1. USE OF THE ONELOGIN SERVICES
1.1 Rights Granted. Subject to the terms and conditions of this Service Subscription Agreement (“Agreement”) and the separately provided, confidential quote (“Quote”), OneLogin grants to Subscriber, during the Term (as defined in Section 4.1 below), a limited, worldwide, non-exclusive, non-sublicensable, non-transferable (except as permitted in Section 8.2): (a) right to use the OneLogin Services (as defined herein), (b) license to copy, install, and use the software that is provided with the OneLogin Services to communicate between Subscriber’s servers and the OneLogin Services, and (c) license to reproduce, without modification, and internally use a reasonable number of copies of the OneLogin-provided user documentation relating to the OneLogin Services (e.g., user manuals, on-line help files) (“Documentation”) solely in connection with the use of the OneLogin Services; provided that (a) through (c) are all solely in connection with Subscriber’s internal business operations. Any copy or portion of the Documentation will continue to be subject to the terms and conditions of this Agreement. The OneLogin Services will be provided to Subscriber and its designated users that are paid for by Subscriber, which may include its employees, contractors, dealers/distributors and other third parties working for Subscriber. OneLogin reserves the right to modify or discontinue the OneLogin Services, any plan or any feature or functionality thereof at any time, but for discontinuation OneLogin will provide thirty (30) days prior notice to Subscriber.
With respect to Subscriber, the “OneLogin Services” includes the plan and/or products identified in the Quote.
1.2 Technical Support Services. For so long as Subscriber is current with its payment of the fees specified in the Quote, OneLogin will use reasonable efforts to provide an administrator designated by Subscriber with technical support services relating to the OneLogin Services by phone, support portal, and email as stated in the Terms of Service for the designated Success Package.
1.3 Professional Services. If set forth in the Quote, Subscriber shall engage OneLogin to perform professional services fee in exchange for OneLogin providing reasonable assistance with initial onboarding and deployment efforts. Details of the professional services shall be defined in an applicable service description or separate Statement of Work (“SOW”). It is understood that OneLogin shall be performing similar services for other clients. In this regard, it is specifically agreed and understood that OneLogin (a) shall have the sole responsibility in assigning which personnel shall perform the services set forth in this SOW; and (b) may engage certified OneLogin services partners or other qualified contractors to perform some or all of the Services and OneLogin acknowledges it is legally responsible for the acts of these partners or contractors related to this SOW. OneLogin shall perform professional services in a professional and workmanlike manner, and with the appropriate care and skill.
1.4 Use Restrictions. Except as otherwise explicitly provided in this Agreement or as may be expressly required by applicable law, Subscriber will not, and will not permit or authorize third parties to: (a) rent, lease, disclose, transfer, or otherwise permit third parties (other than designated users as described in Section 1.1 above) to use the OneLogin Services or Documentation; (b) use the OneLogin Services to provide services to third parties (e.g., as a service bureau); (c) breach, circumvent, tamper with or disable any security or other technological features or measures of the OneLogin Services; (d) attempt to probe, scan or test the vulnerability of any systems related to the OneLogin Services, including penetration or load tests, without OneLogin’s prior written approval for each test instance; or (e) reverse engineer, modify, adapt, hack or otherwise attempt to discover the underlying structure, technology or algorithms of the OneLogin Services. Subscriber is responsible for all activity that occurs under its OneLogin Services account(s).
1.5 Compliance with Laws. Subscriber will use the OneLogin Services and Documentation in compliance with all applicable laws and regulations. Without limiting the foregoing, Subscriber may not export from the United States the OneLogin Services or any direct product thereof in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority. OneLogin will comply with all applicable laws and regulations in its performance of this Agreement.
1.6 California Consumer Privacy Act.
1.6.2 The parties agree that, for purposes of the CCPA, Subscriber is a Business and OneLogin is a Service Provider. Subscriber represents and warrants that it will only provide or make Personal Information available to OneLogin in compliance with the CCPA.
1.6.3 Notwithstanding anything to the contrary in the Agreement, OneLogin shall not (1) retain or use Personal Information other than as needed to perform OneLogin Services or (2) Sell or otherwise disclose such Personal Information except to Service Providers needed to render OneLogin Services.
1.6.4 Notwithstanding anything else in this Agreement, Subscriber agrees that OneLogin, its affiliates, and each of their directors, officers, employees, agents, representatives, successors and assigns will not be liable under the Agreement for any claim arising from any action or omission by OneLogin that resulted from the Subscriber’s instructions or from Subscriber’s failure to comply with its obligations under the CCPA.
