
Subscription Agreement



You may not access the Services for the purpose of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purpose.

This Agreement is between You and Janrain, Inc., a Delaware corporation with its principal offices located in Portland, Oregon (“Janrain”). Customer and Janrain are each referred to below as a “Party” and together the “Parties.” This Agreement, which is effective as of the date of Customer acceptance, states the general terms and conditions applicable to the Services (defined below) which Janrain will provide to Customer pursuant to the terms herein, the Order Form which incorporates this Agreement by reference, and any related SOW (defined below).


“Client Data” means electronic data pertaining to a User and/or thing and submitted by a User to a Client Property through use of the Subscription Services or provided by Client to Janrain for storage in a Record; “Client Property” means a website or mobile application owned or operated by Client and/or its agent; “Documentation” means the technical documentation made available by Janrain to Client that describes the components, operation, and functionality of the Subscription Services, including such descriptions in a SOW; “ID Providers” are third party social network and other User identity providers from whom Client Data may be processed and shared depending on Client’s desired configuration of the Subscription Services; “Order Form” means the Janrain document used to order Services hereunder, which is mutually executed by the Parties, and constitutes a binding commitment to purchase the Subscription Services ordered therein; “Professional Services” means work performed by Janrain or its permitted subcontractors under a SOW or Order Form, including the provision of any deliverables specified in any such SOW or Order Form; “Record” means a Client Data record stored in a database maintained by Janrain for Client, if Client has ordered a Subscription Service that includes such storage; “SDK” means a software development kit developed by Janrain and made available for Client’s use in connection with Client mobile applications; “Services” means Subscription Services and Professional Services; “SOW” means a Statement of Work prepared by Janrain and executed by the Parties that describes any Professional Services ordered by Client and includes applicable assumptions, deliverables, and a schedule for their delivery; “Subscription Services” means those customer identity and access management and related services ordered by Client under an Order Form and made available online by Janrain as further described in the Order Form and Documentation; “Subscription Term” means the term commencing on the subscription start date stated in the Order Form and continuing for the period stated on the Order Form, subject to any adjustment and/or renewal as described herein; “User” means each unique, individual person authorized by Client to interact with the Subscription Services.


2.1. Order Form. Services are purchased via an Order Form.

2.2. Subscription Services. Subscription Services are purchased as subscriptions to access and use the Subscription Services for the number of Client Online Properties, User or Record capacity, and Subscription Term specified in an Order Form. Janrain will count the number of Users or, if applicable, Records, and display the current total to Client within the Subscription Services online administration dashboard. A User is counted when the User initially uses the Subscription Services to register or log in on a Client Property, and a Record is counted when it is created. Production and non-production (e.g., development and testing) environments owned or operated by Client or Client’s agent for a single Client Property are counted collectively as one Client Property.

2.3. Adding User/Record Capacity and Client Properties for Subscription Services. Subscriptions for additional User or Record capacity or Client Properties may be purchased during a Subscription Term for the pricing stated in the underlying subscription Order Form and any added subscriptions will terminate on the same date as the underlying subscription, unless otherwise specified in the Order Form.

2.4. Subscription Service Renewal. Each subscription for a Subscription Service will automatically renew for a 12-month Subscription Term unless either Party notifies the other at least thirty days prior to the commencement of the renewal term that it does not want the subscription to renew.


3.1. Provisioning. Janrain will provide the Services pursuant to this Agreement, including applicable Order Forms and any SOWs. Subscription Services will be provided 24 hours a day, 7 days a week in accordance with the Service Level Agreement (SLA) in Appendix A hereto. Client will provide assistance reasonably requested by Janrain in connection with the provisioning of the Subscription Services. Use of ID Providers’ services is subject to their availability from ID Providers. Professional Services will be provided in accordance with applicable SOWs. The Parties may change a SOW only by a written change order document signed by the Parties.

