THIS AGREEMENT GOVERNS YOUR ACQUISITION AND USE OF JANRAIN, INC. SERVICES.
BY ACCEPTING THIS AGREEMENT, EITHER BY EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT OR BY CLICKING A BOX INDICATING YOUR ACCEPTANCE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS “YOU” OR “YOUR” AND “CLIENT” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICES.
You may not access the Services for the purpose of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purpose.
This Agreement is between You and Janrain, Inc., a Delaware corporation with its principal offices located in Portland, Oregon (“Janrain”). Customer and Janrain are each referred to below as a “Party” and together the “Parties.” This Agreement, which is effective as of the date of Customer acceptance, states the general terms and conditions applicable to the Services (defined below) which Janrain will provide to Customer pursuant to the terms herein, the Order Form which incorporates this Agreement by reference, and any related SOW (defined below).
“Client Data” means electronic data pertaining to a User and/or thing and submitted by a User to a Client Property through use of the Subscription Services or provided by Client to Janrain for storage in a Record;
“Client Property” means a website or mobile application owned or operated by Client and/or its agent;
“Documentation” means the technical documentation made available by Janrain to Client that describes the components, operation, and functionality of the Subscription Services, including such descriptions in a SOW;
“ID Providers” are third party social network and other User identity providers from whom Client Data may be processed and shared depending on Client’s desired configuration of the Subscription Services;
“Order Form” means the Janrain document used to order Services hereunder, which is mutually executed by the Parties, and constitutes a binding commitment to purchase the Subscription Services ordered therein;
“Professional Services” means work performed by Janrain or its permitted subcontractors under a SOW or Order Form, including the provision of any deliverables specified in any such SOW or Order Form;
“Record” means a Client Data record stored in a database maintained by Janrain for Client, if Client has ordered a Subscription Service that includes such storage;
“SDK” means a software development kit developed by Janrain and made available for Client’s use in connection with Client mobile applications;
“Services” means Subscription Services and Professional Services;
“SOW” means a Statement of Work prepared by Janrain and executed by the Parties that describes any Professional Services ordered by Client and includes applicable assumptions, deliverables, and a schedule for their delivery;
“Subscription Services” means those customer identity and access management and related services ordered by Client under an Order Form and made available online by Janrain as further described in the Order Form and Documentation;
“Subscription Term” means the term commencing on the subscription start date stated in the Order Form and continuing for the period stated on the Order Form, subject to any adjustment and/or renewal as described herein;
“User” means each unique, individual person authorized by Client to interact with the Subscription Services.
2.1. Order Form. Services are purchased via an Order Form.
2.2. Subscription Services. Subscription Services are purchased as subscriptions to access and use the Subscription Services for the number of Client Online Properties, User or Record capacity, and Subscription Term specified in an Order Form. Janrain will count the number of Users or, if applicable, Records, and display the current total to Client within the Subscription Services online administration dashboard. A User is counted when the User initially uses the Subscription Services to register or log in on a Client Property, and a Record is counted when it is created. Production and non-production (e.g., development and testing) environments owned or operated by Client or Client’s agent for a single Client Property are counted collectively as one Client Property.
2.3. Adding User/Record Capacity and Client Properties for Subscription Services. Subscriptions for additional User or Record capacity or Client Properties may be purchased during a Subscription Term for the pricing stated in the underlying subscription Order Form and any added subscriptions will terminate on the same date as the underlying subscription, unless otherwise specified in the Order Form.
2.4. Subscription Service Renewal. Each subscription for a Subscription Service will automatically renew for a 12-month Subscription Term unless either Party notifies the other at least thirty days prior to the commencement of the renewal term that it does not want the subscription to renew.
3.1. Provisioning. Janrain will provide the Services pursuant to this Agreement, including applicable Order Forms and any SOWs. Subscription Services will be provided 24 hours a day, 7 days a week in accordance with the Service Level Agreement (SLA) in Appendix A hereto. Client will provide assistance reasonably requested by Janrain in connection with the provisioning of the Subscription Services. Use of ID Providers services is subject to their availability from ID Providers. Professional Services will be provided in accordance with applicable SOWs. The Parties may change a SOW only by a written change order document signed by the Parties.