1.7 Protection against Unauthorized Use. Safeguarding the security of Subscriber Data (as defined in Section 2.1 below) that resides within the OneLogin Services is a shared responsibility between OneLogin (the “Data Processor”) and the Subscriber (the “Data Controller”) and, consequently: (a) OneLogin is responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store and/or process any Subscriber Data that can be traced back to OneLogin’s personnel or OneLogin’s security control failure, and (b) Subscriber is responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store and/or process any Subscriber Data that can be traced back to Subscriber’s personnel or Subscriber’s security control failure. Furthermore, OneLogin is responsible for properly configuring and administering the OneLogin Services and taking appropriate measures to maintain the security, protection and backup of Subscriber Data, including using encryption technology to protect Subscriber Data, and to routinely archive Subscriber Data. Subscriber shall be responsible for Subscriber Data that is added, modified, and removed from its OneLogin Services account and for maintaining the security of its systems that interface with the OneLogin Services and any account access passwords relevant to the OneLogin Services, and will use reasonable efforts to prevent any unauthorized use of the OneLogin Services and Documentation and immediately notify OneLogin in writing of any unauthorized use that comes to Subscriber’s attention. If there is unauthorized use by anyone who obtained access to the OneLogin Services directly or indirectly through Subscriber, Subscriber will take all steps reasonably necessary to terminate the unauthorized use. Subscriber will cooperate and assist with any actions taken by OneLogin to prevent or terminate unauthorized use of the OneLogin Services or Documentation.
1.8 Incident Management. In the event that OneLogin or Subscriber becomes aware that the security of the OneLogin Services is adversely impacted, and this event subsequently leads to Subscriber Data in OneLogin’s control being subject to use or disclosure not authorized by this Agreement (a “Security Incident”), the knowledgeable party will promptly (but in any case not later than seventy-two (72) hours after becoming aware of such Security Incident): (a) assess the nature and scope of the Security Incident; (b) identify the Subscriber Data involved, if any; (c) take appropriate steps to contain, control and stop the Security Incident; and (d) collaborate with the other party in providing relevant information that can be used to address and mitigate the impact of the Security Incident, subject to any request by law enforcement or other government agency to withhold such notice pending the completion of an investigation.
1.9 Reservation of Rights. OneLogin reserves to itself all rights in and to the OneLogin Services and Documentation not expressly granted to Subscriber under this Agreement.
2.1 Confidentiality. In connection with this Agreement, each party will have access to certain non-public information provided by and regarding the other party that is marked or otherwise should reasonably be understood to be treated as confidential (“Confidential Information”) including, for Subscriber, its user email addresses, user names and passwords (“Subscriber Data”). Except as otherwise permitted by this Agreement or as reasonably required for OneLogin to provide the OneLogin Services, each party shall keep confidential and not intentionally disclose to any third party (other than its directors, officers, employees, agents and representatives on a need-to-know basis) or use any Confidential Information of the other party; provided, however, that neither party shall be prohibited from disclosing or using Confidential Information that: (i) is publicly available or becomes publicly available through no act or omission of the receiving party, (ii) is or has been disclosed to such party by a third party who is not under an obligation of confidentiality with respect thereto, (iii) is or has been independently developed by such party, without use or reference to the other party’s Confidential Information, or (iv) must be used or disclosed under court order or applicable law, provided such use or disclosure is to the minimum extent required by such court order or applicable law. If legally permissible, the receiving party shall promptly notify the disclosing party of any pending disclosure of the disclosing party’s Confidential Information that may be so required and consult with the disclosing party prior to such disclosure as to the advisability of seeking a protective order or other means of preserving the confidentiality of the Confidential Information. OneLogin will operate the OneLogin Services using reputable third party web service providers, co-location facilities and the like.
2.2 Feedback. If Subscriber provides any feedback to OneLogin concerning the functionality or performance of the OneLogin Services (including identifying potential errors and improvements), Subscriber hereby assigns to OneLogin all right, title, and interest in and to the feedback, and OneLogin is free to use and disclose the feedback without payment or restriction. However, in connection with its use of feedback, OneLogin will not disclose any information that identifies Subscriber or any of its users to any third party, and will not use Subscriber’s trademarks and logos without Subscriber’s prior written consent.