3.2. Support. Support is provided for the Subscription Services as described below. Support services include Client access to the support portal and reporting on any SLA violation as specified in the Support Appendix to the Order Form:

  • Production Technical Support: Production support applies to all Janrain Subscription Services that are in a production environment for Client Properties and covered by the Janrain Service Level Agreement (SLA) at Appendix A hereto. Production Technical Support consists of initial response and resolution of technical issues as indicated in the Production Technical Support Chart below; access to Janrain’s Documentation regarding the installation, function, and operation of the Subscription Services; and Subscription Service releases provided to all Janrain Clients, with the timing of releases at Janrain’s discretion. Production Technical Support does not include Client development issues, debugging code not maintained by Janrain, assistance regarding use of third party components not provided by Janrain, or use of the Subscription Services other than as described in the Documentation. Client is responsible for providing direct support to Users.
  • Development Support: Development support applies to all Janrain Subscription Services that are in a development or staging environment, as well as development changes to production applications. Effort is tracked on an hourly basis. (Development Support is not available at the Bronze support service level.)

Client will initiate all support requests by initiating a support ticket at Janrain will use commercially reasonable efforts to meet the initial response and resolution goal service level objectives specified in the Support Appendix according to the severity level of the particular issue. Resolution times start once Client has notified Janrain of the incident via the Janrain support ticket system and, if requested, provided to Janrain transaction data and reproducible test case data necessary to determine the nature of the error at issue and to isolate any defect(s). Client acknowledges that Janrain’s ability to provide satisfactory support services is dependent on Janrain having the information necessary to replicate the reported problem with the Subscription Services and real-time access to Client personnel who are knowledgeable about the problem. Load testing is prohibited without prior scheduling with Janrain. Client agrees not to run scripts that could endanger the performance of the Subscription Services without Janrain’s prior written permission.

3.3. Administrative Rights. Subscription Services include a restricted-access administrative interface to allow Client’s designated employees or agents (“Administrative Users”) to access the configuration and settings components so they can manage, configure and monitor the Subscription Services for Client benefit. Janrain will provide each Administrative User designated by Client with access to and use of the administrative interface.

3.4. Regulatory Compliance and Protection of Hosted Data. Janrain will provide the Services in compliance with all laws and regulations applicable to it and the Services and with its Security and Privacy Safeguards described in Appendix B.


4.1. Client Responsibilities. Client will (a) establish and apply to Users privacy policies consistent with Client’s use of the Subscription Services as permitted under this Agreement, (b) be responsible for ensuring the security and confidentiality of Administrative User access passwords, be solely liable for any damages resulting from Client’s failure to maintain such security and confidentiality, and notify Janrain promptly of any unauthorized access or use, (c) use the Subscription Services only in accordance with all applicable laws and government regulations and Client’s representations to Users, and (d) to the extent Client is using Subscription Services to receive data from any ID Providers, comply with such ID Providers’ API platform policies and terms of use. Client represents that it is not named on any U.S. government denied-party list.

4.2. Restrictions. Client will not (a) use the Subscription Services or make them available for use except as permitted hereunder; (b) sell, rent or lease the Subscription Services; (c) reverse engineer or otherwise attempt to discover the underlying software to the Subscription Services (unless this restriction is not permitted under applicable law); (d) knowingly permit Users to access or use any Service in a country embargoed by the U.S. (currently Cuba, Iran, North Korea, Sudan or Syria) or in violation of any U.S. export law or regulation; or (e) use the Subscription Services to store financial or credit account numbers, social security or other government issued personal identification numbers, driver license numbers, or personal health information.

5. FEES AND PAYMENT.

5.1. Fees. All fees for purchased Services (“Fees”) will be itemized on the applicable Order Form. Except as otherwise specified herein, (a) Fees are based on Services purchased, not actual usage, (b) payment obligations are non-cancellable and Fees are non-refundable, and (c) capacity and quantities purchased cannot be decreased during the relevant Subscription Term.

5.2. Travel Expenses. Client will reimburse Janrain for reasonable travel expenses, if any, directly related to the performance of the Services under this Agreement, provided that the travel is approved in writing by email in advance of the travel. Approved travel expenses, if any, will be billed separately. In no event will travel time be billable.

5.3. Taxes. Fees do not include any taxes (including any withholding taxes) assessable by any jurisdiction (collectively, “Taxes”). Client is responsible for paying all Taxes associated with its purchases hereunder. If Janrain has the obligation to collect or pay Taxes for which Client is responsible under this Section 5.3, Janrain will invoice such Taxes and Client will pay them to Janrain unless Client provides Janrain with a valid taxation exemption certificate from the relevant taxing authority. Janrain is solely responsible for taxes assessable against Janrain based on its income, property, and employees.

