Last updated on March 14, 2018
1.1 Rights Granted. Subject to the terms and conditions of this Service Subscription Agreement (“Agreement”) and the separately provided, confidential quote (“Quote”), OneLogin grants to Subscriber, during the Term (as defined in Section 4.1 below), a limited, worldwide, non-exclusive, non-sublicensable, non-transferable (except as permitted in Section 7.2): (a) right to use the OneLogin Services (as defined herein), (b) license to copy, install, and use the software that is provided with the OneLogin Services to communicate between Subscriber’s servers and the OneLogin Services, and (c) license to reproduce, without modification, and internally use a reasonable number of copies of the OneLogin-provided user documentation relating to the OneLogin Services (e.g., user manuals, on-line help files) (“Documentation”) solely in connection with the use of the OneLogin Services; provided that (a) through (c) are all solely in connection with Subscriber’s internal business operations. Any copy or portion of the Documentation will continue to be subject to the terms and conditions of this Agreement. The OneLogin Services will be provided to Subscriber and its designated users that are paid for by Subscriber, which may include its employees, contractors, dealers/distributors and other third parties working for Subscriber.
With respect to Subscriber, the “OneLogin Services” includes the plan and/or products identified in the Quote.
1.2 Technical Support Services. For so long as Subscriber is current with its payment of the fees specified in the Quote, OneLogin will use reasonable efforts to provide an administrator designated by Subscriber with technical support services relating to the OneLogin Services by phone and email as follows: (a) if the Quote indicates “Standard Support”, (i) 6am-5pm Pacific Standard Time, Monday through Friday, excluding German national holidays, or (ii) if Subscriber’s administrator is located in Europe or the Middle-East, from 8am-5pm GMT Monday through Friday, excluding German national holidays, or (b) if the Quote indicates “Premium Support”, 24 hours a day, 7 days a week.
1.3 Use Restrictions. Except as otherwise explicitly provided in this Agreement or as may be expressly required by applicable law, Subscriber will not, and will not permit or authorize third parties to: (a) rent, lease, disclose, transfer, or otherwise permit third parties (other than designated users as described in Section 1.1 above) to use the OneLogin Services or Documentation; (b) use the OneLogin Services to provide services to third parties (e.g., as a service bureau); (c) breach, circumvent, tamper with or disable any security or other technological features or measures of the OneLogin Services; (d) attempt to probe, scan or test the vulnerability of any systems related to the OneLogin Services, including penetration or load tests, without OneLogin’s prior written approval for each test instance; or (e) reverse engineer, modify, adapt, hack or otherwise attempt to discover the underlying structure, technology or algorithms of the OneLogin Services. Subscriber is responsible for all activity that occurs under its OneLogin Services account(s) but only in case of Subscriber’s fault.
1.4 Compliance with Laws. Subscriber will use the OneLogin Services and Documentation in compliance with all applicable laws and regulations. OneLogin will comply with all applicable laws and regulations in its performance of this Agreement.
1.5 Data Protection. OneLogin shall act as a data processor (the “Data Processor”) in as far as any personal data are collected, processed or used by OneLogin in the course of providing the OneLogin Services, and Subscriber shall be the responsible data controller (the “Data Controller”) with regard to the personal data of Subscriber. The rights and obligations of the parties and any applicable safeguards for such collection, processing or use of personal data are specified in a separate Data Processing Addendum.
1.6 Protection against Unauthorized Use. Safeguarding the security of Subscriber Data (as defined in Section 2.1 below) that resides within the OneLogin Services is a shared responsibility between OneLogin (as the Data Processor) and the Subscriber (as the Data Controller) and, consequently: (a) OneLogin is responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store and/or process any Subscriber Data that can be traced back to OneLogin’s personnel or OneLogin’s security control failure, and (b) in case of Subscriber’s fault, Subscriber is responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store and/or process any Subscriber Data that can be traced back to Subscriber’s personnel or Subscriber’s security control failure. Furthermore, OneLogin is responsible for properly configuring and administering the OneLogin Services and taking appropriate measures to maintain the security, protection and backup of Subscriber Data, including using encryption technology to protect Subscriber Data, and to routinely archive Subscriber Data. Subscriber shall be responsible for Subscriber Data that is added, modified, and removed from its OneLogin Services account and for maintaining the security of its systems that interface with the OneLogin Services and any account access passwords relevant to the OneLogin Services, and will use reasonable efforts to prevent any unauthorized use of the OneLogin Services and Documentation and immediately notify OneLogin in writing of any unauthorized use that comes to Subscriber’s attention. If there is unauthorized use by anyone who obtained access to the OneLogin Services directly or indirectly through Subscriber, Subscriber will take all steps reasonably necessary to terminate the unauthorized use.
