SecureAuth Cloud Subscription Agreement
Updated: September 3, 2025
This SecureAuth Subscription Agreement (Agreement) is made between SecureAuth Corporation (Company) and the customer executing this Agreement (Customer). This Agreement is effective as of the last date signed.
- DEFINITIONS
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests or equivalent rights of the subject entity.
“Application” means an application program with the functionality described in the Documentation, including modifications, revisions, upgrades, updates and enhancements, if any. Updates and upgrades do not include products, features and modules that are separately marketed for an additional fee.
“Client Software” means a software component installed at your premises which may be required for use of the Subscription Service. Not all Subscription Services require the use of Client Software. Client Software may be provided through us as a separately identified item on an Order.
“Commercial Use” means use of a Subscription Service other than in a non-production, internal-use only, development or test environment.
“Confidential Information” means any material, data, or information, in any form or media, that is proprietary or confidential to a disclosing party and is marked as confidential, or by its nature or treatment by its owner should reasonably be considered confidential.
“Customer Data” means Confidential Information, data (whether in an audio, video, image or text format) and personal information (data, either alone or in combination with other information, by which a natural person can be identified or located, or that can be used to identify or locate a natural person) that you, including your customers and end users, transmit to or from the Subscription Service or process through the Subscription Service. Customer Data does not include information or data regarding usage or performance of the Subscription Service that are not linked to or associated with personal information.
“Documentation” means our or our licensors’ user manuals and other published protocols, standards and technical specifications for use with the Subscription Service, as updated from time to time. With respect to SecureAuth CIAM (formerly Cloudentity) products, Documentation can be found at https://cloudentity.com/developers/.
“Data Processing Addendum” means the Data Processing Addendum set forth on Attachment A hereto, to be executed by the parties and which is incorporated into this Agreement by reference and shall constitute a part hereof.
“Intellectual Property Rights” means current and future worldwide rights under patent, copyright, trade secret, trademark, tradename, moral rights, mask works and other similar rights, whether or not specifically recognized or perfected under the laws of the jurisdiction in which the Subscription Service is used or offered.
“Order” means an ordering document (e.g., quote, schedule, order form, SOW) specifying the Subscription Service(s) to be provided and that is entered into between you and us or any of our Affiliates and which incorporates this Agreement by reference.
“Statement of Work” or “SOW” means a written description entered into under and referencing this Agreement, executed by both parties, detailing professional services or training services to be provided pursuant to Section 9.
“System Availability” means the average percentage of total time during which the production version of the Subscription Service that is hosted and delivered by the Company is available to Customer during a calendar month, excluding (i) any maintenance windows; (ii) delays due to conditions beyond the reasonable control of the Company; (iii) delays caused by systems outside of the Subscription Service, including, but not limited to, Customer’s network, equipment and systems; and (iv) inaccessibility due to Customer’s requests or where Customer approved the same in advance.
“Subscription” means a non-exclusive, non-transferable, non-sublicensable right to access and use the Subscription Service for your internal business operations in the Territory, and when applicable, for the number of Users or assets specified in an Order.
“Subscription Service” means access and use of an Application or other functionality, if any, made available as a subscription-based cloud hosted service, as further specified in an Order. Subscription Services also include access to and use of all Documentation.
“Subscription Term” means the period specified in an Order for the Subscription Services procured thereunder, or any renewal thereof.
“Territory” means worldwide unless otherwise agreed in the Order (subject always to applicable export restrictions) and except for any countries sanctioned, embargoed or prohibited to do business with under U.S. or other applicable laws.
“Users” means (a) a specifically identified individual, machine or service authorized to use the Subscription Service; (b) individuals with a unique user identification who are enabled (e.g., have access to an Application, Subscription Service portal or the Subscription Service) or can be managed by the Subscription Service, including but not limited to those individuals that are designated by you as active or inactive within the Subscription Service’s profile data store, and authorized by you to use the Subscription Service and may include, for example, you and your Affiliates’ employees, consultants, clients, external users, contractors, agents, and third parties with which you do business; or (c) a user as otherwise defined on the Order.
“We”, “us”, or “our” means SecureAuth Corporation, with a place of business at 8845 Irvine Center Dr., Irvine, CA 92618, and/or any of its Affiliates who enter into an Order or provide the license for the Subscription Services under this Agreement.
“You” or “your” means the company or other legal entity entering into this Agreement as the Customer, or any Affiliates of that company or entity that separately executes an Order under this Agreement.
- SUBSCRIPTION SERVICE
- Subscription. We or our Affiliates will provide the Subscription Service(s) to you as specified in an Order, for the specified Subscription Term. New features or functionality added to an Application after the beginning of the Subscription Term are not included in the Subscription Services.
- Renewal. The Subscription Services will renew automatically for subsequent Subscription Terms of the same duration as the original Subscription Term (a “Renewal Term”), unless either party provides written notice of termination at least 90 days prior to the end of the current Subscription Term.
- Effective Service Date. Unless otherwise specified in the Order, the effective service date is the date we provide you with administration credentials to access the Subscription Service (the “Effective Service Date”). The Effective Service Date is the date the Subscription Term begins, which is not dependent on a customer launch date, go-live date or the date a Subscription Service is ready for use in a production environment. The Effective Service Date will apply to all the Subscription Services on the Order.
- Evaluations. If you are provided access to an Evaluation Service, you may access and use the Evaluation Service for the number of Users or assets and length of time specified by us, strictly for internal evaluation purposes and not any commercial or production use. Upon the expiration or termination of the evaluation period, you will no longer have access to the Evaluation Service. Notwithstanding anything otherwise set forth in the Agreement, the Evaluation Service is provided “AS IS”, does not renew, and we do not provide any warranties or Support in connection with an Evaluation Service.
- Support. We or our designated representative will provide support (“Support”) for the Subscription Service during the initial Subscription Term and any Renewal Terms. Support will be provided in accordance with our maintenance and support policy, as updated from time to time, provided no such update will materially diminish or alter the Support to which a Customer is entitled hereunder. Our current Support policies are available at secureauth.com/legal/support-terms.pdf.
- Business Continuity and Disaster Recovery. During the term of this Agreement, we will maintain and comply with our then-current Business Continuity and Disaster Recovery Plans. We will test such plans at least annually. Upon written request, we will provide (i) a copy of the table of contents to such plan, and (ii) a summary of its annual testing results.
- Modifications. We reserve the right to modify the Subscription Service, provided the modification does not materially negatively affect the Subscription Service (e.g., to maintain or improve functionality or security).