3. FEES AND PAYMENT
3.1 Fees and Payment Terms. Subscriber will pay OneLogin the fees specified in the Quote. Full payment for the OneLogin Services for the first year of the Term is due within thirty (30) days of the Subscription Start Date (as defined in the Quote), unless otherwise set forth in the Quote. Fees for any additional years under the Term and fees for all Renewal Terms are payable annually in advance and due on the applicable anniversary of the Subscription Start Date. All amounts payable are denominated in United States dollars, and Subscriber will pay all such amounts in United States dollars. Any payment not received from the Subscriber by the due date shall accrue interest at a rate equal to the lower of 1.5% per month or the maximum rate permitted by law on the outstanding balance. Subscriber will be responsible for all taxes associated with the OneLogin Services, other than U.S. taxes based on OneLogin’s net income. All fees are non-refundable.
3.2 Additional Users. The number of Users included in the baseline Fees shown in the Quote determines the initial invoice amount. If Subscriber wants to add additional users beyond the total included in the baseline Fees (“Additional Users”), Subscriber may purchase additional subscriptions in blocks of users and for the price specified in the Quote. Additionally, OneLogin will periodically assess whether Additional Users exist, and, if found, OneLogin will invoice Subscriber for the number of Additional Users. Fees for Additional Users will be prorated based on the time remaining until the expiration of the Term or the then-current Renewal Term, as applicable, so that all users renew on the same date.
3.3 Innovation Increase. OneLogin reserves the right to increase the fees for the OneLogin Services by up to ten percent (10%) per year during the Term, effective on each anniversary of the Subscription Start Date, to reflect OneLogin’s continued innovation investment in the OneLogin Services. Any such increase will be invoiced in advance of the year during which such increase would take effect and will be based on the number of Subscriber’s users at that time.
3.4 Fees for Professional Services. If set forth in the Quote, Subscriber will pay OneLogin a professional services fee in exchange for OneLogin providing reasonable assistance with initial onboarding and deployment efforts as defined in more detail in a separate Statement of Work entered into by and between OneLogin and Subscriber.
3.5 Sandbox Accounts. If set forth in the Quote, OneLogin may provide Subscriber the use of “sandbox” user accounts for the OneLogin Services, each of which will be charged at an additional rate of fifteen percent (15%) of the baseline Fee specified in the Quote (as applicable).
4. TERM AND TERMINATION
4.1 Term. Unless this Agreement is terminated earlier in accordance with this Section 4, the initial term of this Agreement will be the period between the Subscription Start Date and the Subscription End Date as set forth in the Quote (the “Term”), and will automatically renew for successive, one-year periods (each, a “Renewal Term”) unless either party provides the other party with written notice of non-renewal at least thirty (30) days prior to the end of the then-current period.
4.2 Termination. If Subscriber fails to timely pay any fees or otherwise breaches any term or condition of this Agreement, OneLogin may, without limitation to any of its other rights or remedies, immediately suspend the OneLogin Services with notice to Subscriber until Subscriber cures the applicable breach. OneLogin may terminate this Agreement effective after fifteen (15) days’ notice if Subscriber breaches any term of this Agreement and such breach is not cured within the notice period.
4.3 Post-Termination Obligations. If this Agreement is terminated for any reason or otherwise expires (a) OneLogin will, within thirty (30) days, delete all information uploaded by Subscriber or its users to the OneLogin Services from its (and its subcontractors’) active and passive instances of the OneLogin Services, which shall include any archived information, backups and log files (it being understood that this information cannot be retrieved by Subscriber after such termination or expiration), (b) each party will remove all of the other party’s Confidential Information from its (and its subcontractors’) systems, (c) Subscriber will discontinue the use of all copies of the software provided with the OneLogin Services and all related Documentation and will destroy, and document in writing such destruction of, any embodiments of these materials stored in or on a reusable electronic or similar medium, including but not limited to memory, disk packs, tapes and other peripheral devices, and (d) upon request by OneLogin, Subscriber will provide OneLogin with a written certification signed by an authorized Subscriber representative certifying that all Subscriber’s use of the OneLogin Services and Documentation has been discontinued. The provisions of Sections 2, 3 (with respect to payment obligations accrued during the Term), 4.3, 5.2, 7 and 8 will survive any termination or expiration of this Agreement.
5. WARRANTIES; DISCLAIMER; THIRD PARTY SERVICES; GOVERNMENT TERMS
5.1 Warranties; Service Level Agreement. Each party represents and warrants to the other that this Agreement constitutes a valid and binding agreement enforceable against such party in accordance with its terms. Subject to the terms and conditions herein, OneLogin guarantees 99.9% availability of the OneLogin Services. Availability is based directly on OneLogin’s published statistics, available at [https://www.onelogin.com/why-onelogin/trust](/why-onelogin/trust). Downtime does not include unavailability due to Force Majeure (as defined in Section 8.5 below) or due to planned OneLogin downtime with at least 48 hours prior notice to Subscriber. If OneLogin fails to meet the 99.9% availability stated herein, as Subscriber’s sole and exclusive remedy, Subscriber will receive the following credit: for every 15 minutes of downtime, Subscriber will receive a credit equal to 5% of Subscriber’s annual fee for the affected OneLogin Services, divided by 12. However, Subscriber’s maximum, total credit in any calendar month shall not exceed 100% of the fees for the affected OneLogin Services paid by Subscriber and attributable to that month. To receive a credit, Subscriber will need to request the credit in writing via email and provide documented proof of the downtime in the form of traceroute reports within thirty (30) days of the downtime.
