Privacy Policy

Updated April 14, 2025

Table of Contents

Introduction
Our Role Under the GDPR: Data Controller and Data Processor
Data Protection Officer
How we collect and use (process) your personal information
Use of RCI’s websites and EasyRCA
Cookies and tracking technologies
Sharing information with third parties
Transferring personal data to the U.S.
Security of Personal Data
Data Subject rights
Customer Data and Customer Obligations
Data storage and retention
Children’s data
Questions, concerns, or complaints

1. Introduction

Reliability Center Inc. (RCI) is a company dedicated to improving asset performance and safety through better root cause analysis.

We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This Privacy Notice describes RCI’s policies and practices regarding its collection and use of your personal data, and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.

2. Our Role Under the GDPR: Data Controller and Data Processor

Under the European Union’s General Data Protection Regulation (GDPR), our responsibilities differ depending on whether we are acting as a data controller or a data processor. This distinction is important in determining how we handle personal data and what obligations we have under the law.

When We Act as a Data Controller

We act as a data controller when we collect and use information from our customers, users, employees, or business contacts for our own operational, legal, or marketing purposes.

As a data controller, we are responsible for:

Lawful Basis for Processing: Ensuring that all personal data is processed on a valid legal basis, such as consent, contract performance, legal obligation, or legitimate interest.
Transparency: Providing clear and accessible information about how we collect, use, and share personal data, typically through this Privacy Policy and related communications.
Data Subject Rights: Enabling individuals to exercise their rights under the GDPR, including the rights of access, rectification, erasure, restriction, objection, and data portability.
Data Retention: Retaining personal data only as long as necessary for the purposes for which it was collected, in accordance with our data retention policies.
Security Measures: Implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Accountability: Maintaining records of processing activities and being able to demonstrate compliance with GDPR principles.

When We Act as a Data Processor

We act as a data processor for business clients who use our EasyRCA platform to manage their root cause analysis program.

As a data processor, we are committed to:

Processing Only on Instructions: Processing personal data only on documented instructions from the data controller, unless otherwise required by law.
Confidentiality: Ensuring that all personnel authorized to process personal data are subject to confidentiality obligations.
Security: Implementing appropriate technical and organizational measures to ensure the security of the personal data we process on behalf of our clients.
Sub-Processors: Only engaging sub-processors with prior authorization from the data controller, and entering into data processing agreements with those sub-processors that include GDPR-compliant terms.
Assistance with Data Subject Rights: Assisting data controllers in responding to data subject requests, where applicable.
Data Breach Notification: Notifying data controllers without undue delay after becoming aware of a personal data breach.
Return or Deletion of Data: At the end of the service relationship, deleting or returning all personal data to the controller, as directed.

3. Data Protection Officer

RCI is headquartered in Richmond, Virginia, in the United States. We have appointed an internal data protection officer for you to contact if you have any questions or concerns about our personal data policies or practices. If you would like to exercise your privacy rights, please direct your query to our data protection officer as follows:

Data Protection Officer Name: Dana Barrow

Title: Business Administrator

Email: [email protected]

Phone: 804-458-0645

4. How we collect and use (process) your personal information

RCI collects personal information about its website visitors and Customers. With a few exceptions, this information is generally limited to:

Name
Job title
Work email
Work phone number

We use this information to provide prospects and Customers with Services. Within the EasyRCA platform, we collect name and company email only. Other data is non-personally identifiable incident-related data (e.g., descriptions, timestamps, and responsible parties) to facilitate structured RCA investigations.

Outside of EasyRCA, we collect name and contact information from individuals upon request to provide information regarding our services.

We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of our services.

From time to time, RCI receives personal information about individuals from third parties. Typically, information collected from third parties will include further details on your employer or industry. We may also collect your personal data from a third party website (e.g. LinkedIn).

5. Use of RCI’s Websites and EasyRCA

As is true of most other websites, RCI’s websites and EasyRCA collect certain information automatically and store it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of RCI’s websites, including a history of the pages you view. We use this information to help us design our site to better suit our users’ needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.

RCI has a legitimate interest in understanding how members, Customers and potential Customers use its websites. This assists RCI with providing more relevant products and services, with communicating value to our sponsors and corporate members, and with providing appropriate staffing to meet member and Customer needs.