- Beta Versions. We may offer beta, preview or other pre-release Subscription Services or Client Software (“Beta Versions”). Beta Versions may not have been tested or debugged and are experimental, and any documentation may be in draft form. We may change or discontinue Beta Versions at any time without notice.
- Developer Tier. Company may, in its sole discretion, offer a “Developer Tier” service at a significantly reduced (potentially zero) cost. The Developer Tier service is delivered via Company’s software-as-a-service infrastructure and is subject to the following limitations:
- Limited Support Coverage. Developer Tier product support is available between the hours of 8 am and 8 pm US Eastern Time.
- Limitation of Functionality and Performance. Company reserves the right to limit the functionality and performance of Beta Versions using rate limits, throttling and any other methods at its disposal in order to mitigate overuse or abuse of the developer tier service.
- Limitation of Service Level Agreement. The Developer Tier service level target is 99% uptime for critical functions, provided the Developer Tier service level is not guaranteed and will not result in subscription credits if they are not attained.
- Right to Adjust Duration and Cost of Use. Company reserves the right to alter the cost and duration of availability for the Developer Tier at any time given 15 days’ notice to Customer.
- CUSTOMER RESPONSIBILITIES AND USE
- Customer Use. You are responsible for all activity occurring under your and your User accounts and logins, the way you and your Users use the Subscription Service, the results obtained and conclusions drawn from your use of the Subscription Service, and the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data. Furthermore, You will:
- select, purchase, configure, operate and maintain your equipment, hardware, websites, network and Internet, data and telephone connections necessary for use and support of the Subscription Service;
- install and use upgrades to Client Software if required;
- use Client Software (i) provided through us only in combination with the Subscription Services and solely for purposes of using the Subscription Services, and (ii) in accordance with the Documentation;
- obtain all necessary consents and authorizations (i) to use the Subscription Services to access the computers and network systems and the data contained therein, and (ii) from your Users for the transmission of Customer Data to third parties in connection with the Subscription Services;
- use best practices and commercially reasonable efforts to prevent unauthorized access to, or use of, the Subscription Service, including promptly notifying us when you become aware of any unauthorized access or use; and
- use Subscription Services only in accordance with the Agreement, Documentation, and applicable laws and government regulations.
- Restrictions. The Subscription Service may only be used to administer your internal business operations. You may not and may not permit others to:
- provide, disclose or make available to, or permit use or access to the Subscription Service by persons other than your employees, consultants, agents, representatives or authorized contractors;
- sell, resell, license, sublicense, transfer, distribute, lend, rent or lease the Subscription Service to any third party or use the Subscription Service on behalf of any third-party (unless otherwise agreed in writing by us);
- use any method other than the one approved by us for connection to the Subscription Services;
- exceed the number of Users or assets for a particular Subscription Service as set forth in an Order;
- use the Subscription Service (i) to maliciously or negligently cause damage to any third-party’s computer, network systems or data, (ii) to infringe on the Intellectual Property Rights of any third party or any rights of publicity or privacy, (iii) send or store infringing or unlawful material, (iv) to propagate, send or store any virus, worms, Trojan horses, harmful or malicious code, or other programming routine intended to damage any computer, network system or data, or (v) in any application that may involve risks of death, personal injury, severe property damage or environmental damage, or in any life support applications, devices or systems;
- interfere with or disrupt the integrity or performance of a Subscription Service or our networks, any other of our customer’s use of a Subscription Service, or third party data contained therein;
- infringe or misappropriate our or our licensors’ Intellectual Property Rights;
- modify or create derivative works or copy of a Subscription Service or any part, feature, function or user interface thereof, access a Subscription Service to build a competitive product or service, or reverse engineer, disassemble or decompile a Subscription Service or component, or attempt to discover or disclose the source code, underlying ideas or algorithms of the Subscription Service or any component;
- remove, alter or obscure a Subscription Service’s confidentiality or proprietary rights notices (including copyright and trademark notices);
- attempt to gain or allow unauthorized access to a Subscription Service or its related systems or networks, or permit direct or indirect access to or use of a Subscription Service in a way that circumvents the limitations on your use of the Subscription Service; or
- disclose the results of any performance, functionality or other evaluation or benchmarking of the Subscription Service to a third party without our express prior written consent.
- Software. Except as it relates to Client Software, this Agreement is limited to Subscription Services identified in an Order and does not convey any license or right to use our proprietary software applications in object/binary code (the Software) on any appliances or hardware, including virtual machines or servers.
- Third-Party Software. Any third-party software we may provide in connection with an Application or the Subscription Services (Third-Party Software) which may include Client Software, will be a separately identified item on an Order and is governed strictly by the third-party’s (i) clickwrap agreement, which requires you to “Accept” and/or “Agree” before utilizing and/or installing the software; (ii) the terms and conditions referenced via a universal resource locator (URL) indicated on an applicable Order or Transaction Document; or (iii) terms and conditions contained within a text file (e.g., .txt), which accompanies the Third-Party Software. Third-Party Software may only be used with the Subscription Services. Third-Party Software is not to be construed as Software under this Agreement. The owner of the Third-Party Software may be deemed a third-party beneficiary with respect to your use of that software.
- INTELLECTUAL PROPERTY RIGHTS. Except as expressly set forth in this Agreement, this Agreement does not grant (a) us any Intellectual Property Rights in Customer Data or (b) you any Intellectual Property Rights in the Subscription Services or our trademarks. Title and full ownership, trade secrets, copyright, patent rights and all other Intellectual Property Rights to the Subscription Services remains with us, whether or not any portion thereof is or may be validly copyrighted or patented. We will own all rights in any copy, translation, modification, adaptation or derivation of the Subscription Services, including any improvement or development thereof. You are only granted the limited rights to the Subscription Services as described in this Agreement. All rights not specifically granted in this Agreement to you are exclusively reserved to us or our licensors. You agree to treat the Subscription Services as our proprietary information. You grant us a perpetual, irrevocable, unlimited, worldwide, sublicensable, transferable, royalty-free right and license to exploit and include in the Subscription Services, our products and other services, any suggestions, enhancement requests, feedback, recommendations or other information provided by you, your employees, contractors and Users to us without any obligation to you.
- CUSTOMER DATA
- Ownership. You control and own all right, title, and interest in and to Customer Data and at all times remain the data controller under this Agreement and applicable data protection laws and regulations. We obtain no rights to Customer Data except as set forth in this Agreement. You represent and warrant that you have complied with all relevant laws in collecting, using and disclosing the Customer Data.