5.2 Disclaimer. EXCEPT FOR THE EXPRESS REPRESENTATIONS AND WARRANTIES STATED IN THIS AGREEMENT, THE ONELOGIN SERVICES, SOFTWARE AND DOCUMENTATION ARE PROVIDED AS-IS AND ONELOGIN MAKES NO ADDITIONAL REPRESENTATION OR WARRANTY OF ANY KIND WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, AS TO ANY MATTER WHATSOEVER. ONELOGIN EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, NON-INFRINGEMENT, ACCURACY AND TITLE. ONELOGIN DOES NOT WARRANT THAT THE ONELOGIN SERVICES OR SOFTWARE ARE ERROR-FREE OR THAT OPERATION OF THE ONELOGIN SERVICES OR SOFTWARE WILL BE UNINTERRUPTED.
5.3 Third Party Services. OneLogin provides connectors, which are configured by and at the Subscriber’s discretion, for the OneLogin Services that interact with third party applications, and OneLogin may or may not have a commercial or contractual relationship with the providers of those applications. OneLogin monitors the working condition of these connectors and will use commercially reasonable efforts to resolve any issues that may arise from such a provider changing the login procedure of its application. However, Subscriber acknowledges and agrees that OneLogin is not responsible for any changes to or functionality or defect of any third-party applications and that interoperability with the OneLogin Services can be broken temporarily or permanently at any time.
5.3 Government Terms. OneLogin provides the OneLogin Services for ultimate federal government end use solely in accordance with the terms of this Agreement. If Subscriber (or any of its customers) is an agency, department, or other entity of any government, the use, duplication, reproduction, release, modification, disclosure, or transfer of the OneLogin Services, or any related documentation of any kind, including technical data, software, and manuals, is restricted by the terms of this Agreement. All other use is prohibited and no rights other than those provided in this Agreement are conferred. The OneLogin Services were developed fully at private expense.
6. INTELLECTUAL PROPERTY INDEMNIFICATION
6.1 Indemnification. OneLogin will, at its expense, either defend Subscriber from or settle any claim, proceeding, or suit brought by a third party against Subscriber (“Claim”) alleging that Subscriber’s use of the OneLogin Services infringes or misappropriates any third party patent, copyright, trade secret, trademark, or other intellectual property right during the Term, and will indemnify and hold harmless Subscriber from all damages and costs finally awarded against Subscriber in any Claim and all out-of-pocket costs (including reasonable attorneys’ fees) reasonably incurred by Subscriber in connection with the defense of a Claim (other than attorneys’ fees and costs incurred without OneLogin’s consent); provided that: (a) Subscriber gives OneLogin prompt written notice of the Claim; (b) Subscriber grants OneLogin full and complete control over the defense and settlement of the Claim; and (c) Subscriber provides assistance in connection with the defense and settlement of the Claim as OneLogin may reasonably request. Subject to the foregoing, Subscriber will have the right to participate in the defense of the Claim at its own expense and with counsel of its own choosing.
6.2 Exclusions from Obligations. OneLogin will have no obligation under this Section 6 for any infringement or misappropriation to the extent that it arises out of or is based upon (a) use of the OneLogin Services in combination with other products or services; (b) use of the OneLogin Services by Subscriber for purposes outside the scope of the rights and licenses granted to Subscriber; (c) Subscriber’s failure to use the OneLogin Services in accordance with this Agreement and the Documentation; (d) any modification of the OneLogin Services by Subscriber not made or authorized in writing by OneLogin; or (e) any activity after OneLogin has provided Subscriber with a work around or modification that would have avoided such Claim. This Section 6 sets forth OneLogin’s entire obligation and Subscriber’s exclusive remedy with respect to any infringement, misappropriation or other violation of third party rights.
7. LIMITATIONS OF LIABILITY
7.1 EXCEPT FOR LIABILITY ARISING FROM BREACH OF CONFIDENTIALITY OR A PARTY’S INTELLECTUAL PROPERTY RIGHTS, NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR INDIRECT, CONSEQUENTIAL, PUNITIVE, INCIDENTAL, SPECIAL, OR EXEMPLARY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO LOST PROFITS OR LOSS OF BUSINESS, EVEN IF SUCH PARTY IS APPRISED OF THE LIKELIHOOD OF SUCH DAMAGES OCCURRING.