3.2. Support. Support is provided for the Subscription Services as described below. Support services include Client access to the support portal and reporting on any SLA violation as specified in the Support Appendix to the Order Form:
Client will initiate all support requests by initiating a support ticket at https://support.janrain.com/. Janrain will use commercially reasonable efforts to meet the initial response and resolution goal service level objectives specified in the Support Appendix according to the severity level of the particular issue. Resolution times start once Client has notified Janrain of the incident via the Janrain support ticket system and, if requested, provided to Janrain transaction data and reproducible test case data necessary to determine the nature of the error at issue and to isolate any defect(s). Client acknowledges that Janrain’s ability to provide satisfactory support services is dependent on Janrain having the information necessary to replicate the reported problem with the Subscription Services and real-time access to Client personnel who are knowledgeable about the problem. Load testing is prohibited without prior scheduling with Janrain. Client agrees not to run scripts that could endanger the performance of the Subscription Services without Janrain’s prior written permission.
3.3. Administrative Rights. Subscription Services include a restricted-access administrative interface to allow Client’s designated employees or agents (“Administrative Users”) to access the configuration and settings components so they can manage, configure and monitor the Subscription Services for Client benefit. Janrain will provide each Administrative User designated by Client with access to and use of the administrative interface.
3.4. Regulatory Compliance and Protection of Hosted Data. Janrain will provide the Services in compliance with all laws and regulations applicable to it and the Services and with its Security and Privacy Safeguards described in Appendix B.
4.2. Restrictions. Client will not (a) use the Subscription Services or make them available for use except as permitted hereunder; (b) sell, rent or lease the Subscription Services; (c) reverse engineer or otherwise attempt to discover the underlying software to the Subscription Services (unless this restriction is not permitted under applicable law); (d) knowingly permit Users to access or use any Service in a country embargoed by the U.S. (currently Cuba, Iran, North Korea, Sudan or Syria) or in violation of any U.S. export law or regulation; or (e) use the Subscription Services to store financial or credit account numbers, social security or other government issued personal identification numbers, driver license numbers, or personal health information.
5.1. Fees. All fees for purchased Services (“Fees”) will be itemized on the applicable Order Form. Except as otherwise specified herein, (a) Fees are based on Services purchased, not actual usage, (b) payment obligations are non-cancellable and Fees are non-refundable, and (c) capacity and quantities purchased cannot be decreased during the relevant Subscription Term.
5.2. Travel Expenses. Client will reimburse Janrain for reasonable travel expenses, if any, directly related to the performance of the Services under this Agreement, provided that the travel is approved in writing by email in advance of the travel. Approved travel expenses, if any, will be billed separately. In no event will travel time be billable.
5.3. Taxes. Fees do not include any taxes (including any withholding taxes) assessable by any jurisdiction (collectively, “Taxes”). Client is responsible for paying all Taxes associated with its purchases hereunder. If Janrain has the obligation to collect or pay Taxes for which Client is responsible under this Section 5.3, Janrain will invoice such Taxes and Client will pay them to Janrain unless Client provides Janrain with a valid taxation exemption certificate from the relevant taxing authority. Janrain is solely responsible for taxes assessable against Janrain based on its income, property, and employees.
5.4. Payment. All properly invoiced amounts are due and payable in United States currency within thirty (30) days following the invoice date (or thirty (30) days following the renewal date for any renewed Subscription Service) unless a different currency and period is specified in the Order Form. Payment Invoices will be sent to the address included on the invoice unless Client instructs Janrain otherwise in writing. If payment of any properly invoiced amount is not received by Janrain by the due date, then without limiting Janrain’s rights or remedies, (a) the invoiced amount may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, and/or (b) Janrain may condition future subscription renewals and Order Forms on payment terms shorter than those specified herein.
7.1. Agreement Term. This Agreement will continue in effect until terminated as set forth herein.
7.2. Termination. This Agreement and any Order Form may be terminated (a) by either Party if the other Party breaches this Agreement and does not cure the breach within thirty (30) days after receiving written notice thereof from the non-breaching Party, or (b) by either Party upon written notice if the other Party becomes the subject of a petition for bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. Otherwise, the Agreement will terminate 30 days after the most recent Order Form is no longer in effect.