Subscriber will cooperate and assist with any actions taken by OneLogin to prevent or terminate unauthorized use of the OneLogin Services or Documentation.
1.7 Incident Management. In the event that OneLogin or Subscriber becomes aware that the security of the OneLogin Services is adversely impacted, and this event subsequently leads to Subscriber Data in OneLogin's control being subject to use or disclosure not authorized by this Agreement (a “Security Incident”), the knowledgeable party will promptly (but in any case not later than forty-eight (48) hours after becoming aware of such Security Incident): (a) assess the nature and scope of the Security Incident; (b) identify the Subscriber Data involved, if any; (c) take appropriate steps to contain, control and stop the Security Incident; and (d) collaborate with the other party in providing relevant information that can be used to address and mitigate the impact of the Security Incident, subject to any request by law enforcement or other government agency to withhold such notice pending the completion of an investigation, except if required otherwise by Articles 33 or 34 of Regulation (EU) 2016/679. The obligation to notify a personal data breach to the supervisory authority according to Article 33 of Regulation (EU) 2016/679 as well as the obligation to communicate a personal data breach to the data subject according to Article 34 of Regulation (EU) 2016/679 remain unaffected.
1.8 Reservation of Rights. OneLogin reserves to itself all rights in and to the OneLogin Services and Documentation not expressly granted to Subscriber under this Agreement.
2.1 Confidentiality. In connection with this Agreement, each party will have access to certain non-public information provided by and regarding the other party that is marked or otherwise should reasonably be understood to be treated as confidential (“Confidential Information”) including, for Subscriber, its user email addresses, user names and passwords (“Subscriber Data”). Except as otherwise permitted by this Agreement or as reasonably required for OneLogin to provide the OneLogin Services, each party shall keep confidential and not intentionally disclose to any third party (other than its directors, officers, employees, agents and representatives on a need-to-know basis) or use any Confidential Information of the other party; provided, however, that neither party shall be prohibited from disclosing or using Confidential Information that: (i) is publicly available or becomes publicly available through no act or omission of the receiving party, (ii) is or has been disclosed to such party by a third party who is not under an obligation of confidentiality with respect thereto, (iii) is or has been independently developed by such party, without use or reference to the other party’s Confidential Information, or (iv) must be used or disclosed under court order or applicable law, provided such use or disclosure is to the minimum extent required by such court order or applicable law. OneLogin will operate the OneLogin Services using reputable third party web service providers, co-location facilities and the like.
2.2 Feedback. If Subscriber provides any feedback to OneLogin concerning the functionality or performance of the OneLogin Services (including identifying potential errors and improvements), Subscriber hereby assigns to OneLogin all right, title, and interest in and to the feedback, and OneLogin is free to use and disclose the feedback without payment or restriction. However, in connection with its use of feedback, OneLogin will not disclose any information that identifies Subscriber or any of its users to any third party, and will not use Subscriber’s trademarks and logos without Subscriber’s prior written consent.
3.1 Fees and Payment Terms. Subscriber will pay OneLogin the fees specified in the Quote. Full payment for the OneLogin Services for the first year of the Term is due within thirty (30) days of the Subscription Start Date (as defined in the Quote), unless otherwise set forth in the Quote. Fees for any additional years under the Term and fees for all Renewal Terms are payable annually in advance and due on the applicable anniversary of the Subscription Start Date. All amounts payable are denominated in Euros, and Subscriber will pay all such amounts in Euros. Any payment not received from the Subscriber by the due date shall accrue interest at the statutory rate. Subscriber will be responsible for all taxes associated with the OneLogin Services, other than U.S. taxes based on OneLogin’s net income. All fees are non-refundable, except only if Subscriber terminates this Agreement with immediate effect pursuant to Section 4.2 or is permitted to reduce prepaid fees.
3.2 Additional Users. The number of Users included in the baseline Fees shown in the Quote determines the initial invoice amount. If Subscriber wants to add additional users beyond the total included in the baseline Fees (“Additional Users”), Subscriber may purchase additional subscriptions in blocks of users and for the price specified in the Quote. Additionally, OneLogin will periodically assess whether Additional Users exist, and, if found, OneLogin will invoice Subscriber for the number of Additional Users. Fees for Additional Users will be prorated based on the time remaining until the expiration of the Term or the then-current Renewal Term, as applicable, so that all users renew on the same date.