7.2 EXCEPT FOR LIABILITY ARISING FROM BREACH OF CONFIDENTIALITY OR A PARTY’S INTELLECTUAL PROPERTY RIGHTS, UNDER NO CIRCUMSTANCES WILL EITHER PARTY’S TOTAL LIABILITY OF ALL KINDS ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE TOTAL AMOUNTS PAID BY SUBSCRIBER TO ONELOGIN DURING THE 12 MONTHS IMMEDIATELY PRECEDING THE FIRST EVENT GIVING RISE TO SUCH LIABILITY.
7.3 THE LIMITATIONS HEREUNDER APPLY WITH RESPECT TO ALL LEGAL THEORIES, WHETHER IN CONTRACT, TORT, OR OTHERWISE. THE PROVISIONS OF THIS SECTION 7 REASONABLY ALLOCATE THE RISKS UNDER THIS AGREEMENT BETWEEN THE PARTIES, AND THE PARTIES HAVE RELIED ON THESE LIMITATIONS IN DETERMINING WHETHER TO ENTER INTO THIS AGREEMENT.
8.1 Relationship. No agency, partnership, or joint venture is created as a result of this Agreement and neither party has any authority of any kind to bind the other party. OneLogin may use Subscriber’s company name and logo on OneLogin website and further OneLogin may work with Subscriber to develop a public case study, with final content subject to Subscriber’s review and final approval. Subscriber shall provide an approved quote about its selection and/or use of OneLogin, for publication in a blog, press release or other online post.
8.2 Assignability. Neither party may assign its right, duties, and obligations under this Agreement without the other party’s prior written consent, except that OneLogin may assign this Agreement to a successor to all or substantially all of OneLogin’s related assets or business.
8.3 Subcontractors. OneLogin may utilize a subcontractor or other third party to perform its duties under this Agreement so long as OneLogin remains responsible for all of its obligations under this Agreement.
8.4 Notices. Any notice required or permitted to be given in accordance with this Agreement will be effective if it is in writing and sent by certified or registered mail, or insured courier, return receipt requested, to the appropriate party at the address set forth in the Quote, with the appropriate postage prepaid. Either party may change its address for receipt of notice by notice to the other party in accordance with this Section 8.4. Notices are deemed given two (2) business days following the date of mailing or one (1) business day following delivery to a courier.
8.5 Force Majeure. Neither party will be liable for, or be considered to be in breach of or default under this Agreement (other than with respect to payment obligations) on account of, any delay or failure to perform as required by this Agreement as a result of any cause or condition beyond its reasonable control, including denial-of-service attacks, strikes, shortages, widespread security breaches (e.g., heartbleed bug), riots, fires, flood, storm, earthquakes, explosions, acts of God, war, terrorism, and governmental action (“Force Majeure”) so long as that party uses all commercially reasonable efforts to avoid or remove the causes of non-performance.
8.6 Governing Law. This Agreement will be interpreted, construed, and enforced in all respects in accordance with the local laws of the State of California, U.S.A., without reference to its conflicts of law rules and not including the provisions of the 1980 U.N. Convention on Contracts for the International Sale of Goods. Both parties agree to submit to the exclusive personal jurisdiction of the federal and state courts located in San Francisco, California for the purpose of resolving any dispute relating to this Agreement or the relationship between the parties. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover its reasonable costs and attorneys’ fees.
8.7 Severability. If any part of this Agreement is found to be illegal, unenforceable, or invalid, the remaining portions of this Agreement will remain in full force and effect. If any material limitation or restriction on the use of the OneLogin Services under this Agreement is found to be illegal, unenforceable, or invalid, Subscriber’s right to use the OneLogin Services will immediately terminate.
8.8 Entire Agreement. This Agreement, including the Quote, is the complete and exclusive statement of the mutual understanding of the Parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement. To the extent of any conflict or inconsistency between the terms of this Agreement and the Quote, the terms of the Quote shall prevail. All waivers and modifications to this Agreement must be in a written agreement signed by an authorized agent of both parties. OneLogin will not be bound by, and specifically objects to, any term, condition, or other provision that is different from or in addition to this Agreement (whether or not it would materially alter this Agreement) that is proffered by Subscriber in any receipt, acceptance, confirmation, correspondence, or otherwise, unless OneLogin specifically agrees to such provision in writing and signed by an authorized agent of OneLogin.