- Customer Data Responsibilities. You are responsible for: (a) entering Customer Data and its content, accuracy, quality, reliability, legality and means by which you acquired the Customer Data; (b) obtaining the right and consent to use the Customer Data and your decisions concerning the processing and use of the Customer Data; (c) complying with the Data Processing Addendum and all applicable data privacy laws and regulations; and (d) uploading, sharing, withdrawal, management and deletion (unless an automatic deletion period is specified for the Subscription Service) of Customer Data.
- Data License. You grant us, our licensors and subcontractors a non-exclusive and limited license to access, copy, store, process, transmit and display Customer Data for the purposes of (a) performing our obligations under this Agreement, (b) preventing or addressing service or technical problems, and responding to your requests in connection with Support matters, (c) communicating to and with you and your Users regarding the Subscription Services, (d) enforcing this Agreement, and (e) complying with laws. We will not disclose Customer Data to a third party except to the extent necessary to carry out the terms of this Agreement or as permitted or required by law.
- SECURITY
- Safeguards. We will maintain commercially reasonable and appropriate technical and organizational measures designed to secure Customer Data against unauthorized and unlawful loss, access or disclosure. We will maintain physical, electronic and procedural safeguards in compliance with our then current security policies and applicable privacy laws, to protect Customer Data, including, but not limited to: (a) the maintenance of appropriate safeguards to restrict access to Customer Data to the employees, agents, licensors or service providers of ours who need that information to carry out our obligations under this Agreement; (b) procedures and practices for the safe transmission or transportation of the Customer Data; (c) the maintenance of appropriate safeguards to prevent the unauthorized access of the Customer Data; and (d) procedures and practices for the safe disposal of Customer Data. We provide production environment Subscription Services to our customers uniformly, and all appropriate and then current technical and organizational measures apply to our entire customer base subscribed to the same Subscription Service. You understand and agree that the technical and organizational measures are subject to technical progress, development and improvements for the protection of personal information and we reserve the right to update the technical and organizational security measures provided the technical and organizational security measures will not materially decrease.
- Notification. If we discover that Customer Data has been acquired by an unauthorized person or otherwise been the subject of an unauthorized disclosure, we will promptly notify you as allowed by applicable law.
- Customer Responsibilities. You are responsible for maintaining the security of your Subscription Service login credentials, user passwords and access to the Subscription Service from your network. Log-in credentials are for your internal use only and you may not sell, transfer, or sublicense them to any other entity or person. You will: (a) use commercially reasonable efforts to prevent unauthorized access to or use of the Subscription Service; and (b) contact us promptly if you believe there is unauthorized access or use of your Subscription Service account, if your Subscription Service account information is lost or stolen, or if you are aware of another breach of security related to the Subscription Service.
- ORDERS AND PAYMENT
- Orders. By sending us an Order you will be deemed to have placed a binding commitment to purchase and pay for the Subscription Services and other services identified therein, subject to our acceptance of such Order. You agree that your purchases are neither contingent on the delivery of any future functionality or features nor dependent on any oral or written comments made by us, our distributors or resellers regarding future functionality or features of the Subscription Services.
- Affiliate Orders. Your Affiliates located in the Territory may execute an Order subject to this Agreement and will be entitled to all the rights and be bound by all the obligations of you under this Agreement, any amendments whenever made, and the Order executed by the Affiliate. You will (a) remain obligated to perform your commitments (including payment obligations) under the Agreement with respect to any Subscription Services provided to your Affiliates; and (b) act as the single point-of-contact with us with respect to the Subscription Services provided to your Affiliates.
- Fees Generally. You will pay us for the Subscription Services and related expenses at the rates set forth on the Order. Invoiced amounts will be due and payable net 30 days from the invoice date or other period (if any) as may be indicated in the invoice. Fees are nonrefundable and your payment obligation is not cancelable. You are responsible for providing us with your complete and accurate billing and contact information and notifying us of any changes to your billing and contact information.
- Subscription Service Fees. You are responsible for payment of the fees at all times during the Subscription Term. Fees based on the number of Users or other quantity as indicated on an Order, will not be decreased during the Subscription Term or Renewal Term, as applicable.
- Usage Verification. You will cooperate with us to ascertain your usage and compliance with this Agreement. If your use of any Subscription Service is found to exceed the scope of this Agreement, you will be charged additional fees at our then-current rates, for each instance of additional use in excess of the rights granted and payment is due 30 days from the date of the invoice.
- Price Increases. Fees charged may be updated by Company up to once per year upon at least 30 days’ advance written notice.
- Overdue Charges. Subject to the “Payment Disputes” section, if any invoiced amount is not received by us by the due date, then without limiting our rights or remedies, those charges may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower. You will pay to us all reasonable costs and expenses for collection of overdue amounts, including legal fees. In addition, we may condition future purchases on payment terms shorter than those specified in this Section 7.
- Payment Disputes. We will not exercise our rights under the “Overdue Charges” section above if you are disputing the applicable charges reasonably and in good faith and are cooperating diligently to resolve the dispute. You must provide written notice to us of your good faith dispute within 15 days of invoice receipt. We will promptly review and respond to the notice. After the dispute is resolved, you will immediately pay the invoice. If you fail to provide notice to us within the 15-day period, then your right to dispute the invoice will be deemed waived.
- Taxes. Our fees do not include any taxes, levies, duties or similar governmental assessments of any nature, including, for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, Taxes). You are responsible for paying all Taxes (including taxes which may be applicable to online transactions in your state) associated with your purchases. If we have the legal obligation to pay or collect Taxes for which you are responsible, we will invoice you and you will pay that amount, unless you provide us with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, we are solely responsible for taxes assessable against us based on our income, property and employees.
- TERMINATION
- Subscription Service Termination. A party may terminate the Agreement, an Order or a Subscription Service for cause upon 30 days’ written notice to the other party of a material breach, including untimely payment, if the breach remains uncured at the expiration of the 30-day period. Consent to extend the cure period will not be unreasonably withheld, so long as the breaching party has commenced cure during the 30-day notice period and pursues cure of the breach in good faith. We may terminate the Agreement, an Order and/or a Subscription Service: (a) immediately if (i) you cease your business operations or become subject to insolvency proceedings and the proceedings are not dismissed within 90 days, (ii) you are using the Subscription Services for illegal purposes; or (iii) you are infringing on our or our licensors’ Intellectual Property Rights; and (b) with at least 30 days prior notice if a change in law comes into effect which renders our provision of the Subscription Service illegal, impossible or would materially adversely affect our ability to provide the Subscription Service.