7.3. Effect of Termination. Upon any termination of this Agreement or an Order Form, without prejudice to any other rights or remedies which the Parties may have, (i) all rights to use the Subscription Services will terminate, (ii) Client will pay to Janrain any outstanding Fees that have accrued hereunder prior to the date of termination, and (iii) if Client terminates the Agreement pursuant to Section 7.2(a) or (b), Janrain will refund to Client any prepaid fees for the terminated period. See Appendix B for Client Data transfer and deletion following Termination.
7.4. Client Data Transfer and Deletion. Upon Client request via the standard support process and made within 30 days after the effective date of Agreement termination or expiration, Janrain will make all Client Data available to Client for transfer via FTP or other secure mechanism agreed upon by the Parties. After that 30-day period, unless the Parties otherwise agree in writing, Janrain will delete all copies of Client Data in Janrain’s systems or otherwise in Janrain’s possession as further described in Section 8 of Agreement Appendix B.
11.1. Indemnification by Janrain. Janrain will defend and indemnify Client against any “Claim Against Client,” meaning any third party claim, suit, or proceeding brought against Client alleging (a) that the use of a Service in accordance with this Agreement infringes any intellectual property right or violates applicable law, (b) injury to or death of any individual, or any loss of or damage to real or tangible personal property caused by the act or omission of Janrain or any of its agents, subcontractors, or employees, or (c) disclosure or exposure of personally identifiable information caused by a Janrain violation of its obligations under this Agreement. This indemnification will be for any damages, attorney fees and costs finally awarded against Client as a result of, or for amounts paid by Client under a court-approved settlement of, a Claim Against Client, provided Client (i) promptly gives Janrain written notice of the Claim Against Client, (ii) gives Janrain sole control of the defense and settlement of the Claim Against Client (except that Janrain may not settle any Claim Against Client unless it unconditionally releases Client of all liability), and (iii) gives Janrain all reasonable assistance, at Janrain’s expense. The above defense and indemnification obligations do not apply to the extent a Claim Against Client arises from Client’s violation of the law or breach of this Agreement.
11.2. Indemnification by Client. Client will defend and indemnify Janrain against any “Claim Against Janrain,” meaning any third party claim, suit, or proceeding brought against Janrain arising from Client’s use of the Services in violation of the Agreement or applicable law. This indemnification will be for any damages, attorney fees and costs finally awarded against Janrain as a result of, or for amounts paid by Janrain under a court-approved settlement of, a Claim Against Janrain, provided Janrain (i) promptly gives Client written notice of the Claim Against Janrain, (ii) gives Client sole control of the defense and settlement of the Claim Against Janrain (except that Client may not settle any Claim Against Janrain unless it unconditionally releases Janrain of all liability), and (iii) gives Client all reasonable assistance, at Client’s expense. The above defense and indemnification obligations do not apply to the extent a Claim Against Janrain arises from Janrain’s violation of the law or breach of this Agreement.
11.3. Exclusive Remedy. This Section 11 states the indemnifying Party’s sole liability to, and the indemnified Party’s exclusive remedy against, the other party for any type of claim described in this Section 11.
12.1. Limit. JANRAIN’S LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE ANNUAL SUBSCRIPTION FEE, EXCEPT THAT JANRAIN’S LIABILITY TO INDEMNIFY CLIENT PURSUANT TO SECTION 11 (INDEMNITY) WILL NOT EXCEED TWO TIMES THE ANNUAL SUBSCRIPTION FEE.
12.2. No Consequential Damages. NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OR ANY LOST REVENUE OR PROFITS WHETHER AN ACTION IS IN CONTRACT, TORT, OR UNDER ANY OTHER THEORY OF LIABILITY AND WHETHER THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, EXCEPT TO THE EXTENT PROHIBITED BY APPLICABLE LAW.
If Janrain fails to meet its Availability Commitment in any calendar month and the total Qualifying Downtime during such month does not exceed four hours, per each hour or part thereof, Client will be eligible for a service credit of 5% of the subscription Fee for the unavailable Subscription Service (for the affected instance(s), if Client has multiple instances running) pro-rated for that month; but if the total Qualifying Downtime during a calendar month exceeds four hours, Client will be eligible for a service credit of 50% of such subscription Fee pro-rated for that month. Service Credits will be issued as credits against subscription renewal Fees or, if the subscription is not renewed, the credits will be paid to Client in the form of a refund within 30 days after the subscription termination date. To receive a service credit hereunder, Client must provide written notice to Janrain of its service credit claim within 10 business days following the end of the applicable month. All Service Credit claims are subject to verification by Janrain. Service credits are Client’s sole and exclusive remedy for any failure to meet the Availability Commitment. Service credits are not available for any Subscription Service provided without charge.