6. Cookies and tracking technologies

RCI makes available a comprehensive Cookie Notice that describes the cookies and tracking technologies used on RCI’s website and provides information on how users can accept or reject them. Please see our Cookie Policy for reliability.com here and our Cookie Policy for easyrca.com here.

7. Sharing information with third parties

The personal information RCI collects from you is stored in one or more databases hosted by third parties located in the United States. These third parties do not use or have access to your personal information for any purpose other than cloud storage and retrieval. On occasion, RCI engages third parties to send information to you, including information about our products, services, and events.

A list of our third party sub-processors can be found here: www.easyrca.com/privacy/subprocessors.

We do not otherwise reveal your personal data to non-RCI persons or businesses for their independent use unless: (1) you request or authorize it; (2) it’s in connection with RCI-hosted and RCI co-sponsored conferences as described above; (3) the information is provided to comply with the law (for example, compelled by law enforcement to comply with a search warrant, subpoena, or court order), enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of our employees or others; (4) the information is provided to our agents, vendors or service providers who perform functions on our behalf; (5) to address emergencies or acts of God; or (6) to address disputes, claims, or to persons demonstrating legal authority to act on your behalf. We may also gather aggregated data about our services and website visitors and disclose the results of such aggregated (but not personally identifiable) information to our partners, service providers, advertisers, and/or other third parties for marketing or promotional purposes.

8. Transferring personal data to the U.S.

RCI has its headquarters in the United States. Information we collect about you will be processed in the United States. By using RCI’s services, you acknowledge that your personal information will be processed in the United States. The United States has not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR. Pursuant to Article 46 of the GDPR, RCI is providing for appropriate safeguards by entering binding, standard data protection clauses, enforceable by data subjects in the EEA and the UK. These clauses have been enhanced based on the guidance of the European Data Protection Board and will be updated when the new draft model clauses are approved.

Per Article 6 of the GDPR, depending on the circumstance, RCI collects and transfers to the U.S. personal data with consent or to fulfill a compelling legitimate interest of RCI in a manner that does not outweigh your rights and freedoms for the purpose of providing requested information regarding our products and services. With regards to customers, RCI collects only that personal data which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. RCI endeavors to apply suitable safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with RCI and the practices described in this Privacy Statement. RCI also enters into data processing agreements and model clauses with its vendors whenever feasible and appropriate. Since it was founded, RCI has received zero government requests for information.

For more information or if you have any questions, please contact us at [email protected]

9. Security of Personal Data

We take the security of your personal information seriously and implement a range of technical, administrative, and organizational safeguards designed to protect it from unauthorized access, disclosure, alteration, or destruction.

Our security measures include, but are not limited to:

Encryption: We use industry-standard encryption protocols within EasyRCA (such as TLS/SSL) to secure data transmitted between your device and our systems. We also use at-rest encryption.
Access Controls: Access to personal data is limited to authorized personnel who require it for legitimate business purposes, and is managed through role-based access controls and authentication mechanisms.
Data Minimization: We collect only the data necessary for the purposes outlined in this Privacy Policy and retain it only as long as needed to fulfill those purposes or comply with legal obligations.
Monitoring and Logging: Our systems are continuously monitored for potential vulnerabilities and threats. Activity logs are maintained to help detect, investigate, and respond to suspicious behavior.
Secure Hosting: Our data is stored on secure servers hosted by reputable third-party providers that comply with recognized industry standards and certifications (e.g., ISO 27001, SOC 2). Our EasyRCA platform is SOC 2 certified.
Employee Training: All employees undergo regular training on data protection best practices, privacy policies, and their role in maintaining the security of personal information. Employees are also subjected to a background check prior to hiring.
Incident Response: In the event of a data breach, we have established procedures to contain and assess the situation, notify affected individuals as required by applicable law, and prevent future occurrences.

While we strive to protect your personal data using commercially reasonable means, no method of transmission over the internet or method of electronic storage is 100% secure. We therefore cannot guarantee its absolute security but remain committed to continuously improving our practices. See Customer Obligations, below, for information regarding our expectations of our customers.

10. Data Subject rights

The GDPR and other countries’ privacy laws provide certain rights for data subjects. Data Subject rights under GDPR include the following:

Right to be informed
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right of data portability
Right to object
Rights related to automated decision making including profiling

This Privacy Notice is intended to provide you with information about what personal data RCI collects about you and how it is used.