- Temporary Suspension. We may, without liability to you, suspend the Subscription Services, including access by all or some of your Users, in the event we deem, in good faith, suspension is necessary: (a) following an actual, attempted, or aborted security breach or cyber-attack on us; (b) to protect our systems and their integrity; or (c) if required by a governmental or regulatory entity or law enforcement agency. We will notify you of the cause of the suspension to the extent and in the manner that we provide a notification to all of our affected customers. The suspension will only remain in place for the minimum amount of time necessary to cure the cause of the suspension, if possible.
- Effect of Termination.
- If the Agreement or Subscription Service is terminated by you in accordance with Section 8.1, we will refund to you any prepaid fees for the remainder of the Subscription Term after the effective date of termination.
- If the Agreement or Subscription Service is terminated by us in accordance with Section 8.1, you will pay any unpaid fees for the Subscription Services as set forth on the applicable Order, as well as any other fees due and owing, including fees for professional services that have been provided as of the date of the termination.
- Termination of this Agreement, Order or any Subscription Service will not prevent either party from pursuing all available legal remedies. Any payment obligations as of the termination of the Agreement, Order or Subscription Service will remain in effect.
- Upon termination of the Agreement, Order or Subscription Service: (i) your Subscription Service and access to it will immediately cease and your license to use Client Software will immediately terminate; (ii) we have no obligation to maintain any Customer Data except as otherwise specified in Section 8.4; and (iii) you must, in accordance with our directions, return or destroy our Confidential Information, Client Software and Documentation, and provide written certification of destruction.
- Return of Customer Data after Termination. Upon your request within 10 days after the effective date of termination or expiration of this Agreement or a Subscription Service, we will make Customer Data available to you for export or download for a period of thirty (30) days. After the 10-day period, we will have no obligation to maintain or provide any Customer Data and will thereafter delete or destroy all copies of Customer Data in our systems or otherwise in its possession or control, unless legally prohibited.
- Survival. Any terms of this Agreement that by their nature extend beyond the Agreement termination remain in effect until fulfilled, and apply to both parties’ respective successors and assigns, including the Sections titled “Intellectual Property Rights”, “Orders and Payment”, “Effect of Termination”, “Return of Customer Data after Termination”, “Confidentiality”, “Indemnification”, “Limitation of Liability” and “General”; provided however, the obligations under Section 10 shall only survive for one year following the termination of this Agreement.
- PROFESSIONAL SERVICES AND TRAINING
- Professional Services. In the absence of a separate written agreement between the parties, professional services will be provided in accordance with the terms and conditions of the Professional Services Agreement at secureauth.com/legal/professional-services-terms.pdf. We offer professional services for standard consulting, installation, integration, configuration, tailoring, architectural review, value added modules and other time and materials services as may be agreed in a SOW. You are responsible for establishing your access to the Subscription Services and installing any Client Software as permitted under this Agreement unless you purchase professional services and execute a Statement of Work with us with regard thereto.
- Training. Training and education services may be purchased in accordance with terms and conditions of the Education and Training Terms at secureauth.com/legal/training-terms.pdf.
- CONFIDENTIALITY
- Confidential Information. Confidential Information means all information disclosed by a party (Disclosing Party) to the other party (Receiving Party), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information of each party includes the terms and conditions of this Agreement, all Orders (including pricing), as well as the Subscription Services, business and marketing plans, financial information, strategies, data, technology and technical information, research and development, product plans and designs, and business processes disclosed by a party. However, Confidential Information does not include any information that (a) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (b) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (c) is received from a third party without breach of any obligation owed to the Disclosing Party, or (d) was independently developed by the Receiving Party without use of or reference to the Disclosing Party’s Confidential Information.
- Protection of Confidential Information. The Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care) to (a) not use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, and (b) except as otherwise authorized by the Disclosing Party in writing, limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees and contractors who need that access for purposes consistent with this Agreement and who have confidentiality agreements with the Receiving Party containing protections not materially less protective of the Confidential Information than those in this Agreement. Neither party will disclose the terms of this Agreement or Order to any third party other than its Affiliates, legal counsel and accountants without the other party’s prior written consent, provided that a party that makes any such disclosure to its Affiliate, legal counsel or accountants will remain responsible for the Affiliate’s, legal counsel’s or accountant’s compliance with Section 10 (Confidentiality).
- Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party: (a) gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted); (b) provides reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure; and (c) discloses only the information required by law.
- WARRANTIES AND DISCLAIMERS
- General Warranty. Each party represents and warrants that it has validly entered into this Agreement and has the legal power to do so.
- Warranty. We warrant that: (a) the Subscription Service will perform in substantial accordance with the Documentation; and (b) except as specified in the Documentation and to the best of our knowledge, the Subscription Service does not contain any program routine, device, or other undisclosed feature, including, without limitation, malicious logic, worm, or Trojan horse. If the Subscription Service fails to fulfill or is not in compliance with one or more of the warranties set forth in this Section, then you must inform us in writing and provide information and materials, reasonably requested by us, to document and reproduce the noncompliance. Your exclusive remedy under this provision will be to have us, at our expense and sole option, either modify or replace the nonconforming Subscription Service with other services offering comparable functionality; and if we are unable to correct the warranty issue after a reasonable opportunity, you may terminate the Subscription Service and we will refund any prepaid fees covering the remainder of the Subscription Term for the applicable Subscription Service. If refunded, your access to the defective Subscription Service will be terminated. This warranty does not apply to problems caused by (i) abuse, misuse, alteration, neglect, accident, unauthorized repair or installation, or acts or omissions of any party other than us; (ii) your hardware, software, networks or systems; (iii) your failure to promptly install or allow an installation of a revision, update or release provided by us or our licensor; or (iv) use of the Subscription Service not in accordance with the Documentation or the Agreement. For products acquired from a third party on your behalf by us, you agree to look solely to the manufacturer of those products for all warranties made by the manufacturer regarding those products.
