BY ACCEPTING THIS SERVICE SUBSCRIPTION AGREEMENT (“AGREEMENT”) (WHICH INCLUDES ENTERING INTO A SEPARATE AGREEMENT WITH AN AUTHORIZED ONELOGIN RESELLER THAT REFERENCES OR INCLUDES THIS AGREEMENT), OR OTHERWISE USING THE ONELOGIN SERVICES (AS DEFINED BELOW), YOU AGREE TO THE TERMS AND CONDITIONS IN THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT AS AN INDIVIDUAL, THE TERM “SUBSCRIBER” REFERS TO YOU. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERM “SUBSCRIBER” SHALL REFER TO SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE ONELOGIN SERVICES.
1. USE OF THE ONELOGIN SERVICES
1.1 Rights Granted. Subject to the terms and conditions of this Agreement, OneLogin grants to Subscriber, during the Contract Term (as defined in Section 4.1 below), a limited, worldwide, non-exclusive, non-sublicensable, non-transferable (except as permitted in Section 7.2): (a) right to use the OneLogin Services (as defined herein), (b) license to copy, install, and use the software that is provided with the OneLogin Services to communicate between Subscriber’s servers and the OneLogin Services, and (c) license to reproduce, without modification, and internally use a reasonable number of copies of the OneLogin-provided user documentation relating to the OneLogin Services (e.g., user manuals, on-line help files) (“Documentation”) solely in connection with the use of the OneLogin Services; provided that (a) through (c) are all solely in connection with Subscriber’s internal business operations. Any copy or portion of the Documentation will continue to be subject to the terms and conditions of this Agreement. The OneLogin Services will be provided to Subscriber and its designated users that are paid for by Subscriber, which may include its employees, contractors, dealers/distributors and other third parties working for Subscriber.
With respect to Subscriber, the “OneLogin Services” only include the OneLogin plan and/or products that Subscriber is purchasing, has purchased, or will purchase directly from Reseller (as defined below).
1.2 Technical Support Services. For so long as Subscriber is current with its payment of the fees to Reseller in accordance with Section 3, OneLogin will use reasonable efforts to provide an administrator designated by Subscriber with technical support services relating to the OneLogin Services by phone, support portal, and email as stated in the Terms of Service for the designated Success Package.
1.3 Professional Services. If set forth in the Quote, Subscriber shall engage OneLogin to perform professional services fee in exchange for OneLogin providing reasonable assistance with initial onboarding and deployment efforts. Details of the professional services shall be defined in an applicable service description or separate Statement of Work (“SOW”). It is understood that OneLogin shall be performing similar services for other clients. In this regard, it is specifically agreed and understood that OneLogin (a) shall have the sole responsibility in assigning which personnel shall perform the services set forth in this SOW; and (b) may engage certified OneLogin services partners or other qualified contractors to perform some or all of the Services and OneLogin acknowledges it is legally responsible for the acts of these partners or contractors related to this SOW. OneLogin shall perform professional services in a professional and workmanlike manner, and with the appropriate care and skill.
1.4 Use Restrictions. Except as otherwise explicitly provided in this Agreement or as may be expressly required by applicable law, Subscriber will not, and will not permit or authorize third parties to: (a) rent, lease, disclose, transfer, or otherwise permit third parties (other than designated users as described in Section 1.1 above and for which Subscriber has paid all applicable fees) to use the OneLogin Services or Documentation; (b) use the OneLogin Services to provide services to third parties (e.g., as a service bureau); (c) breach, circumvent, tamper with or disable any security or other technological features or measures of the OneLogin Services; (d) attempt to probe, scan or test the vulnerability of any systems related to the OneLogin Services, including penetration or load tests, without OneLogin’s prior written approval for each test instance; or (e) reverse engineer, modify, adapt, hack or otherwise attempt to discover the underlying structure, technology or algorithms of the OneLogin Services. Subscriber is responsible for all activity that occurs under its OneLogin Services account(s) but only in case of Subscriber’s fault.
1.5 Compliance with Laws. Subscriber will use the OneLogin Services and Documentation in compliance with all applicable laws and regulations. OneLogin will comply with all applicable laws and regulations in its performance of this Agreement.
1.6 California Consumer Privacy Act.
1.6.2 The parties agree that, for purposes of the CCPA, Subscriber is a Business and OneLogin is a Service Provider. Subscriber represents and warrants that it will only provide or make Personal Information available to OneLogin in compliance with the CCPA.