This Appendix B highlights the administrative, physical and logical security and privacy safeguards and features (“Safeguards”), which Janrain provides under the Agreement to help protect the security, confidentiality, and integrity of Client Data and protect User privacy. These Safeguards are applicable to all facilities and systems that store and transmit Client Data. Janrain provides security at the systems and applications layers while its cloud provider, Amazon Web Services (“AWS”), provides security for its infrastructure and data centers.
Janrain undergoes the following examinations on an annual basis and will provide proof of certification or compliance upon Client’s request.
Janrain has implemented, maintains, and updates as necessary on no less than an annual basis, a cross-company, formal Information Security Management System (“InfoSec System”) of written policies, procedures, and practices designed to secure Client Data and confidential information and to effectively assess, manage, and respond to information security risks. Among other controls Janrain has implemented as part of this InfoSec System are asset management, access management, change management, software development lifecycle management, and vendor security screening. An accredited third party auditor has certified this InfoSec System as meeting ISO 27001:2013 standards.
An accredited third party auditor has confirmed that Janrain’s processes, procedures and controls related to our Customer Identity and Access Management platform are in accordance with the Security, Availability and Confidentiality Trust Principles and Criteria established by the American Institute of Certified Public Accountants. This confirms that the Janrain platform is designed and managed to safeguard and maintain the confidentiality of Client Data.
An accredited third party auditor has provided an attestation that Janrain complies with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information (PHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Under the Health Information Technology For Economic and Clinical Health Act (HITECH), the HIPAA Security Rule applies to covered entity business associates, including PHI processors.
Janrain has implemented a privacy program to help Janrain maintain compliance with its contractual commitments and applicable laws. The program includes the practice of privacy by design and default so that Janrain can consider and address privacy concerns at an early stage of product development. Janrain acknowledges that Client is the owner and controller of Client Data and that Janrain is the processor of Client Data. Janrain will process Client Data as instructed by Client in accordance with this Agreement and will not transfer or disclose Client Data to any third party in the absence of Client’s prior written direction, except if required by legal process, in which event, and to the extent legally permissible, Janrain promptly will notify Client of the receipt of such legal process and reasonably assist Client in efforts to limit such required disclosure. Client may choose to have Client Data hosted in a particular region where Janrain offers hosting by specifying the hosting region in writing at the time Client orders Services. Janrain will certify itself as a participant in the E.U.-U.S. and Swiss-U.S. Privacy Shield frameworks and maintain its certification once and as long as the frameworks are recognized by the European Union and Switzerland respectively as providing adequate assurance of data security. TRUSTe® has certified Janrain’s privacy practices.
All hosting locations employ industry best practices, including badge and/or biometric access entry systems, redundant power sources, redundant air conditioning units and fire suppression systems. Security personnel and cameras monitor these locations 24 hours a day, 365 days a year. Only authorized personnel are allowed inside any AWS data center and all accesses are logged. For details on the best practice physical security and other controls, which AWS has implemented, and its ISO 27001:2013; SOC 1; SOC 2; and other certifications, see Amazon Compliance. Janrain operations offices are secured with key and camera systems and visitor access is controlled.
Janrain employees are required to provide specific documents verifying identity and undergo federal and state criminal background checks prior to being hired. Janrain trains all new employees about their confidentiality, privacy and information security obligations as part of their new employee training. We require all our employees and contractors to sign confidentiality agreements to protect confidential information. A compulsory annual security and privacy training requirement ensures employees refresh their knowledge and understanding. In addition, Janrain communicates with all personnel about privacy and information security awareness through regular newsletters.
All social and conventional (user ID/password) logins and retrieval queries will be encrypted using transport layer security (TLS), ensuring a secure connection to the Subscription Services and Client Data. We will provision, manage and renew all SSL certificates (of at least 2048-bits) on behalf of Client to secure Client communications with the Subscription Services. For Janrain single sign-on, which passes Client authentication state data (and optionally, identity information) between sites within a predefined circle of trust, Janrain will manage a hardened whitelist that will be verified at the time of transaction prior to passing any sensitive Client Data. To protect personally identifiable information (PII) and all other Client Data, access to Client Data retrieved via the Subscription Services is possible only with a valid access token, which is delivered to a User during authentication.