- Disclaimer. EXCEPT AS EXPRESSLY PROVIDED IN SECTION 11.2, THE SUBSCRIPTION SERVICE (INCLUDING BUT NOT LIMITED TO ALL EVALUATION SERVICES) ARE OFFERED “AS IS” AND “AS AVAILABLE” AND YOU RECEIVE NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE. WE, OUR AFFILIATES AND LICENSORS SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT; AND ANY WARRANTY ARISING FROM COURSE OF DEALING, USAGE OR TRADE PRACTICE. WE DO NOT WARRANT THAT THE USE OR OPERATION OF ANY OF THE SUBSCRIPTION SERVICES WILL BE SECURE, UNINTERRUPTED, FREE OF HARMFUL CODE OR ERROR FREE OR THAT THE SUBSCRIPTION SERVICE WILL FUNCTION OR OPERATE IN CONJUNCTION WITH ANY OTHER PRODUCT, SOFTWARE, EQUIPMENT OR HARDWARE (EXCEPT IF AND TO THE EXTENT EXPRESSLY SET FORTH IN THE DOCUMENTATION), OR THAT THE SUBSCRIPTION SERVICE WILL NOT CAUSE ANY LOSS OR CORRUPTION OF DATA, OR THAT THE SUBSCRIPTION SERVICE WILL MEET YOUR OR ANY OTHER PERSON’S REQUIREMENTS. NO EMPLOYEE, AGENT, REPRESENTATIVE OR AFFILIATE OF SECUREAUTH HAS THE AUTHORITY TO BIND US TO ANY ORAL REPRESENTATIONS OR WARRANTY CONCERNING THE SUBSCRIPTION SERVICES AND ANY APPLICATION. ANY WRITTEN REPRESENTATIONS OR WARRANTIES NOT EXPRESSLY CONTAINED IN THIS AGREEMENT ARE UNENFORCEABLE. SUBSCRIPTION SERVICE MAY BE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET, TELEPHONIC AND ELECTRONIC COMMUNICATIONS AND WE ARE NOT RESPONSIBLE FOR DELAYS, DELIVERY FAILURES, OR OTHER DAMAGE AS A RESULT.
- We warrant at least ninety-nine and nine-tenths percent (99.9%) System Availability over any calendar month. Should the Subscription Service fail to achieve this warranty over a calendar month, the Subscription Term will be extended by an additional day for each one-half percent (0.5%) by which the Subscription Service failed to achieve such level for such month. In addition, for failure to achieve this warranty in 2 or more consecutive months, or in any three (3) months during a single calendar year, Customer shall have the right to terminate the Agreement and receive a pro rata refund of the prepaid unused fees as of the date of the termination. This section sets forth Customer’s sole and exclusive remedy for any breach of this service level warranty. Claims under this service level warranty must be made in good faith and by notifying the Company in writing within ten (10) business days after the end of the relevant month.
- INDEMNIFICATION
- Indemnifications. We agree to indemnify, defend and hold you harmless from and against any claim or legal action brought by or on behalf of an unaffiliated third party alleging: (a) that the Subscription Service as made available to you by us infringe any United States patent, copyright or trademark (IP Indemnity); or (b) death, bodily injury or the damage to or loss of any real or tangible personal property to the extent arising out of our gross negligence or willful misconduct in the performance of this Agreement. You agree to indemnify, defend and hold us and our licensors harmless from and against any unaffiliated third-party claim or legal action arising from or in connection with your breach of this Agreement.
- Procedure. The party seeking indemnification will promptly notify the other party of the claim and cooperate in defending the claim. Failure to provide timely notice or reasonable assistance will relieve the indemnifying party of its obligations under Section 12 to the extent the indemnifying party has been materially prejudiced. The indemnifying party will have full control and authority over the defense, including appeals, negotiations and any settlement, except that: (a) it may not make an admission of fault on behalf of the other party without written consent, (b) any settlement requiring the party seeking indemnification to admit liability requires prior written consent, not to be unreasonably withheld or delayed, and (c) the other party may join in the defense with its own counsel at its own expense. The indemnifying party will (i) retain and pay attorneys and court costs as part of its defense obligation, (ii) reimburse the other party for reasonable out‐of‐pocket expenses that it incurs in providing assistance, and (iii) pay the amount of any resulting adverse final judgment (including any award of attorney’s fees and costs), penalties, sanctions or settlement. Section 12 states the sole liabilities and exclusive remedies for claims described in Section 12.
- Exceptions. We have no obligation to indemnify you for an IP Indemnity to the extent that any claim or allegation arises from: (a) your use of the Subscription Service contrary to this Agreement or the Documentation; (b) use of a Subscription Service in combination with any other services, technology, content or material not provided or approved by us if infringement would not occur without the combination, unless contemplated by this Agreement or the Documentation expressly authorizes a combination with other services, technology, content or material; (c) modification of the Subscription Service by anyone other than us, or modification made by us for non-standard features or functionality for you or according to your direction if the infringement would not have occurred without your requested modifications; (d) your failure to install or allow an installation of a revision, update or release made available or provided by us or our licensors that would have eliminated the infringement; or (e) if the fees due from you for the Subscription Service have not been paid.
- Possible Infringement. In the event that we, in our sole discretion, reasonably determine, that the Subscription Service, or any portion thereof, infringes or misappropriates, or may infringe or misappropriate, any third-party Intellectual Property Right, we will, as your sole and exclusive remedy (but without limitation of our indemnification obligations under Section 12), and at our sole discretion, either: (a) obtain the right, at reasonable cost, for you to continue using the Subscription Service, or portion thereof; (b) modify the Subscription Service while retaining substantively equivalent functionality; (c) provide a non-infringing, functionally equivalent replacement; or (d) terminate the applicable Subscription Service in whole or in part and give you a refund for any unused, prepaid fees for the infringing Subscription Service covering the remainder of the Subscription Term, after the date of termination.
- LIMITATION OF LIABILITY
- DAMAGES. IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES OR LICENSORS HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING FOR THE LOSS, WHETHER DIRECT OR INDIRECT, OF USE, PROFIT, REVENUE, BUSINESS, OPPORTUNITY, GOODWILL OR DATA, OR FOR BUSINESS INTERRUPTION OR COST OF COVER), HOWEVER CAUSED, AND UNDER WHATEVER CAUSE OF ACTION OR THEORY OF LIABILITY (INCLUDING UNDER ANY CONTRACT, NEGLIGENCE, TORT OR OTHER THEORY OF LIABILITY) EVEN IF THE PARTY OR ITS AFFILIATES KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE OR REASONABLY FORESEEABLE AND EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE. THE FOREGOING DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW.