1.6.3 Notwithstanding anything to the contrary in the Agreement, OneLogin shall not (1) retain or use Personal Information other than as needed to perform OneLogin Services or (2) Sell or otherwise disclose such Personal Information except to Service Providers needed to render OneLogin Services.
1.6.4 Notwithstanding anything else in this Agreement, Subscriber agrees that OneLogin, its affiliates, and each of their directors, officers, employees, agents, representatives, successors and assigns will not be liable under the Agreement for any claim arising from any action or omission by OneLogin that resulted from the Subscriber’s instructions or from Subscriber’s failure to comply with its obligations under the CCPA.
1.7 Data Protection. OneLogin shall act as a data processor (the “Data Processor”) in as far as any personal data are collected, processed or used by OneLogin in the course of providing the OneLogin Services, and Subscriber shall be the responsible data controller (the “Data Controller”) with regard to the personal data of Subscriber. The rights and obligations of the parties and any applicable safeguards for such collection, processing or use of personal data are specified in a separate Data Processing Addendum.
1.8 Protection against Unauthorized Use. Safeguarding the security of Subscriber Data (as defined in Section 2.1 below) that resides within the OneLogin Services is a shared responsibility between OneLogin (as the Data Processor) and the Subscriber (as the Data Controller) and, consequently: (a) OneLogin is responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store and/or process any Subscriber Data that can be traced back to OneLogin’s personnel or OneLogin’s security control failure, and (b) in case of Subscriber’s fault, Subscriber is responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store and/or process any Subscriber Data that can be traced back to Subscriber’s personnel or Subscriber’s security control failure. Furthermore, OneLogin is responsible for properly configuring and administering the OneLogin Services and taking appropriate measures to maintain the security, protection and backup of Subscriber Data, including using encryption technology to protect Subscriber Data, and to routinely archive Subscriber Data. Subscriber shall be responsible for Subscriber Data that is added, modified, and removed from its OneLogin Services account and for maintaining the security of its systems that interface with the OneLogin Services and any account access passwords relevant to the OneLogin Services, and will use reasonable efforts to prevent any unauthorized use of the OneLogin Services and Documentation and immediately notify OneLogin in writing of any unauthorized use that comes to Subscriber’s attention. If there is unauthorized use by anyone who obtained access to the OneLogin Services directly or indirectly through Subscriber, Subscriber will take all steps reasonably necessary to terminate the unauthorized use. 
Subscriber will cooperate and assist with any actions taken by OneLogin to prevent or terminate unauthorized use of the OneLogin Services or Documentation.
1.9 Incident Management. In the event that OneLogin or Subscriber becomes aware that the security of the OneLogin Services is adversely impacted, and this event subsequently leads to Subscriber Data in OneLogin’s control being subject to use or disclosure not authorized by this Agreement (a “Security Incident”), the knowledgeable party will promptly (but in any case not later than seventy-two (72) hours after becoming aware of such Security Incident): (a) assess the nature and scope of the Security Incident; (b) identify the Subscriber Data involved, if any; (c) take appropriate steps to contain, control and stop the Security Incident; and (d) collaborate with the other party in providing relevant information that can be used to address and mitigate the impact of the Security Incident, subject to any request by law enforcement or other government agency to withhold such notice pending the completion of an investigation, except if required otherwise by Articles 33 or 34 of Regulation (EU) 2016/679. The obligation to notify a personal data breach to the supervisory authority according to Article 33 of Regulation (EU) 2016/679 as well as the obligation to communicate a personal data breach to the data subject according to Article 34 of Regulation (EU) 2016/679 remain unaffected.
1.10 Reservation of Rights. OneLogin reserves to itself all rights in and to the OneLogin Services and Documentation not expressly granted to Subscriber under this Agreement.
2.1 Confidentiality. In connection with this Agreement, each party will have access to certain non-public information provided by and regarding the other party that is marked or otherwise should reasonably be understood to be treated as confidential (“Confidential Information”) including, for Subscriber, its user email addresses, user names and passwords (“Subscriber Data”). Except as otherwise permitted by this Agreement or as reasonably required for OneLogin to provide the OneLogin Services, each party shall keep confidential and not intentionally disclose to any third party (other than its directors, officers, employees, agents and representatives on a need-to-know basis) or use any Confidential Information of the other party; provided, however, that neither party shall be prohibited from disclosing or using Confidential Information that: (i) is publicly available or becomes publicly available through no act or omission of the receiving party, (ii) is or has been disclosed to such party by a third party who is not under an obligation of confidentiality with respect thereto, (iii) is or has been independently developed by such party, without use or reference to the other party’s Confidential Information, or (iv) must be used or disclosed under court order or applicable law, provided such use or disclosure is to the minimum extent required by such court order or applicable law. OneLogin will operate the OneLogin Services using reputable third party web service providers, co-location facilities and the like.