Each Subscription Service application instance deployed for Client and associated Client Data will be isolated in their own logically discrete production environment. Unique session tokens, configurable session timeout values, and password policies are applied to prevent unauthorized access. Data at rest in development, production, and backup environments are encrypted with full disk encryption. Passwords stored in Client databases are one-way hashed.
In both the development process and the production environment, Janrain seeks to protect against attacks on or disruption of the Subscription Services or attempts to compromise the privacy and confidentiality of Client Data. Technical measures deployed include (1) firewalls for all data entering Janrain’s internal data network from any external source; (2) virus protection programs and techniques to prevent harmful software code from affecting the Subscription Services or Client Data; (3) continuous monitoring of systems used throughout the Subscription Services; and (4) annual penetration and vulnerability testing by a reputable third party vendor.
Only authorized operations personnel have access to Janrain production systems, for which multi-factor authentication is required. Access credentials to production systems are not shared. We maintain audit trails for all production access and restrict and monitor physical access at production facilities. Janrain employee access to Client Data is restricted to legitimate business use only, including activities needed to support Client’s use of the Subscription Services. Janrain Subscription Services enable Client to easily provide their partners, customer service representatives and other members of their organization with selective access to Client Data while continuing to protect sensitive User information. Subscription Services dashboard access is scoped and enforced via roles.
Janrain services are highly scalable and redundant, permitting fluctuations in usage while reducing the threat of significant outages. All client data is stored in secure AWS data centers with quick replication feasible in the event of a disaster. Janrain operates under a Business Continuity and Disaster Recovery Plan and conducts full Business Continuity testing annually. Janrain backs up Client Data on a daily basis to servers in different locations than where Client Data in production is hosted. All backups are fully encrypted. Pursuant to Section 7.4 of the Agreement, Janrain will delete all Client Data applications and directories and the underlying data blocks will be overwritten, so they are not recoverable. When no longer useful, all electronic media once utilized to store Client Data are degaussed and physically destroyed in accordance with best practices. Printed confidential information is disposed of in secure containers and shredded on a regular basis.
Janrain will maintain a formal security event monitoring, reporting and response capability to identify, report and appropriately respond to known or suspected security events. In the event of an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Data or Client Confidential Information (“Information Security Breach”), Janrain will (i) as soon as possible after its discovery, but within 48 hours, notify Client of the Information Security Breach and its effect on Client Data, (ii) promptly investigate and remediate the Information Security Breach and provide Client regular updates during the investigative and remedial phases, and (iii) take all reasonable measures to prevent the breach from occurring again.
Users may submit personal data to Client Online Properties through the use of the Subscription Services. Janrain’s Subscription Services facilitate compliance with the EU General Data Protection Regulation and other privacy statutes. For example, personal data is submitted with notice to, and the consent of, the individual User via permission screens. In addition, email opt-out/opt-in options are configurable as part of our User registration flows. Client may, at any time, access Client Data, while Users have the ability to update their personal data. The Subscription Services include tools that permit Client to manage the privacy settings of select data fields and optionally delete Client Data in a particular Record. Janrain maintains an audit trail detailing changes to Records. In addition, Janrain provides the ability for Client to receive real time notification of User Record changes and deletions.
Because Janrain, and its underlying hosting services provider, Amazon Web Services (AWS), each submit to third party audits and make audit information as well as penetration test reports available to Clients, any security or privacy-related audit requested by Client shall not occur more than once a year for a Fee of $14,500 and the schedule and scope for such an audit will be specified in a SOW with Client to bear its own costs. Pursuant to such a SOW, Janrain will allow Client or a designated third party, access to Janrain’s facilities, systems, books and records in order to audit and ascertain compliance by Janrain with the terms of this Agreement. Janrain will reasonably cooperate with such audits. Before undertaking any audit, Client will first consider the results of the most recent independent certifications and reviews of Janrain’s and AWS security-related systems and processes, which will be made available to Client upon request, subject to Client’s execution of any required non-disclosure agreement required by AWS. Because of security concerns raised by visits to its facilities, the audit rights granted herein do not extend to AWS sites, systems, and processes.