- LIMITATION. The aggregate liability for all claims under this Agreement is limited to direct damages up to: (a) the amount paid by you to us under this Agreement during the 12 months prior to the event giving rise to liability if the breaching party is us; or (b) the amount due from you under this Agreement during the 12 months prior to the event giving rise to liability if the breaching party is you. This limitation applies to any damage, however caused, and on any theory of liability, whether for breach of contract, tort, misrepresentation, negligence (active or otherwise), the use or performance of the Subscription Services, or otherwise and regardless of whether the damages were foreseeable or not. Notwithstanding the above, our cumulative liability arising out of or related to an Evaluation Service will not exceed $100. Neither party will be liable for any claim brought by the other party more than 12 months after the other party became aware of the claim.
- Exceptions to Limitations. The limits of liability in Section 13.2 apply to the fullest extent permitted by law, except with regard to: (a) violation of the other party’s Intellectual Property Rights; (b) your failure to comply with your payment obligations; or (c) breach of a party’s obligations under Section 10 (Confidentiality) or Section 12 (Indemnification). Notwithstanding anything to the contrary in the Agreement, our aggregate liability with respect to Customer Data will be limited to the amounts in Section 13.2.
- USAGE VERIFICATION. You will cooperate with us to ascertain your usage of the Subscription Service and compliance with this Agreement. If your use of any Subscription Service is found to exceed the scope of your Subscription, you will be charged additional fees at then-current rates, for each instance of additional use in excess of the rights granted and payment is due 30 days from the date of the invoice therefor.
- GENERAL
- Entire Agreement. The Agreement, any attached specific Subscription Service terms, Order(s), and any amendments contain the entire agreement with respect to the subject matter of this Agreement and supersede and replace all prior or contemporaneous proposals, understandings, agreements, negotiations and representations, oral or written. Any pricing, payment and term length conditions in an Order that are inconsistent with the Agreement will control for that Order only. Any inconsistent or additional terms of your purchase order or similar document are excluded regardless of us accepting the purchase order or other Customer document for payment purposes. All headings are for reference purposes only and must not affect the interpretation of the Agreement.
- Assignment. Neither party may assign, transfer or delegate any of its rights or obligations under this Agreement, whether by operation of law or otherwise, without the other party’s prior written consent (not to be unreasonably withheld); provided, however, we may assign this Agreement in its entirety, without your consent, to an Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all our assets. For purposes of the foregoing, an assignment shall include the sale or acquisition of you by another entity, any transaction in which the holders of your outstanding equity prior to such transaction cease to hold at least 65% of the outstanding equity of the combined entity following such transaction, or an exclusive license to your business or assets. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their respective successors and permitted assigns.
- Severability. If any provision of this Agreement is held by a court of competent jurisdiction or arbitrator to be contrary to law, the provision will be deemed null and void, and the remaining provisions of this Agreement will remain in effect.
- Waiver. No failure or delay by either party in exercising any right under this Agreement will constitute a waiver of that right. Any waiver, amendment or other modification of this Agreement must be in writing and signed by an authorized representative of both parties.
- Notices. Notice or approval must be in writing, signed by a party’s authorized representative. Notices will be deemed to have been given upon: (a) personal delivery, (b) the second business day after mailing, or (c) the first business day after sending by email (provided email will not be sufficient for notices of termination or an indemnifiable claim). Billing-related notices to you will be addressed to the relevant billing contact designated by you. All other notices to you will be addressed to the relevant contact administrator designated by you.
- Force Majeure. Neither party will be responsible for any failure or delay in its performance under this Agreement (except for the payment obligations) due to causes beyond its reasonable control, including, but not limited to, labor disputes, strikes, lockouts, shortages of or inability to obtain labor, energy, raw materials or supplies, internet failure, communication line failure and power failures, war, acts of terror, riot, acts of God or governmental action (including the passage of laws or regulations or other acts of government that impact the delivery of the Subscription Service).
- Relationship of the Parties. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. Each party will be solely responsible for payment of all compensation owed to its employees, as well as all employment-related taxes. We do not undertake to perform any of your regulatory obligations or assume any responsibility for your business or operations.
- Dispute Resolution. The parties will attempt in good faith to resolve any controversy or claim promptly through business discussions and will, upon written request, escalate a dispute to executive management for resolution. If the parties fail to resolve the dispute within 30 days of written request, or any longer period agreed to in writing, the parties may pursue the remedies to which they are entitled. This Section does not restrict either party’s right to seek injunctive relief.
- Governing Law; Arbitration. This Agreement is to be governed by and interpreted in accordance with the laws of the State of Delaware, U.S.A., without giving effect to its principles of conflict of laws. The parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Transactions Act, as adopted by any state or governing body, do not apply to this Agreement. Any action or proceeding arising out of or relating to this Agreement will be resolved by arbitration in Orange County, California in accordance with the Commercial Dispute Resolution Procedures of the American Arbitration Association and, in the event either party seeks injunctive or provisional relief, the Optional Rules for Emergency Measures of Protection. The arbitration will be heard and determined by a single arbitrator experienced in the software industry. The arbitrator’s decision in any arbitration will be final and binding upon the parties and may be enforced in any court of competent jurisdiction. The prevailing party will be entitled to recover its attorneys’ fees and arbitration costs from the other party. The parties agree that the arbitration will be kept confidential and that the existence of the proceeding and any element of it (including, but not limited to, any pleadings, briefs or other documents submitted or exchanged and any testimony or other oral submissions and awards) will not be disclosed beyond the arbitration panel, except as may lawfully be required in judicial proceedings relating to the arbitration or by disclosure rules and regulations of securities regulatory authorities or other governmental agencies.
- Injunctive Relief. Each party acknowledges that money damages may not be sufficient compensation for a breach of Sections 2-5 or 10. Each party agrees that the other will have the right, in addition to its other rights and remedies, to seek injunctive relief in accordance with this Agreement for any violation or threatened violation of Sections 2-5 or 10 and waives any requirement that the party seeking injunctive relief post a bond or any other security.
- U.S. Government Customer Rights. Where the United States Government is the Customer, the Government acquires the Subscription Service with only those rights set forth in this Agreement, and any use of the Subscription Service by the Government constitutes agreement by the Government that the Subscription Service is “commercial items”, “commercial computer software”, “commercial computer software documentation” and “technical data” as defined in the Federal Acquisition Regulation and the Defense Federal Acquisition Regulation Supplement. If for any reason any Subscription Service is not considered commercial or the terms of this Agreement are otherwise deemed not applicable, the Subscription Service will be deemed to have been provided with “restricted rights.”