3.3 Innovation Increase. OneLogin reserves the right to increase the fees for the OneLogin Services by up to ten percent (10%) per year during the Term, effective on each anniversary of the Subscription Start Date, to reflect OneLogin’s continued innovation investment in the OneLogin Services. Any such increase will be invoiced in advance of the year during which such increase would take effect and will be based on the number of Subscriber’s users at that time.
3.4 Fees for Professional Services. If set forth in the Quote, Subscriber will pay OneLogin a professional services fee in exchange for OneLogin providing reasonable assistance with initial onboarding and deployment efforts as defined in more detail in a separate Statement of Work by and between OneLogin and Subscriber.
3.5 Sandbox Accounts. If set forth in the Quote, OneLogin may provide Subscriber the use of “sandbox” user accounts for the OneLogin Services, each of which will be charged at an additional rate of fifteen percent (15%) of the baseline Fee specified in the Quote (as applicable).
4.1 Term. Unless this Agreement is terminated earlier in accordance with this Section 4, the initial term of this Agreement will be the period between the Subscription Start Date and the Subscription End Date as set forth in the Quote (the “Term”), and will automatically renew for successive, one-year periods (each, a “Renewal Term”) unless either party provides the other party with written notice of non-renewal at least thirty (30) days prior to the end of the then-current period.
4.2 Termination. If Subscriber fails to timely pay any fees or otherwise breaches any term or condition of this Agreement, OneLogin may, without limitation to any of its other rights or remedies, immediately suspend the OneLogin Services with notice to Subscriber until Subscriber cures the applicable breach. The right to extraordinary termination due to important reason remains unaffected.
4.3 Post-Termination Obligations. If this Agreement is terminated for any reason or otherwise expires (a) OneLogin will, within thirty (30) days, delete all information uploaded by Subscriber or its users to the OneLogin Services from its (and its subcontractors’) active and passive instances of the OneLogin Services, which shall include any archived information, backups and log files (it being understood that this information cannot be retrieved by Subscriber after such termination or expiration), (b) each party will remove all of the other party’s Confidential Information from its (and its subcontractors’) systems, (c) Subscriber will discontinue the use of all copies of the software provided with the OneLogin Services and all related Documentation and will destroy, and document in writing such destruction of, any embodiments of these materials stored in or on a reusable electronic or similar medium, including but not limited to memory, disk packs, tapes and other peripheral devices, and (d) upon request by OneLogin, Subscriber will provide OneLogin with a written certification signed by an authorized Subscriber representative certifying that all Subscriber’s use of the OneLogin Services and Documentation has been discontinued. The provisions of Sections 2, 3 (with respect to payment obligations accrued during the Term), 4.3, 6 and 7 will survive any termination or expiration of this Agreement.
5.1 Warranties; Service Level Agreement. Each party represents and warrants to the other that this Agreement constitutes a valid and binding agreement enforceable against such party in accordance with its terms. Subject to the terms and conditions herein, OneLogin warrants 99.9% availability of the OneLogin Services. Availability is based directly on OneLogin’s published statistics, available at https://www.onelogin.com/why-onelogin/trust. Downtime does not include unavailability due to Force Majeure (as defined in Section 7.5 below) or due to planned OneLogin downtime with at least forty-eight (48) hours prior notice (email is sufficient) to Subscriber.
5.2 Initial Defects. OneLogin's liability regardless of fault due to initial defects (§ 536a (1) Alt. 1 BGB) is excluded, unless OneLogin acted intentionally.
5.3 Expiry of Warranty Claims. Any warranty claims against OneLogin shall expire after one (1) year, provided that OneLogin did not cause a defect intentionally or in case of breach of a guarantee.
5.4 Third Party Services. OneLogin provides connectors, which are configured by and at the Subscriber’s discretion, for the OneLogin Services that interact with third party applications, and OneLogin may or may not have a commercial or contractual relationship with the providers of those applications. OneLogin monitors the working condition of these connectors and will use commercially reasonable efforts to resolve any issues that may arise from such a provider changing the login procedure of its application. However, Subscriber acknowledges and agrees that OneLogin is not responsible for any changes to or functionality or defect of any third-party applications and that interoperability with the OneLogin Services can be broken temporarily or permanently at any time.