5.4. Payment. All properly invoiced amounts are due and payable in United States currency within thirty (30) days following the invoice date (or thirty (30) days following the renewal date for any renewed Subscription Service) unless a different currency and period is specified in the Order Form. Payment Invoices will be sent to the address included on the invoice unless Client instructs Janrain otherwise in writing. If payment of any properly invoiced amount is not received by Janrain by the due date, then without limiting Janrain’s rights or remedies, (a) the invoiced amount may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, and/or (b) Janrain may condition future subscription renewals and Order Forms on payment terms shorter than those specified herein.


Client and its Users may access and use the Subscription Services pursuant to this Agreement. Janrain retains all right, title, and interest in and to the Subscription Services and this Agreement does not grant Client any intellectual property rights in the Subscription Services or its components except as stated otherwise in this section. Client may make a reasonable number of copies of the Documentation and SDKs at no extra charge for its use of the Subscription Services. If Janrain provides to Client any deliverables under a SOW, Client will own such deliverables, except for any Janrain intellectual property contained therein to which Janrain hereby grants to Client and Client’s agents a worldwide, nonexclusive, non-transferable, royalty-free right to use such intellectual property in connection with the Subscription Services. Client will retain ownership of all Client Data and any materials provided by Client for use with the Subscription Services. Janrain will obtain no rights therein, except the right to access and use Client Data and such materials as required to provision the Subscription Services to Client.


7.1. Agreement Term. This Agreement will continue in effect until terminated as set forth herein.

7.2. Termination. This Agreement and any Order Form may be terminated (a) by either Party if the other Party breaches this Agreement and does not cure the breach within thirty (30) days after receiving written notice thereof from the non-breaching Party, or (b) by either Party upon written notice if the other Party becomes the subject of a petition for bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. Otherwise, the Agreement will terminate 30 days after the most recent Order Form is no longer in effect.

7.3. Effect of Termination. Upon any termination of this Agreement or an Order Form, without prejudice to any other rights or remedies which the Parties may have, (i) all rights to use the Subscription Services will terminate, (ii) Client will pay to Janrain any outstanding Fees that have accrued hereunder prior to the date of termination, and (iii) if Client terminates the Agreement pursuant to Section 7.2(a) or (b), Janrain will refund to Client any prepaid fees for the terminated period. See Appendix B for Client Data transfer and deletion following Termination.

7.4. Client Data Transfer and Deletion. Upon Client request via the standard support process and made within 30 days after the effective date of Agreement termination or expiration, Janrain will make all Client Data available to Client for transfer via FTP or other secure mechanism agreed upon by the Parties. After that 30-day period, unless the Parties otherwise agree in writing, Janrain will delete all copies of Client Data in Janrain’s systems or otherwise in Janrain’s possession as further described in Section 8 of Agreement Appendix B.


Janrain, at its own expense, will maintain at a minimum the following insurance coverage in US dollar amounts throughout the Agreement term: (a) Commercial General Liability Insurance: $4,000,000 per occurrence combined single limit, (b) Commercial Automobile Liability Insurance: $1,000,000 per occurrence combined single limit, (c) Umbrella/Excess Liability Insurance: $3,000,000 per occurrence combined single limit, (d) Worker’s Compensation Insurance: an amount no less than the statutory limit of coverage within the relevant state of employment, and (e) Errors and Omissions Insurance (also known as Professional Liability and Cyber Liability Insurance): $5,000,000 per occurrence combined single limit. Upon Client’s written request, Janrain will provide Client with a certificate of insurance stating Janrain’s current insurance coverage.


“Confidential Information” means, with respect to a Party disclosing information (the “Disclosing Party”), information that pertains to such Party’s business, including, without limitation, technical, marketing, financial, pricing and other information. Confidential Information will be designated and/or marked as confidential when disclosed, provided that any information that the Party receiving such information (the “Receiving Party”) knew or reasonably should have known under the circumstances, was considered confidential or proprietary by the Disclosing Party, will be considered the Disclosing Party’s Confidential Information even if not designated or marked as such. Client Data will be considered Client’s Confidential Information. To protect a Disclosing Party’s Confidential Information, the Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own Confidential Information of like kind (but no less than reasonable care). The Receiving Party will use Disclosing Party’s Confidential Information only to exercise rights and perform obligations under this Agreement and will disclose it only to those employees and contractors of the Receiving Party with a need to know such information and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those herein. 
The Receiving Party will not be liable to the Disclosing Party for the release of Confidential Information if such information: (a) was known to the Receiving Party on or before the Agreement effective date without restriction as to use or disclosure; (b) is released into the public domain through no fault of the Receiving Party; (c) was independently developed solely by the employees of the Receiving Party who have not had access to Confidential Information; or (d) is disclosed as required by legal process, provided that, to the extent legally permissible, the Receiving Party will notify the Disclosing Party promptly of such required disclosure and reasonably assist the Disclosing Party in efforts to limit such required disclosure.