- Compliance with Laws. Each party will comply with the laws and regulations applicable to it in connection with its obligations and performance under this Agreement. You are responsible for ensuring that your use of the Subscription Service is in accordance with laws and regulations that apply to you.
- Export. Each party is responsible for ensuring that its actions with respect to the Subscription Service comply with the export control laws of the United States. You will not, directly or indirectly, export, re-export, transfer, re-transfer, sell, supply, or allow access to or use of the Subscription Service to, in, by, or for sanctioned, embargoed, or prohibited countries, persons, or end uses under U.S. or other applicable law (collectively, Prohibited Uses). You are responsible for screening for Prohibited Uses and obtaining any required licenses, governmental approval, or other authorizations.
- Anti-Corruption. Neither party has received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from an employee or agent of the other party in connection with this Agreement. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction.
- Marketing. We may use your company name, logo, trademark, trade name, service mark, or other commercial designation to indicate the existence of a customer relationship between you and us. We may place your name and/or logo in audio and online presentations to potential and current customers and business partners and use your name in a press release.
- Mutual Non-Solicitation. During the term of the Agreement and for a period of 12 months thereafter, neither party will, either directly or indirectly (whether through its respective employees, independent contractors, consultants or otherwise), employ or engage, or solicit for employment or engagement, any employee, independent contractor, consultant, agent or representative of the other party who is directly involved with the performance of the Professional Services. Nothing in this Section restricts general advertisements of employment or the rights of any employee of one party, on that employee’s own initiative or in response to any general advertisement(s), to seek employment from the other party nor, under those circumstances, for the advertising party to hire that employee.
- Counterparts. This Agreement may be entered into in separate counterparts, each of which when so executed will be deemed an original and taken together will constitute one fully executed The parties’ consent to use electronic signatures and the Agreement may not be invalidated on the basis that the documents and signatures were electronically provided.
Attachment A
Data Processing Addendum
This Data Processing Addendum (DPA) forms part of the SecureAuth Corporation Subscription Services Agreement between SecureAuth Corporation (SecureAuth) and the customer executing this Agreement (Customer) dated as of or about the same date hereof (the Agreement). All capitalized terms not defined in this DPA have the meaning set forth in the Agreement.
- Definitions
Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Authorized Affiliate means any of Customer’s Affiliate(s) which is (a) subject to applicable data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland, and/or the United Kingdom; (b) permitted to use the Services pursuant to the Agreement between Customer and SecureAuth, if and to the extent SecureAuth processes Personal Data for which such Affiliate(s) qualify as the Controller.
CCPA means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
Controller means the entity who determines the purposes and means of the Processing of Personal Data.
Customer Data means what is defined in the Agreement as “Customer Data”, provided that such data is electronic data and information submitted by or for Customer to the Services.
Data Protection Laws and Regulations means the applicable laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, United Kingdom and United States, regarding the Processing of Personal Data under the Agreement.
Data Subject means the identified or identifiable person to whom Personal Data relates.
GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Personal Data means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
Standard Contractual Clauses means the agreement executed by and between Customer and SecureAuth Corporation or its Affiliates and attached as Exhibit B pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Sub-processor means any Processor engaged by SecureAuth or its Affiliates to Process Customer Data.
Supervisory Authority means an independent public authority, which is established by an EU Member State pursuant to the GDPR.
- Processing of Personal Data
- Role of the Parties. For purposes of this DPA, with respect to Customer Data and the Processing of Personal Data, Customer is the Controller and SecureAuth is the Processor. SecureAuth or its Affiliates will only engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
- Customer’s Processing of Personal Data. Customer will only use the Services to Process Personal Data in accordance with Data Protection Laws and Regulations. Customer has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.
- SecureAuth’s Processing of Personal Data. SecureAuth will treat Personal Data as Confidential Information and will only Process Personal Data for the following purposes: (i) Processing as necessary to provide the Services and in accordance with the Agreement and applicable Order form(s); (ii) Processing initiated by Users in their use of the Services; (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement; (iv) Processing to support or troubleshoot the Services; and (v) Processing for the purpose of enabling Sub-Processors in accordance with Section 5 below. Customer appoints SecureAuth as a Processor to process Customer Data on behalf of, and in accordance with, Customer instructions and as specified in this DPA, in the Agreement, or as otherwise instructed by Customer. Customer is responsible for ensuring that its instructions comply with all applicable laws or regulations that apply to Customer, including the GDPR and Data Protection Laws and Regulations.
- Details of Processing. The subject-matter of Processing of Personal Data by SecureAuth is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects processed under this DPA are further specified in Exhibit A (Description of Processing Activities) to this DPA.
- Rights of Data Subjects
Data Subject Requests. SecureAuth will, to the extent legally permitted, promptly notify Customer if SecureAuth receives a request from a Data Subject to exercise the following Data Subject right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (each, a Data Subject Request). SecureAuth will not respond to a Data Subject Request without Customer’s prior written consent, except that SecureAuth may respond to the Data Subject to confirm that the request relates to Customer. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, SecureAuth may, upon Customer’s request, provide commercially reasonable assistance to facilitate the Data Subject Request, to the extent SecureAuth is legally permitted to do so and provided that the Data Subject Request is exercised in accordance with Data Protection Laws and Regulations. To the extent legally permitted, Customer will be responsible for any costs arising from SecureAuth’s provision of such assistance.
- SecureAuth Personnel
- SecureAuth will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. SecureAuth will ensure that the confidentiality obligations survive the termination of the personnel engagement.
- SecureAuth will take commercially reasonable steps to ensure the reliability of any SecureAuth personnel engaged in the Processing of Personal Data.
- Limitation of Access. SecureAuth will ensure that SecureAuth’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
- Sub-Processors
- Appointment of Sub-processors. Customer agrees that (a) SecureAuth’s Affiliates may be retained as Sub-processors; and (b) SecureAuth and SecureAuth’s Affiliates, respectively, may engage third-party Sub-processors in connection with the provision of the Services so long as SecureAuth or the SecureAuth Affiliate have entered into a written agreement with each Sub-processor containing data protection obligations with respect to the protection of Customer Data to the extent applicable to the nature of the services provided to Customer by such Sub-processor.
- List of Current Sub-processors and Notification of New Sub-processors. SecureAuth will provide the current list of Sub-processors for the Services, including the identities of the Sub-processors and their country of location (Sub-processor Lists). SecureAuth will provide Customer with notification of new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Services.