2.2 Feedback. If Subscriber provides any feedback to OneLogin concerning the functionality or performance of the OneLogin Services (including identifying potential errors and improvements), Subscriber hereby assigns to OneLogin all right, title, and interest in and to the feedback, and OneLogin is free to use and disclose the feedback without payment or restriction. However, in connection with its use of feedback, OneLogin will not disclose any information that identifies Subscriber or any of its users to any third party, and will not use Subscriber’s trademarks and logos without Subscriber’s prior written consent.
Subscriber acknowledges that Subscriber is purchasing, has purchased, or will purchase the OneLogin Services from one of OneLogin’s authorized resellers (“Reseller”). Accordingly, payment-related terms for the OneLogin Services, including subscription term, price per user, number of users and the like, are determined solely by and between Subscriber and Reseller. Subscriber will pay Reseller for use of the OneLogin Services as agreed with Reseller. As between OneLogin and Subscriber, Subscriber will be responsible for all taxes associated with the OneLogin Services, other than U.S. taxes based on OneLogin’s net income.
4. TERM AND TERMINATION
4.1 Term. Unless otherwise agreed between Subscriber and Reseller, this Agreement will commence upon the effective date of the agreement entered into between Subscriber and Reseller and continue for a period of one (1) year (the “Term”), and will automatically renew for additional, successive one-year periods (each, a “Renewal Term”) unless Subscriber provides Reseller with notice of non-renewal at least thirty (30) days prior to the end of the then-current period or unless terminated earlier in accordance with the terms of this Agreement. The Term together with any and all Renewal Terms is the “Contract Term.”
4.2 Termination. If Subscriber fails to timely pay any fees to Reseller or otherwise breaches any term or condition of this Agreement, OneLogin may, without limitation to any of its other rights or remedies, immediately suspend the OneLogin Services with notice to Subscriber until Subscriber cures the applicable breach. The right to extraordinary termination due to important reason remains unaffected. Further, this Agreement will automatically terminate upon termination of Subscriber’s agreement with Reseller for the use of OneLogin Services, unless otherwise agreed by Subscriber and OneLogin in writing.
4.3 Post-Termination Obligations. If this Agreement is terminated for any reason or otherwise expires (a) OneLogin will, within thirty (30) days, delete all information uploaded by Subscriber or its users to the OneLogin Services from its (and its subcontractors’) active and passive instances of the OneLogin Services, which shall include any archived information, backups and log files (it being understood that this information cannot be retrieved by Subscriber after such termination or expiration), (b) each party will remove all of the other party’s Confidential Information from its (and its subcontractors’) systems, (c) Subscriber will discontinue the use of all copies of the software provided with the OneLogin Services and all related Documentation and will destroy, and document in writing such destruction of, any embodiments of these materials stored in or on a reusable electronic or similar medium, including but not limited to memory, disk packs, tapes and other peripheral devices, and (d) upon request by OneLogin, Subscriber will provide OneLogin with a written certification signed by an authorized Subscriber representative certifying that all Subscriber’s use of the OneLogin Services and Documentation has been discontinued. The provisions of Sections 2, 3, 4.3, 6 and 7 will survive any termination or expiration of this Agreement.
5. WARRANTIES; DISCLAIMER; THIRD PARTY SERVICES
5.1 Warranties. Each party represents and warrants to the other that this Agreement constitutes a valid and binding agreement enforceable against such party in accordance with its terms.
5.2 Initial Defects. OneLogin’s liability regardless of fault due to initial defects (§ 536a (1) Alt. 1 BGB) is excluded, unless OneLogin acted intentionally.
5.3 Expiry of Warranty Claims. Any warranty claims against OneLogin shall expire after one (1) year, provided that OneLogin did not cause a defect intentionally or in case of breach of a guarantee.
5.4 Third Party Services. OneLogin provides connectors, which are configured by and at the Subscriber’s discretion, for the OneLogin Services that interact with third party applications, and OneLogin may or may not have a commercial or contractual relationship with the providers of those applications. OneLogin monitors the working condition of these connectors and will use commercially reasonable efforts to resolve any issues that may arise from such a provider changing the login procedure of its application. However, Subscriber acknowledges and agrees that OneLogin is not responsible for any changes to or functionality or defect of any third-party applications and that interoperability with the OneLogin Services can be broken temporarily or permanently at any time.