Each Party represents and warrants that it has the legal power to enter into and perform its obligations under this Agreement. Janrain warrants that (a) during the Subscription Term the Subscription Services will perform materially as described in the Documentation; (b) Subscription Services contain no viruses or other computer instructions or technological means intended to disrupt, damage, or interfere with the use of computers or related systems; (c) Professional Services will be performed in a professional and workmanlike manner; (d) the Services will comply with all applicable laws; and (e) it is the owner of the Subscription Services and every component thereof or the recipient of a valid license thereto, and will maintain the authority to grant the intellectual property and other rights granted in this Agreement. In the event of a breach of the warranty at Section 10.(a) or 10.(c), Janrain will diligently remedy any deficiencies that cause the Services to not conform to the foregoing warranty promptly after its receipt of written notice from Client. In the event of a breach of the warranty at Section 10.(d), Janrain, at its own expense, will (i) secure the right for Client’s continued access and use of the Subscription Service; (ii) modify the Subscription Service to make it noninfringing, provided that the same material functionality is maintained; or (iii) terminate Client’s subscription for that Subscription Service upon 30 days written notice and refund Client any prepaid fees covering the remainder of the term of the terminated subscription. Janrain will not be liable to the extent that any breach of the foregoing warranties is caused by use of the Subscription Services in breach of this Agreement or Viruses introduced by Client or its agents. 
EXCEPT AS EXPRESSLY PROVIDED HEREIN, NEITHER PARTY MAKES ANY WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.


11.1. Indemnification by Janrain. Janrain will defend and indemnify Client against any “Claim Against Client,” meaning any third party claim, suit, or proceeding brought against Client alleging (a) that the use of a Service in accordance with this Agreement infringes any intellectual property right or violates applicable law, (b) injury to or death of any individual, or any loss of or damage to real or tangible personal property caused by the act or omission of Janrain or any of its agents, subcontractors, or employees, or (c) disclosure or exposure of personally identifiable information caused by a Janrain violation of its obligations under this Agreement. This indemnification will be for any damages, attorney fees and costs finally awarded against Client as a result of, or for amounts paid by Client under a court-approved settlement of, a Claim Against Client, provided Client (i) promptly gives Janrain written notice of the Claim Against Client, (ii) gives Janrain sole control of the defense and settlement of the Claim Against Client (except that Janrain may not settle any Claim Against Client unless it unconditionally releases Client of all liability), and (iii) gives Janrain all reasonable assistance, at Janrain’s expense. The above defense and indemnification obligations do not apply to the extent a Claim Against Client arises from Client’s violation of the law or breach of this Agreement.

11.2. Indemnification by Client. Client will defend and indemnify Janrain against any “Claim Against Janrain,” meaning any third party claim, suit, or proceeding brought against Janrain arising from Client’s use of the Services in violation of the Agreement or applicable law. This indemnification will be for any damages, attorney fees and costs finally awarded against Janrain as a result of, or for amounts paid by Janrain under a court-approved settlement of, a Claim Against Janrain, provided Janrain (i) promptly gives Client written notice of the Claim Against Janrain, (ii) gives Client sole control of the defense and settlement of the Claim Against Janrain (except that Client may not settle any Claim Against Janrain unless it unconditionally releases Janrain of all liability), and (iii) gives Client all reasonable assistance, at Client’s expense. The above defense and indemnification obligations do not apply to the extent a Claim Against Janrain arises from Janrain’s violation of the law or breach of this Agreement.

11.3. Exclusive Remedy. This Section 11 states the indemnifying Party’s sole liability to, and the indemnified Party’s exclusive remedy against, the other party for any type of claim described in this Section 11.





Client will cooperate with Janrain’s request to review drafts of all appropriate press releases and other public announcements relating to the subject matter of this agreement and the relationship between the parties, but neither Party will issue any such announcement without the other party’s prior written consent, which will not be unreasonably withheld or delayed. Client grants Janrain the right to use Client’s name and logo on Janrain’s website and/or in Janrain’s marketing materials, solely to identify Client as a Janrain client.