- Objection Right for New Sub-processors. Customer may object to SecureAuth’s use of a new Sub-processor, if Customer reasonably believes that making Personal Data available to the Sub-processor violates applicable Data Protection Laws and Regulations, by notifying SecureAuth in writing within ten (10) business days after SecureAuth’s notice of new Sub-Processor under Section 5.2. Customer’s notice must explain the reasonable grounds for the objection. SecureAuth will use commercially reasonable efforts to make available to Customer a change in the Services to avoid Processing of Personal Data by the objected-to new Sub-processor. If SecureAuth is unable to make available such change, either party may terminate the applicable Order form(s) with respect only to those Services affected by the use of the new Sub-processor.
- SecureAuth will be liable for the acts and omissions of its Sub-processors to the same extent SecureAuth would be liable if performing the services of each Sub-processor directly under the terms of this DPA except as otherwise set forth in the Agreement.
- Security
- Controls for the Protection of Customer Data. SecureAuth will maintain appropriate technical and organizational measures, which are designed to protect the security, confidentiality and integrity of Customer Data (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), including as appropriate: (a) the encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing. SecureAuth will not materially decrease the overall security of the Services during a subscription term.
- Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, SecureAuth will make available to Customer a copy or attestation letter of SecureAuth’s then most recent third-party audits or certifications, as applicable.
- Customer Data Incident Management and Notification
SecureAuth maintains security incident management policies and procedures and will notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by SecureAuth or its Sub-processors of which SecureAuth becomes aware (a Customer Data Incident). SecureAuth will make reasonable efforts to identify the cause of the Customer Data Incident and take those steps SecureAuth deems necessary and reasonable to remediate the cause of a Customer Data Incident to the extent the remediation is within SecureAuth’s reasonable control. The obligations in this DPA do not apply to incidents that are caused by Customer or Customer’s Users.
- Return and Deletion of Customer Data
SecureAuth will return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Agreement.
- Limitation of Liability
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and SecureAuth, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
- European Specific Provisions
- SecureAuth will Process Personal Data in accordance with those GDPR requirements which are directly applicable to SecureAuth’s provision of its Services.
- Data Protection Impact Assessment. Upon Customer’s request, when processing is likely to result in a high risk to the rights and freedoms of natural persons, SecureAuth will provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent the information included in this DPA does not provide sufficient detail. SecureAuth will provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under the GDPR.
- Transfer Mechanisms. SecureAuth self-certifies to and complies with the E.U.-U.S. Privacy Shield Framework, as administered by the U.S. Department of Commerce. For transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws and Regulations of the foregoing territories, to the extent such transfers are subject to such applicable Data Protection Laws and Regulations: (a) SecureAuth’s EU-U.S. Privacy Shield Framework self-certification applies; and (b) the Standard Contractual Clauses set forth in Exhibit B to this DPA apply, subject to Exhibit B.
- Legal Effect
This DPA only becomes legally binding between Customer and SecureAuth when the formal steps set out in the Section “HOW TO EXECUTE THIS DPA” above have been fully completed.
List of Exhibits
Exhibit A DESCRIPTION OF PROCESSING ACTIVITIES
Exhibit B STANDARD CONTRACTUAL CLAUSES
EXHIBIT A
DESCRIPTION OF PROCESSING ACTIVITIES
NATURE AND PURPOSE OF PROCESSING
SecureAuth will Process Personal Data as necessary to perform the Services purchased by Customer under the Agreement, as further specified in any Order forms, and as further instructed by Customer in its use of the Services.
DURATION OF PROCESSING
Subject to Section 8 of the DPA, SecureAuth will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
CATEGORIES OF DATA SUBJECTS
Customer may submit Personal Data to the Service, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners, and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, customers, business partners, and vendors
- Employees, agents, and advisors of Customer (who are natural persons)
- Customer’s Users authorized by Customer to use the Services
TYPES OF PERSONAL DATA
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Title
- Position
- Employer
- Contact information (company, email, phone, physical business address)
- ID data
- Professional life data
- Personal life data
- Localization data
- Connection data
- Any Personal Data comprised in Customer Data, as defined in the Agreement
EXHIBIT B
STANDARD CONTRACTUAL CLAUSES (PROCESSORS)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection the data exporter and data importer each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
- ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- ‘the data exporter’ means the controller who transfers the personal data;
- ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
- ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
- ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
- ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
- that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
- that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
- that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
- that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
- that it will ensure compliance with the security measures;
- that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
- to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
- to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
- that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
- that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
- to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
- that it will promptly notify the data exporter about:
- any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
- any accidental or unauthorized access, and
- any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
- to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
- at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
- to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
- that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
- that the processing services by the subprocessor will be carried out in accordance with Clause 11;
- to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
- to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
- to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11
Subprocessing
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
DATA EXPORTER
Data Exporter is (i) the legal entity identified in the Agreement, including the DPA, and (ii) any Affiliates (as defined in the Agreement) of Customer established within the European Economic Area (EEA) that have purchased the Services on the basis of one or more Order form(s).
DATA IMPORTER
The data importer is SecureAuth Inc. and its Affiliates, provider of services for identity access management.
DATA SUBJECTS
The personal data transferred concern the following categories of data subjects (please specify):
Data exporter’s authorized users. The data importer will receive any Personal Data that the data exporter instructs it to process through the Services.
CATEGORIES OF DATA
The Personal Data that the data exporter will transfer to the data importer is determined and controlled solely by the data exporter, but may include some or all of the following categories of data:
- User first name, last name, e-mail address, social media handle, telephone number
- Communication data (such as the content or body of messages sent and received). Communication data may include professional or personal data, information about business transactions or similar kinds of communications
- Log data or activities undertaken by authorized users of the Services (such as messages reviewed, escalated, log in times/dates)
- Business information such as position, employer, contact information
SPECIAL CATEGORIES OF DATA (IF APPROPRIATE)
The personal data transferred concern the following special categories of data (please specify):
Data exporter may process special categories of data via the Services, the extent of which is determined and controlled by the data exporter in its sole discretion. The data exporter is solely responsible for ensuring the legality of any special categories of data it or its end users choose to process using the Services.
PROCESSING OPERATIONS:
The personal data transferred will be subject to the following basic processing activities (please specify):
Depending on the Services purchased, the receipt of communications data from various platforms or communication channels, as instructed by Customer, programmable communication products and services,
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Data importer will maintain appropriate technical and organizational measures, which are designed to protect the security, confidentiality and integrity of Customer Data (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), including as appropriate:
- the encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
Data Importer will not materially decrease the overall security of the Services during a subscription term.