6.1 Disclaimer of Indirect Damages. ONELOGIN WILL BE LIABLE WITHOUT LIMITATION IN THE EVENT OF CLAIMS FOR DAMAGES ON THE BASIS OF GROSS NEGLIGENCE OR WILFUL INTENT, AS WELL AS IN CASES WHERE A GUARANTEE OF QUALITY HAS BEEN ASSUMED OR ANY DEFECTS HAVE BEEN CONCEALED WITH MALICIOUS INTENT. MOREOVER, ONELOGIN WILL BE LIABLE WITHOUT LIMITATION IN THE EVENT OF A CULPABLE INJURY TO LIFE, LIMB OR HEALTH. IN THE CASE OF SLIGHT NEGLIGENCE, ONELOGIN WILL BE LIABLE ONLY IF AN OBLIGATION IS VIOLATED AND THE FULFILMENT OF THIS OBLIGATION IS OF ESSENTIAL IMPORTANCE TO THE ATTAINMENT OF THE PURPOSE OF THE CONTRACT (“CARDINAL OBLIGATION”). ONELOGIN’S LIABILITY BASED ON THE GERMAN PRODUCT LIABILITY ACT REMAINS UNAFFECTED. ANY FURTHER LIABILITY OF ONELOGIN IS EXCLUDED. THE LIMITATION PERIOD FOR CLAIMS FOR DAMAGES AGAINST ONELOGIN EXPIRES AFTER ONE (1) YEAR; EXCEPT FOR SUCH CASES COVERED BY SENTENCES 1 OR 2.
7.1 Relationship. No agency, partnership, or joint venture is created as a result of this Agreement and neither party has any authority of any kind to bind the other party. OneLogin may use Subscriber’s company name and logo on OneLogin website and further OneLogin may work with Subscriber to develop a public case study, with final content subject to Subscriber’s review and final approval.
7.2 Assignability. Neither party may assign its right, duties, and obligations under this Agreement without the other party’s prior written consent, except that OneLogin may assign this Agreement to a successor to all or substantially all of OneLogin’s related assets or business.
7.3 Subcontractors. OneLogin may utilize a subcontractor or other third party to perform its duties under this Agreement so long as OneLogin remains responsible for all of its obligations under this Agreement.
7.4 Notices. Any notice required or permitted to be given in accordance with this Agreement will be effective if it is in writing and sent by certified or registered mail, or insured courier, return receipt requested, to the appropriate party at the address set forth in the Quote, with the appropriate postage prepaid. Either party may change its address for receipt of notice by notice to the other party in accordance with this Section 7.4. Notices are deemed given two (2) business days following the date of mailing or one (1) business day following delivery to a courier.
7.5 Force Majeure. Neither party will be liable for, or be considered to be in breach of or default under this Agreement (other than with respect to payment obligations) on account of, any delay or failure to perform as required by this Agreement as a result of any cause or condition beyond its reasonable control, including denial-of-service attacks, strikes, shortages, widespread security breaches (e.g., heartbleed bug), riots, fires, flood, storm, earthquakes, explosions, acts of God, war, terrorism, and governmental action (“Force Majeure”).
7.6 Governing Law. This Agreement will be interpreted, construed, and enforced in all respects in accordance with the local laws of Germany, without reference to its conflicts of law rules and not including the provisions of the 1980 U.N. Convention on Contracts for the International Sale of Goods. Both parties agree to submit to the exclusive personal jurisdiction of the courts located in Munich, Germany for the purpose of resolving any dispute relating to this Agreement or the relationship between the parties. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover its reasonable costs and attorneys’ fees.
7.7 Severability. If any part of this Agreement is found to be illegal, unenforceable, or invalid, the remaining portions of this Agreement will remain in full force and effect. If any material limitation or restriction on the use of the OneLogin Services under this Agreement is found to be illegal, unenforceable, or invalid, Subscriber’s right to use the OneLogin Services will immediately terminate.
7.8 Entire Agreement. This Agreement, including the Quote, is the complete and exclusive statement of the mutual understanding of the Parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement. To the extent of any conflict or inconsistency between the terms of this Agreement and the Quote, the terms of the Quote shall prevail. All waivers and modifications to this Agreement must be in a written agreement signed by an authorized agent of both parties. OneLogin will not be bound by, and specifically objects to, any term, condition, or other provision that is different from or in addition to this Agreement (whether or not it would materially alter this Agreement) that is proffered by Subscriber in any receipt, acceptance, confirmation, correspondence, or otherwise, unless OneLogin specifically agrees to such provision in writing and signed by an authorized agent of OneLogin.