Payment of Commissions and Bonuses may be subject to any Advertiser Terms.
    7.3 Payment statements for Commissions and Bonuses can be accessed by the Publisher via the Interface. The Publisher agrees to the following:
    7.3.1 the Publisher agrees not to issue invoices for any Commissions and Bonuses generated under this Agreement;
    7.3.2 FRI may provide a copy of this Agreement to the Internal Revenue Service (or equivalent local tax authority) in order to evidence the payment arrangements between FRI and the Publisher;
    7.3.3 the Publisher will immediately notify FRI if it transfers any part of its business as a going concern;
    7.3.4 FRI may engage third party service providers to administer the issuing of payments under this Agreement.
    7.4 FRI will pay all due Commissions and Bonuses subject to:
    7.4.1 the passing of the lock date set out in the Interface by the Advertiser for the respective Action;
    7.4.2 any minimum payment thresholds implemented by FRI from time to time being satisfied;
    7.4.3 the correct, accurate and complete bank and tax information of the Publisher being shown on the Interface;
    7.4.4 the provision of any additional information reasonably requested by FRI in respect of the Publisher’s location or residence;
    7.4.5 the payment not being subject to any internal audits or ‘network quality’ reviews from time to time.
    7.5 All payments will be made in accordance with the payment method selected by the Publisher in the ‘Payment Settings’ section of the respective Publisher Account on the Interface. FRI is not obligated to take steps to verify the accuracy of the payment information provided by the Publisher, including mailing address if the Publisher chooses to be paid by check or bank account information if the Publisher chooses to be paid by ACH. Updates to bank account information may take up to two Business Days to take effect.
    7.6 All sums payable under this Agreement shall be exclusive of any sales taxes, use taxes, value added taxes, goods or services taxes or comparable taxes which, if applicable, shall be added at the appropriate rate. These taxes shall be collected and remitted pursuant to applicable law. If payments under this Agreement are subject to withholding tax, FRI is entitled to deduct the appropriate amount from payments to the Publisher. The parties agree to work together on reducing any withholding tax, and, upon request, shall provide documents required for any reduction, exemption, reimbursement or deduction of withholding tax.
    7.7 All amounts payable shall be paid in the currency in which the respective Commissions are received from Advertisers. Any costs of currency conversion or losses caused by exchange rate fluctuations shall be borne by the Publisher.
    7.8 The Publisher will immediately repay any amounts paid to the Publisher in error, or other than in accordance with the Publisher’s rights under this Agreement.
    7.9 Publisher accounts that are abandoned will be closed. If an abandoned Publisher account has a positive balance, the balance will be paid out to the Publisher upon closure. An abandoned Publisher account is defined as any account that has not been logged in to, nor had any transactions posted to it, for a period of 6 months. If either of those conditions is true, the account will remain in an active state. If a payout to the Publisher is not possible, in accordance with applicable law, the payable amount may be considered as unclaimed property and will be reported and paid to the respective state authority by FRI.
    7.10 Any underpaid Commission or Bonuses must be notified to FRI immediately. Subject to clause 6.4, any underpaid Commission or Bonuses notified by the Publisher to FRI within 12 months of the underpayment will be rectified. The Publisher hereby waives its right to recover any underpaid Commissions or Bonuses that the Publisher fails to report to FRI within 12 months of the underpayment.

    8. PUBLISHER’S RELATIONSHIP WITH ADVERTISERS


    8.1 The Publisher’s participation in the Network does not create any contract between the Publisher and any Advertiser.
    8.2 During the term of this agreement the Publisher will not, directly or indirectly, enter or attempt to enter into any agreement, understanding or other form of arrangement (whether express or implied) with any Advertiser where payments are made to the Publisher in respect of any marketing services (including but not limited to affiliate, display, programmatic, search, email and click-to-call marketing) other than under this Agreement, without FRI’s prior written approval.

    9. WARRANTIES AND INDEMNITY


    9.1 Each party warrants and undertakes to the other for the Term that:
    9.1.1 it has full power and authority to enter into this Agreement;
    9.1.2 it holds all licenses and approvals necessary for the performance of its obligations under this Agreement;
    9.1.3 it will perform its obligations under this Agreement in accordance with all applicable laws and using reasonable skill and care; and
    9.1.4 it will not make any false, misleading or disparaging representations or statements regarding the other party.
    9.2 The Publisher warrants and undertakes to FRI for the Term that:
    9.2.1 neither the Publisher, nor any of its officers or shareholders, have previously been party to an agreement terminated by FRI or any FRI Group Company for breach;
    9.2.2 no officer or shareholder of the Publisher has been an officer or shareholder of a company (or other entity) party to an agreement terminated by FRI or any FRI Group Company for breach;
    9.2.3 all information about the Publisher set out in the Application Form or on the Interface is complete, true, accurate, not misleading and will be kept up to date (including, but not limited to address details, payment details and tax information);
    9.2.4 its marketing of any Advertiser or its Products will comply with all Advertising Standards and Data Regulation;
    9.2.5 the Publisher Service will be operated in accordance with all applicable laws (including Advertising Standards and Data Regulation);
    9.2.6 it shall comply with the Code of Conduct at all times;
    9.2.7 it shall comply with all relevant tax laws;
    9.2.8 it shall retain ultimate control of the operation of the Publisher Service;
    9.2.9 it is the owner or valid licensee of any Intellectual Property Rights appearing on the Publisher Service, and that no part of the Publisher Service infringes the rights of any third party; and
    9.2.10 all Advertiser Materials will be accurately and faithfully reproduced.
    9.3 The Publisher will indemnify, defend and hold harmless FRI and any FRI Group Company (including its directors, employees, agents or contractors), from and against any claims, costs, damages, losses, liabilities and expenses (including legal fees) relating to any claims, actions, suits or proceedings by third parties against FRI or any FRI Group Company arising out of or related in any way to any breach by the Publisher of any of the warranties at clauses 9.1 and 9.2, or Publisher’s gross negligence or willful misconduct.

    10. INTELLECTUAL PROPERTY

    10.1 FRI hereby grants to the Publisher, for the duration of its participation in the Advertiser Program, a revocable, non-exclusive, non-transferable, royalty-free, worldwide sublicense to publish Advertiser Materials, without modification, on the Publisher Service in the Promotional Spaces to the extent necessary to enable the Publisher to market the respective Advertiser and its Products on the Network in compliance with the Agreement and the Program Terms.
    10.2 A sublicense granted to a Subnetwork under clause 10.1 shall be further sub-licensable by the Subnetwork to Subpublishers on terms equivalent to clause 10.1, with FRI’s prior written consent.
    10.3 A sublicense granted by a Subnetwork under clause 10.2 shall not be capable of further sublicense by the Subpublisher without FRI’s prior written consent.
    10.4 FRI hereby grants to the Publisher a revocable, non-exclusive, non-sub-licensable, non-transferable, royalty-free worldwide license to use the Interface to the extent necessary for the Publisher to participate in the Network and perform its obligations under this Agreement.
    10.5 The Publisher will not, and will not attempt to, change, reverse engineer or create derivative works of the Interface or the Tracking Code.
    10.6 Each party reserves all of its right, title and interest to any of its Intellectual Property Rights licensed under this clause 10, or which it creates under this Agreement or which is created by operation of the Tracking Code.
    10.7 The Publisher shall use information and data obtained from and in connection with participating in the Network only for the purpose of this Agreement. Uses for any other purpose, or disclosure of such information and data are prohibited.
    10.8 Either party may identify the other party in lists of clients or customers, and may use the other party’s name and logo in marketing materials and presentations. Any other use shall require the prior written consent of the other party.

    11. CONFIDENTIALITY

    11.1 Each party will only use Confidential Information to enjoy its rights or comply with its obligations under this Agreement. Save as set out in this Agreement, neither party will disclose any Confidential Information. Confidential Information shall be kept confidential.
    11.2 The obligations of confidentiality in this Agreement will not apply to Confidential Information to the extent it:
    11.2.1 is in the public domain (other than as a result of a breach of this Agreement);
    11.2.2 can be demonstrated as having been independently developed by the receiving party;
    11.2.3 is published on the Interface in the receipt or provision of the Services in accordance with this Agreement;
    11.2.4 is required to be disclosed by law or a court order.
    11.3 FRI may disclose Confidential Information to FRI Group Companies.
    11.4 This clause will survive termination for five years.
    12. DATA PROTECTION AND COOKIES
    12.1 FRI and the Publisher will comply with their respective obligations under Data Regulation and in accordance with the applicable data processing annex(es) to these Standard Terms.

    13. LIMITATION OF LIABILITY

    13.1 This clause 13 sets out the entire liability of FRI and its Group Companies under or in connection with the Agreement.
    13.2 Each party shall be liable for any breaches of Data Regulation for which they are responsible and accordingly there shall be no joint liability between the parties in respect of such breaches.
    13.3 FRI will not be liable for any losses of the Publisher if FRI’s compliance with the Agreement is prevented by the acts or omissions of the Publisher.
    13.4 FRI will not be liable to the Publisher for: loss of profit, business, goodwill, anticipated savings, goods, contract, use or data; losses arising from the acts or omissions of an Advertiser; or for any special, indirect, consequential or pure economic loss, costs, damages, charges or expenses.
    13.5 The total liability of FRI in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise arising in connection with the Agreement will be limited to the amount of Network Fee actually received by FRI from Advertisers in respect of Commissions paid to the Publisher in the 12 month period preceding the date on which the claim arose.
    13.6 Except as expressly stated otherwise in this Agreement, all warranties, conditions and other terms implied by statute or common law are excluded to the fullest extent permitted by law.
    13.7 The Network, the Interface, the Tracking Code, their use and the results of such use are provided “as is” to the fullest extent permitted by law. FRI disclaims all express or implied warranties, including warranties of satisfactory quality and fitness for a particular purpose, which may be implied in respect of the Network, the Interface, the Tracking Code, their use and the results of such use. The performance of the Network, the Tracking Code and the Interface relies on third parties beyond FRI’s control, and in particular, the maintenance by Advertisers of the proper integration of the Tracking Code into Advertiser URLs. FRI specifically disclaims any warranty:
    13.7.1 that the use or operation of the Network, the Interface or the Tracking Code will be uninterrupted or error-free;
    13.7.2 that the Tracking Code will be properly integrated into the Advertiser URLs;
    13.7.3 that the Tracking Code accurately records Actions at all times;
    13.7.4 in respect of the Advertiser Materials, including any warranty that the Advertiser Materials comply with Advertising Standards;
    13.7.5 that defects will be corrected;
    13.7.6 that the Network, the Interface or the Tracking Code are free of viruses or malicious code;
    13.7.7 that any security methods employed will be sufficient;
    13.7.8 in respect of any Advertiser or its technology and any third party or its technology; and
    13.7.9 regarding correctness, accuracy, or reliability.
    13.8 FRI shall only be held liable in cases of intent or gross negligence of one of its legal representatives, executives or other vicarious agents, in the event of any culpable breach of a material contractual obligation and limited to the amount of the typically foreseeable loss.
    13.9 Nothing in this Agreement limits or excludes the liability of FRI in the event of culpable injury to life, limb or health, fraud, fraudulent misrepresentation or fraudulent misstatement as well as in cases of mandatory statutory liability.

    14. TERMINATION AND SUSPENSION

    14.1 This Agreement will start on the Effective Date and continue until terminated in accordance with its terms.
    14.2 Either party may terminate the Agreement on 30 days’ written notice to the other party for any reason.
    14.3 Without prejudice to its other rights or remedies, a party may terminate the Agreement immediately on written notice to the other party, if:
    14.3.1 the other party materially breaches this Agreement;
    14.3.2 the other party is deemed unable to pay its debts; steps are made to wind up, or appoint an administrator over, the other party; a third party becomes entitled to appoint a receiver over the assets of the other party; the other party negotiates with all or a class of its creditors, or proposes or enters a compromise with such creditors; or any similar or analogous event occurs.
    14.4 FRI may immediately terminate this Agreement or Suspend the Publisher if the Publisher:
    14.4.1 does not access the Publisher Account for a period of six months or if no Commissions have been generated for a period of six months;
    14.4.2 is reasonably suspected by FRI to have breached any:
    (a) of the warranties at clauses 9.1 and 9.2;
    (b) Program Terms of an Advertiser;
    (c) part of the Code of Conduct.
    14.5 FRI may terminate this Agreement, immediately on written notice, if the Publisher undergoes a Change of Control.

    15. CONSEQUENCES OF TERMINATION AND SUSPENSION

    15.1 During any period of Suspension:
    15.1.1 the Publisher is not permitted to access the Interface;
    15.1.2 all licenses will be Suspended and the Publisher shall immediately remove any Advertiser Materials from the Publisher Service;
    15.1.3 FRI may deactivate any Links and remove any Advertiser Materials from the Publisher Service (to the extent it is able); and
    15.1.4 no payments will be made to the Publisher.
    15.2 On termination of the Agreement:
    15.2.1 all licenses will terminate and the Publisher shall immediately remove any Advertiser Materials from the Publisher Service;
    15.2.2 FRI may deactivate any Links and remove any Advertiser Materials from the Publisher Service (to the extent it is able);
    15.2.3 each party will return or at the other party’s option destroy all confidential information in its possession within five Business Days; and
    15.2.4 unless terminated by FRI under clauses 14.3 or 14.4, FRI will pay all outstanding Commissions and Bonuses due to the Publisher;
    15.2.5 where terminated by FRI under clauses 14.3 or 14.4, all unpaid Commissions as of the date of termination, or accruing after the date of termination, shall be forfeited to FRI irrevocably and the Publisher hereby waives any right or entitlement to recover such Commissions and Bonuses from FRI.
    15.3 Termination of this Agreement will not affect any existing rights or remedies.
    15.4 Clauses 1, 2, 5, 6, 7, 10.5, 10.6, 11, 12, 13, 15, 16 and 17 will survive termination.

    16. NOTICES

    16.1 Notices given under this Agreement will be in writing and:
    16.1.1 displayed by FRI on the Interface;
    16.1.2 delivered by the Publisher by hand or sent by pre-paid first-class post or recorded delivery post to FRI at FRI’s registered office;
    16.1.3 delivered by FRI by hand or sent by pre-paid first-class post or recorded delivery post to the Publisher at its notice address set out in the Application Form (or such other address as may be set out on the Publisher Account); or
    16.1.4 sent by FRI by email to the Publisher’s notice email address set out in the Application Form (or such other notice email address as may be set out on the Publisher Account).
    16.2 A notice displayed by FRI on the Interface will be deemed to have been received at the time of its display (or if displayed outside business hours, at 9 am on the first Business Day following display). A notice delivered by hand will be deemed to have been received when delivered (or if delivered outside business hours, at 9 am on the first Business Day following delivery). A correctly addressed notice sent by pre-paid first-class post or recorded delivery post will be deemed to have been received two Business Days after posting. A notice sent by email will be deemed to have been received at the time of transmission as shown by the sender’s records (or if sent outside business hours, at 9 am on the first Business Day following dispatch).

    17. GENERAL

    17.1 FRI may change the terms of this Agreement on 14 days’ notice to the Publisher.
    17.2 Certain functionalities or services offered by FRI or third parties may be subject to additional terms. Such terms will be communicated to the Publisher before those functionalities or services are supplied, including by displaying on the Interface.
    17.3 FRI may set off any liability of the Publisher against any liability of FRI.
    17.3 Time for performance of clauses 3.10, 4.6, 7.3.3, 7.8, 15.1.2 and 15.2.1 is of the essence of this Agreement.
    17.4 No party will be liable for any breach of this Agreement arising from circumstances beyond its reasonable control (a “Force Majeure Event”). If a Force Majeure Event continues for six months, the unaffected party may terminate this Agreement by giving 30 days’ written notice to the other party.
    17.5 The Publisher may not assign or subcontract its rights or obligations under this Agreement in whole or part without FRI’s prior written consent. FRI may assign or subcontract its rights or obligations under this Agreement, including to a FRI Group Company.
    17.6 Nothing in the Agreement constitutes a partnership or joint venture between the parties, nor constitutes a party the agent of the other. No party has authority to bind the other.
    17.7 A Person who is not a party to this Agreement will not have any statutory rights under or in connection with it.
    17.8 A counterpart of this Agreement executed and/or transmitted electronically shall be treated as fully binding and with full legal force and effect.
    17.9 This Agreement constitutes the entire agreement between the parties relating to its subject matter, to the exclusion of the United Nations Convention on Contracts for International Sale of Goods.
    17.10 The Parties irrevocably agree that the state and federal courts in Fulton County of Atlanta, Georgia shall have exclusive jurisdiction to settle any dispute or claim that arises out of, or in connection with, the Agreement or its subject matter.

Overview

These Business Partner Standards of Conduct (“Standards”) state Filthy Rich Idea’s own commitments and its expectations of its business partners.

1. Integrity and Compliance with Laws Anti-Corruption

Business partners must not permit or engage in any unethical practices, corruption, extortion, or bribery – whether they are working with government officials or solely in the private sector. Business partners must not offer, give, or authorize any gift, loan, fee, reward, bribe, or other advantage to any customer, government official, government employee, or Filthy Rich Idea employee to improperly influence any action or decision. Business partners must follow applicable international anti-corruption laws, including the U.S. Foreign Corrupt Practices Act (“FCPA”), the UK Bribery Act, and the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. Business partners must comply, where applicable, with 31 U.S.C. 1352 (concerning payments to influence federal transactions) and the Procurement Integrity Act (Subsection 27(a) of the Federal Procurement Policy Act (42 U.S.C. 423), as amended by Section 814 of Public Law 101-189) when seeking to obtain information or to secure business for themselves or others.

2. Fair Competition

While Filthy Rich Idea competes vigorously in all of its business activities, it is committed to dealing fairly with customers and competitors. Business partners must never propose, discuss, exchange information regarding, or enter into an understanding or agreement, with any competitor concerning:

  • Filthy Rich Idea’s costs, prices, discounts or other terms or conditions of sale;
  • Filthy Rich Idea’s profits or profit margins;
  • Filthy Rich Idea’s allocation of product, customers, markets, or territories;
  • Filthy Rich Idea’s limitations on production or supply;
  • Boycotts of Filthy Rich Idea’s business by customers or suppliers; or
  • Bids or the intent to bid on Filthy Rich Idea products and/or services.

3. Honest and Accurate Dealings

Business partners must not make any false representations in connection with any Filthy Rich Idea transaction including, but not limited to, oral misrepresentations of fact or the promotion or utilization of false documentation such as non-genuine customer purchase orders, fraudulent or forged contracts, forged letters of destruction or any other false or inaccurate records.

4. Conflicts of Interest

Business partners must avoid activities that create or appear to create actual or potential conflicts of interest between their own interests and the interests of Filthy Rich Idea. Filthy Rich Idea business partners must not offer or provide gifts or excessive hospitality or entertainment to any Filthy Rich Idea employee or customer or their families to obtain or retain business or to influence a decision. Filthy Rich Idea employees and their family members may not hold any significant economic interest in any entity that does business with Filthy Rich Idea, and business partners are required to avoid such relationships with Filthy Rich Idea employees. Business partners may not engage in reselling to a government customer when the business partner has already provided consulting services to the government customer advising on the procurement of services that Filthy Rich Idea provides. Filthy Rich Idea business partners must proactively raise actual or potential conflicts of interest with Filthy Rich Idea so that the situation can be evaluated and addressed appropriately.

5. Export Controls

U.S. and international trade laws control (a) where Filthy Rich Idea may send or receive its products and services, and (b) to whom Filthy Rich Idea may sell its products and services. Business partners must not engage in any transactions or dealings, directly or indirectly, with any individuals or entities that are (i) located or residing in any country or territory that is subject to comprehensive U.S. sanctions (including Crimea, Cuba, Iran, North Korea, and Syria); or (ii) identified on any applicable restricted or sanctioned parties’ lists (together the “Prohibited Party Lists”). Filthy Rich Idea business partners must strictly comply with applicable international trade laws and regulations.

6. Intellectual Property and Confidential Information

Business partners may only use Filthy Rich Idea’s intellectual property, such as trade secret information, copyrights, patents and trademarks, in a manner permitted under their contract with Filthy Rich Idea and may not misappropriate or infringe the intellectual property rights of others. Filthy Rich Idea business partners must not misuse any trade secrets or proprietary or confidential information of Filthy Rich Idea or of others for their own purposes or disclose such information to unauthorized third parties. Filthy Rich Idea business partners must notify Filthy Rich Idea if they become aware of any unauthorized use of Filthy Rich Idea intellectual property.

7. Labor Standards

Business partners and their suppliers must only engage in labor practices that comply with applicable laws, including anti-human trafficking laws.

8. Freely Chosen Employment

Business partners and their suppliers must not use forced, bonded, or indentured labor or involuntary prison labor. Business partners must only utilize labor where the individuals performing such labor have freely chosen such employment – their workforce must not be a result of slavery or the trafficking of persons. Business partners and their suppliers should not transport, harbor, or recruit vulnerable persons by means of threat, force, coercion, abduction, or fraud.

9. Labor Conditions

Business partners must:

  • Not engage in child labor (the term “child” refers to any person under the minimum legal age for employment where the work is performed);
  • Pay applicable legal wages and enable employees to work hours that comply with local laws;
  • Comply with applicable safety and health laws, regulations, policies, and procedures and provide working conditions that meet local health and safety standards; and
  • Validate and review all relevant documentation prior to employment of a worker to ensure that all employees have the legal right to work in their locale.

10. Diversity and Non-Discrimination

Business partners must not unlawfully discriminate in employment opportunities or practices on the basis of gender, race, color, religion, age, citizenship, sexual orientation, gender identity, gender expression, marital status, pregnancy, national origin, ancestry, physical or mental disability or condition, or any other protected class under applicable laws.

11. Freedom from Harassment

Business partners must never allow unlawful harassment, bullying, or physical punishment in the workplace. This would include any conduct that may foster an offensive or hostile work environment, such as unwelcome or unsolicited sexual advances, threats of physical harm or violent behavior, or use of discriminatory slurs or inappropriate remarks or jokes.

12. Application of Standards

These Standards apply to all business partners, including our distributors, resellers, solution and consulting partners, alliance partners, affiliate partners, suppliers, vendors, and service providers.

13. Raising Issues and Concerns

It is the intention of Filthy Rich Idea to terminate its relationship with any business partner who does not comply with these Standards or who, upon discovery of noncompliance, does not commit to a specific plan to achieve compliance. In addition, violations may be reported to the law enforcement authorities when appropriate. It is our expectation that our business partners will report any violation of laws, rules, regulations, or these Standards in connection with a Filthy Rich Idea transaction or engagement immediately to the Filthy Rich Idea Legal Department. We expect that our business partners will not retaliate against anyone who, in good faith, reports a violation or suspected violation or assists in an inquiry into such a report.

Security Architecture and Operating Model

In the digital age, cyber-attacks are inevitable. At Filthy Rich Idea, we are taking a “zero trust”, “minimal infrastructure” approach to managing risk and information security.

This document describes our guiding principles and aspirations in managing risk and the building blocks of our security model.

Policy Statements

Filthy Rich Idea policy requires that:

(a) Filthy Rich Idea’s security program and operations should be designed and implemented with the following objectives and best practices:

  • data-centric, cloud-first
  • assume compromise therefore never trust, always verify
  • apply controls using least-privilege and defense-in-depth principles
  • avoid single point of compromise
  • automate whenever possible, the simpler the better, less is more
  • promote self-management and reward good behaviors

(b) Security shall remain a top priority in all aspects of Filthy Rich Idea’s business operations and product development.

Controls and Procedures

Filthy Rich Idea Security Principles

(1) Data-centric model; zero-trust architecture

“Zero Trust” is a data-centric security design that puts micro-perimeters around specific data or assets so that more granular rules can be enforced. It remedies the deficiencies with perimeter-centric strategies and the legacy devices and technologies used to implement them. It does this by promoting “never trust, always verify” as its guiding principle. This differs substantially from conventional security models which operate on the basis of “trust but verify.”

In particular, with Zero Trust there is no default trust for any entity — including users, devices, applications, and packets—regardless of what it is and its location on or relative to the corporate network. In addition, verifying that authorized entities are always doing only what they’re allowed to do is no longer optional; it’s now mandatory.

Summary

  • No internal network. (Almost) 100% cloud.
  • Fully segregated, with granular policy enforcement.
  • Individually secured devices. No production access by default.

(2) Least-privilege temporary access

Cyber-attacks are inevitable. When it comes to preparing for potential attacks, Filthy Rich Idea security operations take the approach that assumes a compromise can happen at any time, to any device, with little to no indicators. This is also an extension of the “zero trust” model. When building security operations, we carefully perform risk analysis and threat modeling to identify potential single points of compromise and to avoid having the “keys to the kingdom”.

In other words, compromise of any single system, user or credential should not easily lead to a broad or full compromise of the entire infrastructure or operations. For example, if an attacker gains access to an admin credential (e.g. App Server Admin User), it should not directly lead to the compromise of all systems and data in the environment.

Summary

  • Need-based access control for both employees and computing services.
  • Access to critical systems and resources is closed by default, granted on demand.
  • Protected by strong multi-factor authentication.
  • No “keys to the kingdom”; no single points of compromise.
  • “Secrets” (such as SSH Keys) must remain secret at all times.

(3) Infrastructure as code builds and deploys

The Filthy Rich Idea platform leverages a multi-service architecture. This means that the system has been decomposed into numerous components that can be built and deployed individually. Before these components get deployed to our production environments, we thoroughly test and validate the changes in our lower environments which are completely isolated from production. This allows us to test upcoming changes while ensuring there is no impact to our customers.

Once a build has been validated in our lower (non-production) environments, we then deploy it to our production environment where the change will be available to Filthy Rich Idea customers and end-users.

Changes to our infrastructure (database schema changes, storage buckets, load balancers, DNS entries, etc.) are also described in our source code and deployed to our environments just like the applications. This architectural approach to managing infrastructure is referred to as infrastructure as code and is a key requirement for fully automated deployments with minimal human touch.

Summary

  • Infrastructure as code with active protection.
  • Automated security scans and full traceability from code commit to production.
  • “Hands-free” deployment ensures each build is free from human error or malicious contamination.

(4) End-to-end data protection and privacy

It is of the utmost importance that Filthy Rich Idea provides for the confidentiality (privacy), integrity and availability of its customers’ data. Your data is protected with end-to-end encryption, combined with strong access control and key management. We also have controls that prevent our internal employees from accessing our business customers’ data directly in production, so your data remains safe and private at all times. We will never use or share our business customers’ data without your prior consent.

Summary

  • Data is safe both at rest and in transit, using strong encryption, access control and key management.
  • No internal user access is allowed to customer data in production.

(5) Strong yet flexible user access

We all know by now that “Password” makes a terrible password. Access control is so important that we must get it right. That’s why we leverage tried-and-true technology such as a Bastion Host with multi-factor authentication, and short-lived temporary authorizations from our Certificate Authority, which signs users’ personal keys and logs each request, both for our internal staff to access business resources and for our customers to access the Filthy Rich Idea platform and services.

Summary

  • Utilizing a Certificate Authority to authorize and log access.
  • Multi-factor authentication.
  • Fine-grained attribute-based or role-based authorization.

(6) Watch everything, even the watchers

You can’t protect what you can’t see.

As the famous strategist Sun Tzu once said, “Know thyself, know thy enemy. A thousand battles, a thousand victories.” It all starts with knowing ourselves. This applies to the infrastructure, environments, operations, users, systems, resources, and most importantly, data. It is important to inventory all assets, document all operations, identify all weaknesses, and visualize and understand all events.

This includes conducting risk analyses, threat modeling, vulnerability assessments, application scanning, and penetration testing. Not only that, it requires security operations to keep an eye on everything, and someone should also “watch the watchers”.

At first, this would require significant manual effort and may seem impossible to keep up-to-date. Our goal is to automate security operations, so that this can be achieved programmatically as our operations evolve to become more complex.

Additionally, the Filthy Rich Idea security team will actively monitor threat intelligence in the community, using feeds from NH-ISAC and CISA to stay abreast of attacker activities and methodologies.

Summary

  • All environments are monitored; All events are logged; All alerts are analyzed; All assets are tracked.
  • No privileged access without prior approval or full auditing.
  • We deploy monitoring redundancy to “watch the watchers”.
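The “no privileged access without prior approval” and “watch the watchers” controls above can be expressed as a detection rule rather than a written policy. The following is an added example, not Filthy Rich Idea’s code: it correlates CloudTrail-style audit events with a list of time-boxed access approvals and alerts on any action taken under a privileged role that has no covering approval, or whose approval was granted by the requester themselves. The event format, role names, user names and every record below are constructed for this example.

```python
"""Detection: privileged access without a valid prior approval.

Added example, not Filthy Rich Idea's code. Event format, role names and
all records are constructed for this example.
"""
import json
from datetime import datetime, timezone

# Roles whose use must be covered by an approval record (constructed names).
PRIVILEGED_ROLES = {"ProdDBAdmin", "ProdAppAdmin"}

# Constructed approval records: temporary grants with an explicit approver.
APPROVALS = [
    {"user": "alice", "role": "ProdDBAdmin", "approved_by": "secops-oncall",
     "from": "2024-05-01T09:00:00Z", "until": "2024-05-01T10:00:00Z"},
    # Self-approval: a reviewer must never approve their own access.
    {"user": "dave", "role": "ProdAppAdmin", "approved_by": "dave",
     "from": "2024-05-01T08:00:00Z", "until": "2024-05-01T12:00:00Z"},
]

# Constructed audit events, one JSON object per line.
EVENTS_JSONL = """\
{"time": "2024-05-01T09:15:00Z", "user": "alice", "role": "ProdDBAdmin", "action": "rds:ModifyDBInstance"}
{"time": "2024-05-01T11:30:00Z", "user": "alice", "role": "ProdDBAdmin", "action": "rds:DeleteDBInstance"}
{"time": "2024-05-01T09:20:00Z", "user": "bob", "role": "ProdDBAdmin", "action": "rds:DescribeDBInstances"}
{"time": "2024-05-01T09:21:00Z", "user": "carol", "role": "ReadOnly", "action": "s3:GetObject"}
{"time": "2024-05-01T08:30:00Z", "user": "dave", "role": "ProdAppAdmin", "action": "ecs:UpdateService"}
"""


def parse_time(stamp: str) -> datetime:
    """Parse the UTC timestamps used in the constructed records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def approval_status(event: dict, approvals: list) -> str:
    """Return 'approved', 'self-approved' (a covering approval exists but was
    granted by the requester) or 'unapproved' (no covering approval at all)."""
    when = parse_time(event["time"])
    saw_self_approval = False
    for a in approvals:
        covers = (a["user"] == event["user"] and a["role"] == event["role"]
                  and parse_time(a["from"]) <= when <= parse_time(a["until"]))
        if not covers:
            continue
        if a["approved_by"] == a["user"]:
            saw_self_approval = True  # watch the watchers: approver == requester
            continue
        return "approved"
    return "self-approved" if saw_self_approval else "unapproved"


def find_unapproved_privileged_access(events_jsonl: str, approvals: list,
                                      privileged_roles=PRIVILEGED_ROLES) -> list:
    """Return every privileged event lacking a valid approval, tagged with a reason."""
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["role"] not in privileged_roles:
            continue  # non-privileged role: still audited, but not gated by approval
        status = approval_status(event, approvals)
        if status != "approved":
            alerts.append({**event, "reason": status})
    return alerts


if __name__ == "__main__":
    for alert in find_unapproved_privileged_access(EVENTS_JSONL, APPROVALS):
        print(f"ALERT {alert['time']} {alert['user']} {alert['action']} ({alert['reason']})")
```

Run against the constructed data, the rule raises three alerts: alice’s deletion at 11:30 falls outside her approved window, bob has no approval at all, and dave’s approval is rejected because he approved it himself. The point of keeping the self-approval case separate is that a missing approval is a process gap, while a self-approval is a control failure in the approval path itself, and the two are triaged differently.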

(7) Centralized and automated operations

As much as possible, Filthy Rich Idea security will translate policy and compliance requirements into reusable code for easy implementation and maintenance. This allows us to enforce policy and compliance in a fast and scalable way, rather than relying solely on written policies and intermittent manual audits. For example, endpoint device policies may be translated into Dockerfiles or Bash scripts, and compliance may be enforced through the agent. Access control policies for production environments are translated into AWS IAM JSON policies and implemented via CloudFormation code.
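Once access control policy lives in IAM JSON documents deployed through CloudFormation, the “no keys to the kingdom” requirement from principle (2) can itself be checked in code before anything is deployed. The following is an added example, not Filthy Rich Idea’s code: a small lint over IAM policy documents that flags the patterns which let one stolen credential (the “App Server Admin User” case above) compromise the whole environment: wildcard actions, wildcard resources, `NotAction` allows, and sensitive actions granted without a `Condition`. The two sample policies, the account id and key id, and the `SENSITIVE_ACTIONS` list are constructed for this example.

```python
"""Least-privilege lint for AWS IAM policy documents.

Added example, not Filthy Rich Idea's code. Sample policies, identifiers
and the SENSITIVE_ACTIONS list are constructed for this example.
"""
import json

# Illustrative set of actions that widen blast radius when granted without a
# Condition (privilege escalation, secret retrieval, role chaining).
SENSITIVE_ACTIONS = {
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "iam:PutUserPolicy", "sts:AssumeRole", "kms:Decrypt",
    "secretsmanager:GetSecretValue",
}


def _as_list(value):
    """IAM accepts either a single string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return human-readable findings for one policy document; empty means clean."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions:
            findings.append(f"{sid}: wildcard action(s) {wild_actions}")
        if "*" in resources:
            findings.append(f"{sid}: wildcard resource")
        sensitive = sorted(a for a in actions if a in SENSITIVE_ACTIONS)
        if sensitive and "Condition" not in stmt:
            findings.append(f"{sid}: sensitive action(s) without Condition {sensitive}")
    return findings


def lint_policy_json(text: str) -> list:
    """Same check for a policy document held as a JSON string (e.g. from a template)."""
    return lint_policy(json.loads(text))


# Constructed "before": an admin policy whose theft compromises everything.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppServerAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

# Constructed "after": the same workload scoped to one bucket and one KMS key,
# with the decrypt grant conditioned on being invoked via S3.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-bucket",
                      "arn:aws:s3:::example-app-bucket/*"]},
        {"Sid": "DecryptOwnKey", "Effect": "Allow",
         "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
         "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or "OK")
```

The overbroad policy yields two findings (wildcard action and wildcard resource); the scoped one yields none. A check like this belongs in the same pipeline that deploys the CloudFormation template, so that a policy which fails it is never applied rather than being caught later by a manual audit.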

Automation makes it truly possible to centralize security operations, including not only event aggregation and correlation, but also the orchestration and management of previously siloed security controls and remediation efforts.

Summary

  • Cloud-native security fabric, that
  • centrally monitors security events,
  • visualizes risk management,
  • automates compliance audits, and
  • orchestrates near real-time remediation.

(8) Usable security

Security benefits from transparency, and should operate as an open-book. This allows the entire organization to take responsibility for and accountability of adopting security best practices. Similar to code reviews and pull requests in the development process, Filthy Rich Idea security team makes security standards and practices available to all employees for feedback prior to adoption.

We emphasize the usability and practicality of security. A security solution or process is not effective if it is not being used, no matter how good it may be. Impractical security only generates noise, provides a false sense of security, and incurs unnecessary cost. Nothing is perfect, but we embrace an agile mindset to test and try, and to continuously improve.

Summary

  • All employees receive security awareness training at least annually.
  • Simple policies, processes, and procedures.
  • No “Shadow IT”.
  • DevSecOps with common goals and an integrated team.
  • Processes that encourage self-management and reward good behavior.

(9) Regulatory compliant

Security != Compliance. We cannot have one without the other.

Summary

  • Regulatory compliant.
  • Assessed and compliant.

Security Architecture

Filthy Rich Idea developed a security architecture on top of its main infrastructure environment in AWS.

Architecture Diagrams

Detailed architecture diagrams of the in-scope networks, endpoints, applications and security operations are developed and maintained internally.

Cloud Architecture

Cloud Native
  • Designed for the cloud using true multi-tenant architecture
  • Auto scaling across multiple data centers in multiple regions
  • Filthy Rich Idea services deployed inside private subnets of Virtual Private Cloud (VPC)
  • Comprehensive security and compliance testing via AWS
  • Ongoing security testing by AWS and internally
Customer Benefits
  • Infrastructure is tailored to our customers’ goals and usage patterns
  • “Shared use” model reduces cost
  • Nearly infinite compute and data capacity via AWS cloud provider
  • Customers can focus on solving business problems and not worry about infrastructure
  • Automatic backup and easy recovery
  • Continuous improvements via change control process
  • Faster adoption of new technology
Evolution of Cloud Computing
  1. Baremetal
    • A computer in someone else’s data center
  2. Virtual Machine
    • A portion of a computer in someone else’s data center
    • In AWS, a Virtual Machine is created from Amazon Machine Image (AMI)
  3. Container
    • A package of essential application libraries and code, but not the core OS libraries
    • Simpler to scale a Docker image because there is no duplication of core OS processes (networking, filesystem, etc.)
    • Typically a Docker container

Filthy Rich Idea strives to leverage containers as the primary building blocks for our platform because:

  • Containers standardize our development and security practices across environments
  • AWS automatically scales containers based on workload
  • Containers are constantly redeployed in our release process, providing automated patching to minimize attack surface

Metrics, Measurements and Continuous Monitoring

A set of metrics / KPIs has been defined to assist in measuring, reporting on and optimizing the security program and the controls in place.

A security scorecard is produced every with updates to key metrics of the Filthy Rich Idea information security program, to measure its adoption and effectiveness.

The reports and scorecards are maintained by Filthy Rich Idea.

Quality of Service

Filthy Rich Idea strives to provide a high quality of service to all of its customers. This is accomplished through a security architecture that encompasses all of Filthy Rich Idea’s operations and provides high data confidentiality, integrity, and availability.

An overview of Filthy Rich Idea’s architecture can be found in Security Architecture. Filthy Rich Idea uses a highly scalable cloud architecture to provide system quality at all times.

All systems are monitored and measured in real time as described in Application Service Event Recovery.

Filthy Rich Idea uses DevOps methodology as described in Software Development Process to ensure a smooth delivery process of all systems and applications.

Status for external facing, customer applications and systems is published at Filthy Rich Idea’s website.


Business Continuity and Disaster Recovery

The Filthy Rich Idea Contingency Plan establishes procedures to recover Filthy Rich Idea following a disruption resulting from a disaster. This Disaster Recovery Policy is maintained by the Filthy Rich Idea Security Officer and Privacy Officer.

HIPAA: This Filthy Rich Idea Contingency Plan has been developed as required under the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, November 2000, and the Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule, Section §164.308(a)(7), which requires the establishment and implementation of procedures for responding to events that damage systems containing electronic protected health information.

Policy Statements

Filthy Rich Idea policy requires that:

(a) A plan and process for business continuity and disaster recovery (BCDR), including the backup and recovery of systems and data, must be defined and documented.

(b) BCDR shall be simulated and tested at least once a year. Metrics shall be measured and identified recovery enhancements shall be filed to improve the BCDR process.

(c) Security controls and requirements must be maintained during all BCDR activities.

Controls and Procedures

BCDR Objectives and Roles

Objectives

The following objectives have been established for this plan:

  1. Maximize the effectiveness of contingency operations through an established plan that consists of the following phases:
    • Notification/Activation phase: detect and assess damage and activate the plan;
    • Recovery phase: restore temporary IT operations and recover from the damage done to the original system;
    • Reconstitution phase: restore IT system processing capabilities to normal operations.
  2. Identify the activities, resources, and procedures needed to carry out Filthy Rich Idea processing requirements during prolonged interruptions to normal operations.
  3. Identify and define the impact of interruptions to Filthy Rich Idea systems.
  4. Assign responsibilities to designated personnel and provide guidance for recovering Filthy Rich Idea during prolonged periods of interruption to normal operations.
  5. Ensure coordination with other Filthy Rich Idea staff who will participate in the contingency planning strategies.
  6. Ensure coordination with external points of contact and vendors who will participate in the contingency planning strategies.

Examples of the types of disasters that would initiate this plan are natural disasters, political disturbances, man-made disasters, external human threats, and internal malicious activity.

Filthy Rich Idea defines two categories of systems from a disaster recovery perspective.

  1. Critical Systems. These systems host production application servers/services and database servers/services, or are required for the functioning of systems that host production applications and data. If unavailable, these systems affect the availability and integrity of data and must be restored, or have a restoration process begun, immediately upon becoming unavailable.
  2. Non-critical Systems. These are all systems not considered critical by the definition above. While they may affect the performance and overall security of critical systems, they do not prevent critical systems from functioning and being accessed appropriately. These systems are restored at a lower priority than critical systems.

Line of Succession

The following order of succession ensures that decision-making authority for the Filthy Rich Idea Contingency Plan is uninterrupted. The Chief Operating Officer (COO) is responsible for ensuring the safety of personnel and the execution of the procedures documented within this Filthy Rich Idea Contingency Plan. The Head of Engineering is responsible for the recovery of Filthy Rich Idea technical environments. If the COO or Head of Engineering is unable to act as the overall authority, or chooses to delegate this responsibility to a successor, the CEO shall act as that authority or choose an alternative delegate. To initiate contact when the contingency plan needs to be activated, use the contact information below.

Response Teams and Responsibilities

The following teams have been developed and trained to respond to a contingency event affecting Filthy Rich Idea infrastructure and systems.

  1. IT is responsible for recovery of the Filthy Rich Idea hosted environment, network devices, and all servers. The team includes personnel responsible for daily IT operations and maintenance. The team leader is the IT Manager, who reports to the COO.
  2. HR & Facilities is responsible for ensuring the physical safety of all Filthy Rich Idea personnel and environmental safety at each Filthy Rich Idea physical location. Team members may also include the site leads at each Filthy Rich Idea work site. The team leader is the Facilities Manager, who reports to the COO.
  3. DevOps is responsible for all applications, web services, the platform and their supporting infrastructure in the cloud. The team is also responsible for testing re-deployments and assessing damage to the environment. The team leader is the Head of Engineering.
  4. Security is responsible for assessing and responding to all cybersecurity-related incidents according to the Filthy Rich Idea Incident Response policy and procedures. The security team shall assist the above teams in recovery as needed in non-cybersecurity events. The team leader is the Security Officer.

Members of above teams must maintain local copies of the contact information of the BCDR succession team. Additionally, the team leads must maintain a local copy of this policy in the event Internet access is not available during a disaster scenario.

All executive leadership shall be informed of any and all contingency events. For current members of Filthy Rich Idea leadership team contact [email protected].

General Disaster Recovery Procedures

Notification and Activation Phase

This phase addresses the initial actions taken to detect and assess damage inflicted by a disruption to Filthy Rich Idea. Based on the assessment of the event, carried out where applicable according to the Filthy Rich Idea Incident Response Policy, the Contingency Plan may be activated by either the COO or the Head of Engineering. The Contingency Plan may also be activated by the Security Officer in the event of a cyber disaster.

The notification sequence is listed below:

  • The first responder is to notify the COO. All known information must be relayed to the COO.
  • The COO is to contact the Response Teams and inform them of the event. The COO or delegate is responsible to begin assessment procedures.
  • The COO is to notify team members and direct them to complete the assessment procedures outlined below to determine the extent of damage and the estimated recovery time. If damage assessment cannot be performed locally because of unsafe conditions, the COO is to follow the alternate procedure below.
    • Damage Assessment Procedure: The COO is to logically assess the damage, gain insight into whether the infrastructure is salvageable, and begin to formulate a plan for recovery.
    • Alternate Assessment Procedure: Upon notification, the COO is to carry out the damage assessment procedure together with the Response Teams.
  • The Filthy Rich Idea Contingency Plan is to be activated if one or more of the following criteria are met:
    • Filthy Rich Idea services will be unavailable for more than 48 hours.
    • The on-premise hosting facility or cloud infrastructure service is damaged and will be unavailable for more than 24 hours.
    • Other criteria, as appropriate and as defined by Filthy Rich Idea.
  • If the plan is to be activated, the COO is to notify and inform team members of the details of the event and if relocation is required.
  • Upon notification from the COO, group leaders and managers are to notify their respective teams. Team members are to be informed of all applicable information and prepared to respond and relocate if necessary.
  • The COO is to notify the hosting facility partners that a contingency event has been declared and to ship the necessary materials (as determined by damage assessment) to the alternate site.
  • The COO is to notify remaining personnel and executive leadership on the general status of the incident.
  • Notification can be message, email, or phone.

Recovery Phase

This section provides procedures for recovering Filthy Rich Idea infrastructure and operations at an alternate site, while other efforts are directed at repairing damage to the original system and capabilities.

Procedures are outlined per team. Each team executes its procedure in the order presented to keep operations efficient.

Recovery Goal: The goal is to rebuild Filthy Rich Idea infrastructure to a production state.

The tasks outlined below are not strictly sequential across teams; some can be run in parallel.

  1. Contact Partners and Customers affected to begin initial communication – DevOps
  2. Assess damage to the environment – DevOps
  3. Create a new production environment using new environment automation – DevOps
  4. Ensure secure access to the new environment – Security
  5. Begin code deployment and data replication using pre-established automation – DevOps
  6. Test new environment and applications using pre-written tests – DevOps
  7. Test logging, security, and alerting functionality – DevOps and Security
  8. Assure systems and applications are appropriately patched and up to date – DevOps
  9. Update DNS and other necessary records to point to new environment – DevOps
  10. Update Partners and Customers affected through established channels – DevOps

Reconstitution Phase

This section discusses the activities necessary for restoring full Filthy Rich Idea operations at the original or a new site. The goal is to restore full operations within 24 hours of a disaster or outage. If necessary, once the hosted data center at the original or new site has been restored, Filthy Rich Idea operations at the alternate site may be transitioned back. The goal is a seamless transition of operations from the alternate site to the original or new site.

  1. Original or New Site Restoration
    • Repeat steps 5-9 in the Recovery Phase at the original or new site / environment.
    • Restoration of Original site is unnecessary for cloud environments, except when required for forensic purpose.
  2. Plan Deactivation
    • If the Filthy Rich Idea environment is moved back to the original site from the alternative site, all hardware used at the alternate site should be handled and disposed of according to the Filthy Rich Idea Media Disposal Policy.

Testing and Maintenance

The COO and/or Head of Engineering shall establish criteria for validation/testing of a Contingency Plan, an annual test schedule, and ensure implementation of the test. This process will also serve as training for personnel involved in the plan’s execution. At a minimum the Contingency Plan shall be tested annually (within 365 days). The types of validation/testing exercises include tabletop and technical testing. Contingency Plans for all application systems must be tested at a minimum using the tabletop testing process. However, if the application system Contingency Plan is included in the technical testing of their respective support systems that technical test will satisfy the annual requirement.

Tabletop Testing

Tabletop Testing is conducted in accordance with the CMS Risk Management Handbook, Volume 2. The primary objective of the tabletop test is to ensure designated personnel are knowledgeable and capable of performing the notification/activation requirements and procedures as outlined in the Contingency Plan, in a timely manner. The exercises include, but are not limited to:

  • Testing to validate the ability to respond to a crisis in a coordinated, timely, and effective manner, by simulating the occurrence of a specific crisis.

Simulation and/or Technical Testing

The primary objective of the technical test is to ensure the communication processes and data storage and recovery processes can function at an alternate site to perform the functions and capabilities of the system within the designated requirements. Technical testing shall include, but is not limited to:

  • Processing from the backup system at the alternate site;
  • Restore system using backups; and
  • Switch compute and storage resources to alternate processing site.

Work Site Recovery

In the event that Filthy Rich Idea facilities are not functioning due to a disaster, employees will work from home or relocate to a secondary site with Internet access until the physical recovery of the impacted facility is complete. The recovery shall be performed by the facility management firm under contract with Filthy Rich Idea, and coordinated by the Facility Manager and/or the Site Lead.

Filthy Rich Idea’s software development organization has the ability to work from any location with Internet access and does not require an office provided Internet connection.

Application Service Event Recovery

Filthy Rich Idea will develop a status page to provide real-time updates and inform our customers of the status of each service. The status page is updated with details about any event that may cause service interruption / downtime.

A follow-up root-cause analysis (RCA), detailing the cause and the plan to remediate and prevent recurrence, will be available to customers upon request after any Moderate or Long event. Event service levels:

Short (hours)

  • Experience a short delay in service.
  • Filthy Rich Idea will monitor the event and determine course of action. Escalation may be required.

Moderate (days)

  • Experience a modest delay in service where processes in flight may need to be restarted.
  • Filthy Rich Idea will monitor the event and determine course of action. Escalation may be required.
  • Filthy Rich Idea will notify customers of delay in service and provide updates on Filthy Rich Idea’s status page.

Long (a week or more)

  • Experience a delay in service and processes in flight may need to be restarted.
  • Filthy Rich Idea will monitor the event and determine course of action. Escalation may be required.
  • Filthy Rich Idea will notify customers of delay in service and provide updates on Filthy Rich Idea’s status page.

Production Environments and Data Recovery

Production data in S3 buckets is synchronized across multiple availability zones. Lifecycle policies may move the data to AWS Glacier for long-term storage and recovery. In an event that requires data to be recovered, it will be retrieved from S3, or from Glacier if the S3 copy is unavailable.

Production database backups are synchronized across multiple regions. In an event that requires data to be recovered, it will be retrieved from the last known healthy backup in any available region.

Filthy Rich Idea assumes that in the worst-case scenario, where one of the production environments suffers a complete data loss, the account will be reconstructed from code and the data restored from a different region and/or AWS account.

Recovery of production Environments and data should follow the procedures listed above and in Data Management – Backup and Recovery.

Data Management Policy

This policy outlines the requirements and controls/procedures Filthy Rich Idea has implemented to manage the end-to-end data lifecycle, from data creation/acquisition to retention and deletion.

Additionally, this policy outlines the requirements and procedures to create and maintain retrievable exact copies of electronic protected health information (ePHI), PII and other critical customer/business data.

Data backup is an important part of the day-to-day operations of Filthy Rich Idea. To protect the confidentiality, integrity, and availability of sensitive and critical data, both for Filthy Rich Idea and for Filthy Rich Idea customers, complete backups are taken daily so that data remains available when it is needed and in case of a disaster.

Policy Statements

Filthy Rich Idea policy requires that:

(a) Data should be classified at time of creation or acquisition according to the Filthy Rich Idea data classification model, by labeling or tagging the data.

(b) Maintain an up-to-date inventory and data flows mapping of all critical data.

(c) All business data should be stored in or replicated to a company-controlled repository (e.g. Google Drive, Git, etc.), including data on end-user computing systems.

(d) Data must be backed up according to its level defined in Filthy Rich Idea data classification.

(e) Data backup must be validated for integrity.

(f) Data retention period must be defined and comply with any and all applicable regulatory and contractual requirements. More specifically,

  • Data and records belonging to Filthy Rich Idea platform customer must be retained per Filthy Rich Idea product terms and conditions and/or specific contractual agreements.

(g) By default, all security documentation and audit trails are kept for a minimum of seven years, unless otherwise specified by Filthy Rich Idea data classification, specific regulations or contractual agreement.

Controls and Procedures

Data Classification Model

Filthy Rich Idea defines the following four classifications of data:

  • Critical
  • Confidential
  • Internal
  • Public

Definitions and Examples

Critical data includes data that must be protected due to regulatory requirements, privacy, and/or security sensitivities.

Unauthorized disclosure of critical data may result in major disruption to business operations, significant cost, irreparable reputation damage, and/or legal prosecution to the company.

External disclosure of critical data is strictly prohibited without an approved process and agreement in place.

Example Critical Data Types include:

  • PII
  • PHI or ePHI
  • PCI or CHD (cardholder data)
  • Production Security data, such as
    • Production secrets, passwords, access keys, certificates, etc.
    • Production security audit logs, events, and incident data

Confidential and proprietary data represents company secrets and is of significant value to the company.

Unauthorized disclosure may result in disruption to business operations and loss in value.

Disclosure requires the signing of NDA and management approval.

Example Confidential Data Types include:

  • Business plans
  • Employee/HR data
  • News and public announcements (pre-announcement)
  • Patents (pre-filing)
  • Specialized source code
  • Non-production Security data, including
    • Non-prod secrets, passwords, access keys, certificates, etc.
    • Non-prod security audit logs, events, reports, and incident data
    • Audit/compliance reports, security architecture docs, etc.

Internal data contains information used for internal operations.

Unauthorized disclosure may cause undesirable outcome to business operations.

Disclosure requires management approval. NDA is usually required but may be waived on a case-by-case basis.

Example Internal Data Types include:

  • Internal documentation
  • Policies and procedures
  • Product roadmaps
  • Most source code

Public data is Information intended for public consumption. Although non-confidential, the integrity and availability of public data should be protected.

Example Public Data Types include:

  • News and public announcements (post-announcement)
  • Marketing materials
  • Product documentation
  • Contents posted on company website(s) and social media channel(s)

Data Handling Requirements Matrix

Requirements for data handling, such as the need for encryption and the duration of retention, are defined according to the Filthy Rich Idea Data Classifications.

The matrix below lists, for each classification, the requirement for: Labeling or Tagging, Segregated Storage, Endpoint Storage, Encrypt At Rest, Encrypt In Transit, Encrypt In Use, Controlled Access, Monitoring, Destruction at Disposal, Retention Period, and Backup Recovery.

Critical

  • Labeling or Tagging: Required
  • Segregated Storage: Required
  • Endpoint Storage: Prohibited
  • Encrypt At Rest: Required
  • Encrypt In Transit: Required
  • Encrypt In Use: Required
  • Controlled Access: Access is blocked to end users by default; temporary access for privileged users only
  • Monitoring: Required
  • Destruction at Disposal: Required
  • Retention Period: 7 years for audit trails; varies for customer-owned data†
  • Backup Recovery: Required

Confidential

  • Labeling or Tagging: Required
  • Segregated Storage: N/R
  • Endpoint Storage: Allowed
  • Encrypt At Rest: Required
  • Encrypt In Transit: Required
  • Encrypt In Use: Required
  • Controlled Access: All access is based on need-to-know
  • Monitoring: Required
  • Destruction at Disposal: Required
  • Retention Period: 7 years for official documentation; others vary based on business need
  • Backup Recovery: Required

Internal

  • Labeling or Tagging: Required
  • Segregated Storage: N/R
  • Endpoint Storage: Allowed
  • Encrypt At Rest: N/R
  • Encrypt In Transit: N/R
  • Encrypt In Use: N/R
  • Controlled Access: All employees and contractors (read); data owners and authorized individuals (write)
  • Monitoring: N/R
  • Destruction at Disposal: N/R
  • Retention Period: 7 years for official documentation; others vary based on business need
  • Backup Recovery: Optional

Public

  • Labeling or Tagging: N/R
  • Segregated Storage: N/R
  • Endpoint Storage: Allowed
  • Encrypt At Rest: N/R
  • Encrypt In Transit: N/R
  • Encrypt In Use: N/R
  • Controlled Access: Everyone (read); data owners and authorized individuals (write)
  • Monitoring: N/R
  • Destruction at Disposal: N/R
  • Retention Period: Varies based on business need
  • Backup Recovery: Optional

N/R = Not Required

† customer-owned data is stored for as long as they remain as a Filthy Rich Idea customer as per our Terms and Conditions, or as required by regulations, whichever is longer. Customer may request their data to be deleted at any time; unless retention is required by law, or defined in our Terms and Conditions.

Data Inventory and Lifecycle Management

The Filthy Rich Idea Security team uses an automated system built on AWS Config to query our cloud infrastructure in AWS and obtain inventory records of all data repositories, including but not limited to:

  • AWS S3 repositories
  • AWS RDS instances
  • AWS EC2 and EFS volumes
  • Source code repositories

The records are stored by AWS. Records are tagged with owner/project and classification where applicable and may be queried in the system. All records are kept up to date via automation.
The system is also designed to track the movement of data and to update records or alert accordingly.

AWS S3 Object Lifecycle Management

The Filthy Rich Idea platform will automatically adjust the storage class for certain types of data based on its usage pattern and age. This allows the Filthy Rich Idea platform to provide competitive pricing while still allowing the customer to store large amounts of data.

AWS provides, among others, the following S3 storage classes:

  • General Purpose (S3 Standard)
  • Infrequent Access (S3 Standard-IA)
  • Archive (S3 Glacier)

S3 lifecycle policies are used to manage the storage class for certain types of data. In most cases, the Filthy Rich Idea platform automatically adjusts the storage class but we may give customers the ability to adjust the storage class manually to meet their pricing or performance needs.

Filthy Rich Idea performs regular full backups of all production data. We leverage S3 lifecycle policies to automatically remove old backup data, so that older backups "age out" instead of having to be deleted explicitly. S3 lifecycle policies are also used to adjust the storage class of backups based on the age of the backup.
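The lifecycle behaviour described here and in Production Environments and Data Recovery above (age-based transitions to Infrequent Access and Glacier, plus expiration of old backups) is easy to get subtly wrong, because S3 rejects some combinations of transition and expiration days. The following is an added example, not Filthy Rich Idea's own configuration: it builds rules in the shape boto3's put_bucket_lifecycle_configuration expects, checks them against the S3 constraints, and predicts where an object of a given age will be. The prefixes, day thresholds and the one-year backup expiry are assumptions chosen for illustration; the 7-year audit-trail retention is taken from policy statement (g).

```python
"""Build and sanity-check S3 lifecycle rules for backups and audit trails.

Added example, not the project's own code. Bucket prefixes and day thresholds
are assumptions for illustration.
"""

YEAR = 365

# Constructed parameters (assumptions).
BACKUP_PREFIX = "backups/"
AUDIT_PREFIX = "audit-logs/"
AUDIT_RETENTION_DAYS = 7 * YEAR  # policy (g): audit trails kept >= 7 years

# Real S3 constraints enforced below: objects must stay in STANDARD for at
# least 30 days before moving to an IA class, transition days must strictly
# increase, and expiration must come after the last transition.
MIN_DAYS_BEFORE_IA = 30
IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}


def lifecycle_rule(rule_id, prefix, transitions, expire_days=None, noncurrent_days=None):
    """One rule in the dict shape boto3 put_bucket_lifecycle_configuration takes."""
    rule = {
        "ID": rule_id,
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [{"Days": d, "StorageClass": c} for d, c in transitions],
    }
    if expire_days is not None:
        rule["Expiration"] = {"Days": expire_days}
    if noncurrent_days is not None:
        rule["NoncurrentVersionExpiration"] = {"NoncurrentDays": noncurrent_days}
    return rule


def backup_lifecycle_config():
    """Daily backups: IA at 30 days, Glacier at 90, gone after a year (assumed).
    Audit trails: Glacier at 90 days, retained for the 7-year policy minimum."""
    return {"Rules": [
        lifecycle_rule("age-out-daily-backups", BACKUP_PREFIX,
                       [(30, "STANDARD_IA"), (90, "GLACIER")],
                       expire_days=YEAR, noncurrent_days=7),
        lifecycle_rule("retain-audit-trails", AUDIT_PREFIX,
                       [(90, "GLACIER")], expire_days=AUDIT_RETENTION_DAYS),
    ]}


def validate_rule(rule):
    """Return a list of problems; an empty list means S3 would accept the rule."""
    problems = []
    days = [t["Days"] for t in rule["Transitions"]]
    for t in rule["Transitions"]:
        if t["StorageClass"] in IA_CLASSES and t["Days"] < MIN_DAYS_BEFORE_IA:
            problems.append(f"{rule['ID']}: transition to {t['StorageClass']} "
                            f"needs at least {MIN_DAYS_BEFORE_IA} days")
    if days != sorted(days) or len(set(days)) != len(days):
        problems.append(f"{rule['ID']}: transition days must strictly increase")
    exp = rule.get("Expiration", {}).get("Days")
    if exp is not None and days and exp <= max(days):
        problems.append(f"{rule['ID']}: expiration must come after the last transition")
    return problems


def validate_config(config):
    return [p for rule in config["Rules"] for p in validate_rule(rule)]


def storage_state(config, key, age_days):
    """Storage class of a current object under `key` at `age_days`, or 'DELETED'.
    Simplification: the first enabled rule whose prefix matches decides."""
    for rule in config["Rules"]:
        if rule["Status"] != "Enabled" or not key.startswith(rule["Filter"]["Prefix"]):
            continue
        exp = rule.get("Expiration", {}).get("Days")
        if exp is not None and age_days >= exp:
            return "DELETED"
        state = "STANDARD"
        for t in rule["Transitions"]:  # ascending by days once validate_rule passes
            if age_days >= t["Days"]:
                state = t["StorageClass"]
        return state
    return "STANDARD"


if __name__ == "__main__":
    cfg = backup_lifecycle_config()
    assert not validate_config(cfg), validate_config(cfg)
    # To apply: boto3.client("s3").put_bucket_lifecycle_configuration(
    #     Bucket="<backup-bucket>", LifecycleConfiguration=cfg)
    for age in (1, 45, 200, 400):
        print(age, storage_state(cfg, "backups/db-2024-01-01.dump", age))
```

Run the validation before every put_bucket_lifecycle_configuration call in the deployment pipeline; a rule that expires data before its last transition, or moves fresh objects to an IA class, is rejected by S3 at apply time and would otherwise surface only as a failed deployment.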

Other Business Data

All internal and confidential business records and documents, such as product plans, business strategies, presentations and reports, are stored outside of an employee workstation or laptop.

  • Official records are stored in record management systems such as
    • Jira (tickets),
    • AWS CodeCommit (source code),
    • HR System, etc.
  • Unstructured business documents such as Word documents, Excel spreadsheets and PowerPoint presentations are stored on Filthy Rich Idea internal document store.
  • Confidential business documents/records are stored in encrypted form with access control enabled on a need-to-know basis.

Transient Data Management

Data may be temporarily stored by a system for processing. For example, a storage device may be used to stage temp/raw files prior to being uploaded to the production environment in AWS. These transient data repositories are not intended for long term storage, and data is purged immediately after use.

Filthy Rich Idea currently does NOT use transient storage for any sensitive data.

Backup and Recovery

Customer Data

Filthy Rich Idea stores data in a secure production account in AWS, using a combination of database technologies and S3. By default, Amazon S3 provides durable infrastructure to store important data and is designed for durability of 99.999999999% of objects.

All data store services and platforms in use are HIPAA compliant.

Filthy Rich Idea performs automatic backup of all customer and system data to protect against catastrophic loss due to unforeseen events that impact the entire system. An automated process will back up or mirror all data to a separate AWS region in the same country (e.g. US East to US West). By default, data will be backed up daily. The backups are encrypted in the same way as live production data.

Customers may also utilize the Filthy Rich Idea Application Programming Interface (API), if applicable, to extract and store their data elsewhere. Standard API usage fees will apply.
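Policy statement (e) requires that backups be validated for integrity, and the cross-region copy above is only useful if a restore from it can be trusted. One way to meet that requirement, added here as an example and not Filthy Rich Idea's own tooling: record a SHA-256 manifest when the backup is taken, then compare the restored tree against it. Everything below (directory layout, manifest format, sample files) is constructed for illustration.

```python
"""Verify a restored backup set against the manifest recorded at backup time.

Added example, not the project's own code. Layout and sample data are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-GB dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_under(root):
    return {str(p.relative_to(root)): p
            for p in Path(root).rglob("*") if p.is_file() and p.name != MANIFEST_NAME}


def build_manifest(backup_dir):
    """Digest and size of every file in the backup set; write it next to the backup."""
    return {rel: {"sha256": sha256_file(p), "size": p.stat().st_size}
            for rel, p in sorted(_files_under(backup_dir).items())}


def verify_restore(restore_dir, manifest):
    """Compare a restored tree to the manifest; returns discrepancies by kind."""
    present = _files_under(restore_dir)
    report = {"missing": [], "corrupted": [], "unexpected": []}
    for rel, meta in manifest.items():
        path = present.get(rel)
        if path is None:
            report["missing"].append(rel)
        elif path.stat().st_size != meta["size"] or sha256_file(path) != meta["sha256"]:
            report["corrupted"].append(rel)
    report["unexpected"] = sorted(set(present) - set(manifest))
    return report


def restore_is_clean(report):
    return not any(report.values())


def demo(root=None):
    """Constructed scenario: back up, restore, then corrupt one file and drop another.
    Returns (report for the clean restore, report after tampering)."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    backup, restore = root / "backup", root / "restore"
    (backup / "db").mkdir(parents=True, exist_ok=True)
    (backup / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (...);\n")
    (backup / "db" / "orders.sql").write_bytes(b"CREATE TABLE orders (...);\n")
    (backup / "config.json").write_text('{"region": "us-east-1"}\n')
    manifest = build_manifest(backup)
    (backup / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))

    # Simulate restoring from the cross-region copy.
    for rel in manifest:
        (restore / rel).parent.mkdir(parents=True, exist_ok=True)
        (restore / rel).write_bytes((backup / rel).read_bytes())
    clean = verify_restore(restore, json.loads((backup / MANIFEST_NAME).read_text()))

    # Same size, one byte changed: a size check alone would miss this.
    (restore / "db" / "orders.sql").write_bytes(b"CREATE TABLE orders (...)!\n")
    (restore / "config.json").unlink()
    tampered = verify_restore(restore, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore ok:", restore_is_clean(clean))
    print("after tampering:", tampered)
```

The manifest should be stored with the backup but under a separate, write-once path (for example an object-locked copy), since a manifest that an attacker can rewrite alongside the data verifies nothing; encrypting backups "in the same way as live production data" protects confidentiality but does not by itself detect a truncated or partially restored file.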

Source code

Filthy Rich Idea stores its source in git repositories.

Source code repositories are backed up to Filthy Rich Idea’s secondary repositories as part of the SDLC process with a common set of configurations for each repository to enforce SDLC processes.

In the event that Filthy Rich Idea’s source control suffers a catastrophic loss of data, source code will be restored from the secondary repository backups.

With the primary and secondary repositories both using git we are able to leverage git’s ability to maintain a full history of all changes to our git repos via the commit log.

Business records and documents

Each data owner/creator is responsible for copying the business files kept locally on their laptop/workstation to the appropriate location on the Filthy Rich Idea internal document store. Examples of business files include, but are not limited to:

  • Documents (e.g. product specs, business plans)
  • Presentations
  • Reports and spreadsheets
  • Design files/images/diagrams
  • Meeting notes/recordings
  • Important records (e.g. approval notes)

Unless the local workstation/device has access to Critical data, backups of user workstations/devices are self-managed by the device owner. Backups may be stored on an external hard drive or using a cloud service such as iCloud if and only if the data is both encrypted and password protected (passwords must meet Filthy Rich Idea requirements).

Data Deletion Procedures

For Platform Customers

Although HIPAA itself does not impose a medical records retention period on Filthy Rich Idea, Filthy Rich Idea understands and appreciates the importance of health data retention. Acting as a subcontractor/service provider, and at times a business associate, Filthy Rich Idea is not directly responsible for the health and medical records retention requirements set forth by each state.

Filthy Rich Idea has created and implemented the following procedures to make it easier for Filthy Rich Idea customers to comply with data retention laws.

Some types of customer data may be automatically transitioned to a storage class appropriate for archival or infrequent use. The guidelines for transitioning data between storage classes are at the discretion of Filthy Rich Idea.

Customer data is retained for as long as the account is in active status. Data enters an expired state when the account is voluntarily closed. Expired account data will be retained for 14 days. After 14 days, the project/account and related data will be removed. Customers that wish to voluntarily close their account should download their data manually or via the API, if available, prior to closing their account.

If an account is involuntarily suspended, then there is a 14-day grace period during which the account will be inaccessible but can be re-opened if the customer meets their payment obligations and resolves any terms of service violations. If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is brought back to good standing so that the API and user interface will be available for their use. After 14 days, the suspended account will be closed and the data will be permanently removed (except when required by law to retain).

For patient data as a Covered Entity

Filthy Rich Idea is NOT a covered entity. Should we become a covered entity in the future, we would be required by law to retain healthcare records for up to 10 years beyond the date service was last provided when providing healthcare services directly to patients. Any patient data that is marked for deletion will be archived for the time required by law. This archived data can be retrieved by the customer as long as it is retrieved within 10 years of the date of last service.