Janrain may compile, use, and publicly disclose information related to the use and performance of its Subscription Services by its clients and their users (e.g., social log in trends), provided that such information does not include personally identifiable information or Client Confidential Information, or identify Client or any User.


Neither Party may assign this Agreement or any of its rights or obligations hereunder without the other Party’s prior written consent, except that either Party may assign this Agreement to the surviving party in a merger of that Party into another entity or in an acquisition of all or substantially all that Party’s assets, provided that the assignee agrees in writing to be bound by all the assigning Party’s rights and obligations stated in the Agreement. Any attempted assignment, transfer or delegation in violation of the foregoing will be null and void. Except to the extent forbidden in this Section 15, this Agreement will be binding upon and inure to the benefit of the parties’ respective successors and assigns.


The Parties acknowledge that each Subscription Service and each Party’s Confidential Information is a unique property, and the unauthorized use thereof will cause the injured Party irreparable harm that may not be adequately compensated by monetary damages. Accordingly, the Parties agree that the injured Party will, in addition to other remedies available to it at law or in equity, be entitled to seek injunctive relief to enforce the terms of this Agreement, including to prevent any actual or threatened unauthorized use of each Party’s Confidential Information, the Subscription Services, or any information or data contained therein.


This Agreement will be governed by and interpreted in accordance with the laws of the State of Oregon and controlling United States law without regard to Oregon’s choice of law rules, and any legal action or proceeding arising out of or related to this Agreement will be brought exclusively in the courts located in Portland, Multnomah County, Oregon. The prevailing Party in any lawsuit will be entitled to recover payment of its reasonable attorney’s fees from the other Party in addition to any other relief to which the prevailing Party may be entitled. The United Nations Convention on Contracts for the International Sale of Goods will not apply to the interpretation or enforcement of this Agreement.


This Agreement includes its Appendices A and B and incorporates herein by reference each Order Form, SOW, and any schedules, appendices, amendments, or change orders thereto signed by the Parties. This Agreement constitutes the complete agreement between the Parties and supersedes all prior and contemporaneous agreements, proposals or representations, whether oral or written, concerning its subject matter. No modification, amendment, or waiver of any provision of this Agreement will be effective unless it specifically refers to this Agreement, is in writing, and is signed by the Parties.


If any provision of this Agreement is held to be null, void or otherwise ineffective or invalid by a court of competent jurisdiction, (a) such provision will be deemed to be restated to reflect as nearly as possible the original intentions of the Parties in accordance with applicable law, and (b) the remaining terms, provisions, covenants and restrictions of this Agreement will remain in full force and effect.


In the event of any inconsistency between an Order Form and other parts of this Agreement, the terms of the Order Form will be controlling. The terms on any purchase order or similar Client document submitted to Janrain will have no effect on this Agreement and are hereby rejected.


The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the Parties.


The Parties do not intend to confer, and this Agreement shall not be construed to confer, any rights or benefits to any person, firm, group, corporation or entity other than the Parties.


All notices under this Agreement must be delivered in writing in person, by courier, or by certified or registered mail (postage prepaid and return receipt requested) to the other Party at its address stated at the beginning of this Agreement and to the person designated in the latest Order Form to receive such notice. Notices will be deemed effective upon receipt. Either Party may change the recipient or its address for notices by providing notice to the other Party as specified herein.


No failure or delay by either Party in exercising any right under this Agreement will constitute a waiver of that right.


All provisions of this Agreement that must survive this Agreement to fulfill their essential purpose will so survive.