If you wish to confirm that RCI is processing your personal data, or to have access to the personal data RCI may have about you, please contact us.

You may also request information about: the purpose of the processing; the categories of personal data concerned; who else outside RCI might have received the data from RCI; what the source of the information was (if you didn’t provide it directly to RCI); and how long it will be stored. You have a right to correct (rectify) the record of your personal data maintained by RCI if it is inaccurate. You may request that RCI erase that data or cease processing it, subject to certain exceptions. You may also request that RCI cease using your data for direct marketing purposes. In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how RCI processes your personal data. When technically feasible, RCI will—at your request—provide your personal data to you.

Reasonable access to your personal data will be provided at no cost. If access cannot be provided within a reasonable time frame, RCI will provide you with a date when the information will be provided. If for some reason access is denied, RCI will provide an explanation as to why access has been denied.

For questions or complaints concerning the processing of your personal data, you can email us at [email protected]. Alternatively, if you are located in the European Union, you can also have recourse to the European Data Protection Supervisor or with your nation’s data protection authority.

11. Customer data and Customer obligations

Data Processing by RCI. All data processing activities carried out as part of the Services within EasyRCA will be governed by the Data Processing Addendum (“DPA”) incorporated by reference herein.

Rights in Customer Data. As between the parties, Customer will retain all of Customer’s Intellectual Property Rights in and to the Customer Data provided to RCI. Subject to the terms of this Agreement, Customer hereby grants to RCI a non-exclusive, worldwide, royalty-free right to access, use and display the Customer Data in order to provide the Services to Customer.

Storage of Customer Data. RCI does not provide an archiving service. RCI will delete a Customer’s information upon request. Otherwise, information is stored in an encrypted format. By using the service, Customer agrees to notify RCI should they wish to have their information deleted upon termination.

Customer Obligations:

In General. Customer is solely responsible for the accuracy, content and legality of all Customer Data. Customer represents and warrants to RCI that Customer has all necessary rights, consents and permissions to collect, share and use all Customer Data as contemplated in this Agreement and that no Customer Data will violate or infringe: (i) any third party Intellectual Property Rights or, publicity, privacy, or other rights, (ii) any Laws, or (iii) any terms of service, privacy or other policies and/or any other agreements governing the Customer Properties or Customer’s accounts with any Third-Party Platforms. Customer will be fully responsible for any Customer Data submitted to the Services.
No Sensitive Personal Information. Except as otherwise expressly agreed between the Parties in writing, Customer specifically agrees not to use the Services to collect, store, process or transmit any Sensitive Personal Information. Except for RCI’s obligations under any business associate agreement entered into with Customer, Customer shall be responsible for any Sensitive Personal Information it submits to the Service, and Customer acknowledges that RCI is not subject to any additional obligations that may apply to any Sensitive Personal Information submitted to the Services.
Compliance with Laws. Customer agrees to comply with all applicable Laws in its use of the Services.
Indemnification by Customer. Customer will indemnify, defend and hold harmless RCI from and against any and all third party (including, without limitation, People) claims, costs, damages, losses, liabilities and expenses (including reasonable attorneys’ fees and costs) arising from or relating to any Customer Data. This indemnification obligation is subject to Customer receiving (i) prompt written notice of such claim (but in any event notice in sufficient time for Customer to respond without prejudice); (ii) the exclusive right to control and direct the investigation, defense, or settlement of such claim; and (iii) all necessary cooperation of RCI at Customer’s expense. Notwithstanding the foregoing sentence, (a) RCI may participate in the defense of any claim by counsel of its own choosing, at its cost and expense and (b) Customer will not settle any claim without RCI’s prior written consent, unless the settlement fully and unconditionally releases RCI and does not require RCI to pay any amount, take any action, or admit any liability.

12. Data storage and retention

Your personal data is stored by RCI on its servers, and on the servers of the cloud-based database management services RCI engages, located in the United States. RCI retains service data for the duration of the Customer’s business relationship with RCI and for a period of time thereafter. RCI retains prospect data until such time as it no longer has business value and/or Customer request data be deleted. All personal data that RCI controls may be deleted upon verified request from Data Subjects or their authorized agents. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact us at: [email protected].