6. LIMITATIONS OF LIABILITY
6.1 Disclaimer of Indirect Damages. ONELOGIN WILL BE LIABLE WITHOUT LIMITATION IN THE EVENT OF CLAIMS FOR DAMAGES ON THE BASIS OF GROSS NEGLIGENCE OR WILFUL INTENT, AS WELL AS IN CASES WHERE A GUARANTEE OF QUALITY HAS BEEN ASSUMED OR ANY DEFECTS HAVE BEEN CONCEALED WITH MALICIOUS INTENT. MOREOVER, ONELOGIN WILL BE LIABLE WITHOUT LIMITATION IN THE EVENT OF A CULPABLE INJURY TO LIFE, LIMB OR HEALTH. IN THE CASE OF SLIGHT NEGLIGENCE, ONELOGIN WILL BE LIABLE ONLY IF AN OBLIGATION IS VIOLATED AND THE FULFILMENT OF THIS OBLIGATION IS OF ESSENTIAL IMPORTANCE TO THE ATTAINMENT OF THE PURPOSE OF THE CONTRACT (“CARDINAL OBLIGATION”). ONELOGIN’S LIABILITY BASED ON THE GERMAN PRODUCT LIABILITY ACT REMAINS UNAFFECTED. ANY FURTHER LIABILITY OF ONELOGIN IS EXCLUDED. THE LIMITATION PERIOD FOR CLAIMS FOR DAMAGES AGAINST ONELOGIN EXPIRES AFTER ONE (1) YEAR; EXCEPT FOR SUCH CASES COVERED BY SENTENCES 1 OR 2.
7.1 Relationship. No agency, partnership, or joint venture is created as a result of this Agreement and neither party has any authority of any kind to bind the other party. OneLogin may use Subscriber’s company name and logo as a reference for marketing or promotional purposes on its website and in other communication with existing or potential customers.
7.2 Assignability. Neither party may assign its rights, duties, and obligations under this Agreement without the other party’s prior written consent, except that OneLogin may assign this Agreement to a successor to all or substantially all of OneLogin’s related assets or business.
7.3 Subcontractors. OneLogin may utilize a subcontractor or other third party to perform its duties under this Agreement so long as OneLogin remains responsible for all of its obligations under this Agreement.
7.4 Notices. Any notice required or permitted to be given in accordance with this Agreement will be effective if it is in writing and sent by certified or registered mail, or insured courier, return receipt requested, to the appropriate party at: (a) in the case of OneLogin, the address for its U.S. headquarters listed on its website, and (b) in the case of Subscriber, at the address set forth in Subscriber’s agreement with Reseller, with the appropriate postage prepaid. Either party may change its address for receipt of notice by notice to the other party in accordance with this Section 7.4. Notices are deemed given two (2) business days following the date of mailing or one (1) business day following delivery to a courier.
7.5 Force Majeure. Neither party will be liable for, or be considered to be in breach of or default under this Agreement (other than with respect to payment obligations) on account of, any delay or failure to perform as required by this Agreement as a result of any cause or condition beyond its reasonable control, including denial-of-service attacks, strikes, shortages, widespread security breaches (e.g., Heartbleed bug), riots, fires, flood, storm, earthquakes, explosions, acts of God, war, terrorism, and governmental action (“Force Majeure”).
7.6 Governing Law. This Agreement will be interpreted, construed, and enforced in all respects in accordance with the local laws of Germany, without reference to its conflicts of law rules and not including the provisions of the 1980 U.N. Convention on Contracts for the International Sale of Goods. Both parties agree to submit to the exclusive personal jurisdiction of the courts located in Munich, Germany for the purpose of resolving any dispute relating to this Agreement or the relationship between the parties. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover its reasonable costs and attorneys’ fees.
7.7 Severability. If any part of this Agreement is found to be illegal, unenforceable, or invalid, the remaining portions of this Agreement will remain in full force and effect. If any material limitation or restriction on the use of the OneLogin Services under this Agreement is found to be illegal, unenforceable, or invalid, Subscriber’s right to use the OneLogin Services will immediately terminate.
7.8 Entire Agreement. This Agreement is the complete and exclusive statement of the mutual understanding of the Parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement. All waivers and modifications to this Agreement must be in a written agreement signed by an authorized agent of both parties. OneLogin will not be bound by, and specifically objects to, any term, condition, or other provision that is different from or in addition to this Agreement (whether or not it would materially alter this Agreement) that is proffered by Subscriber in any receipt, acceptance, confirmation, correspondence, or otherwise, unless OneLogin specifically agrees to such provision in writing and signed by an authorized agent of OneLogin.