1. Applicable Definitions
  • “Availability” means the period following deployment in a production environment when the Subscription Services are not affected by Downtime.
  • “Availability Commitment” means a monthly Availability of 99.95% or higher for Identity Service and Global Identity Service and of 99.90% or higher for Authentication Service and Registration Service.
  • “Downtime” means the period when none of Client’s Users are able to register or log in to Client Properties. In addition, with regard to a Janrain Extension Service running on Janrain’s infrastructure only, Downtime means the period that such Extension Service is not available for use by Client for reasons directly attributable to Janrain or its hosting services provider. Downtime begins when detected by Janrain.
  • “Force Majeure Event” means an event beyond the reasonable control of Janrain or its hosting service provider, including, but not limited to programming errors or security deficiencies in Client’s or third party applications; software bugs or other malfunction within Client’s applications or operating system, or any patches supplied by a third party vendor; earthquakes and floods and other acts of nature, terrorism, interruption or failure of telecommunication or digital transmission links, denial of service and other hostile network attacks, network congestion; and the failure or unavailability of one or more third-party social networking sites or other sites which are supported by the Subscription Services (e.g., Facebook, Google, etc.).
  • “Qualifying Downtime” means Downtime minus the period of Downtime attributable to a Force Majeure Event or any scheduled maintenance. (Scheduled maintenance is rare, and Janrain will notify Client at least 72 hours prior to any scheduled maintenance and will use commercially reasonable efforts to minimize its impact on Subscription Services availability.)
Service Credits

If Janrain fails to meet its Availability Commitment in any calendar month and the total Qualifying Downtime during such month does not exceed four hours, per each hour or part thereof, Client will be eligible for a service credit of 5% of the subscription Fee for the unavailable Subscription Service (for the affected instance(s), if Client has multiple instances running) pro-rated for that month; but if the total Qualifying Downtime during a calendar month exceeds four hours, Client will be eligible for a service credit of 50% of such subscription Fee pro-rated for that month. Service Credits will be issued as credits against subscription renewal Fees or, if the subscription is not renewed, the credits will be paid to Client in the form of a refund within 30 days after the subscription termination date. To receive a service credit hereunder, Client must provide written notice to Janrain of its service credit claim within 10 business days following the end of the applicable month. All Service Credit claims are subject to verification by Janrain. Service credits are Client’s sole and exclusive remedy for any failure to meet the Availability Commitment. Service credits are not available for any Subscription Service provided without charge.



This Appendix B highlights the administrative, physical and logical security and privacy safeguards and features (“Safeguards”), which Janrain provides under the Agreement to help protect the security, confidentiality, and integrity of Client Data and protect User privacy. These Safeguards are applicable to all facilities and systems that store and transmit Client Data. Janrain provides security at the systems and applications layers while its cloud provider, Amazon Web Services (“AWS”), provides security for its infrastructure and data centers.

1. Audited Security Controls and Certified Privacy Practices.

Janrain undergoes the following examinations on an annual basis and will provide proof of certification or compliance upon Client’s request.

  • ISO 27001:2013-Certified Information Security Management System
    Janrain has implemented, maintains, and updates as necessary on no less than an annual basis, a cross-company, formal Information Security Management System (“InfoSec System”) of written policies, procedures, and practices designed to secure Client Data and confidential information and to effectively assess, manage, and respond to information security risks. Among other controls Janrain has implemented as part of this InfoSec System are asset management, access management, change management, software development lifecycle management, and vendor security screening. An accredited third party auditor has certified this InfoSec System as meeting ISO 27001:2013 standards.
  • Service Organization Controls (SOC) 2 Type II-Compliant Platform System
    An accredited third party auditor has confirmed that Janrain’s processes, procedures and controls related to our Customer Identity and Access Management platform are in accordance with the Security, Availability and Confidentiality Trust Principles and Criteria established by the American Institute of Certified Public Accountants. This confirms that the Janrain platform is designed and managed to safeguard and maintain the confidentiality of Client Data.
  • HIPAA Security Rule Compliance
    An accredited third party auditor has provided an attestation that Janrain complies with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information (PHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Under the Health Information Technology For Economic and Clinical Health Act (HITECH), the HIPAA Security Rule applies to covered entity business associates, including PHI processors.
  • Privacy Shield Certification and TRUSTe®-Certified Privacy Practices
    Janrain has implemented a privacy program to help Janrain maintain compliance with its contractual commitments and applicable laws. The program includes the practice of privacy by design and default so that Janrain can consider and address privacy concerns at an early stage of product development. Janrain acknowledges that Client is the owner and controller of Client Data and that Janrain is the processor of Client Data. Janrain will process Client Data as instructed by Client in accordance with this Agreement and will not transfer or disclose Client Data to any third party in the absence of Client’s prior written direction, except if required by legal process, in which event, and to the extent legally permissible, Janrain promptly will notify Client of the receipt of such legal process and reasonably assist Client in efforts to limit such required disclosure. Client may choose to have Client Data hosted in a particular region where Janrain offers hosting by specifying the hosting region in writing at the time Client orders Services. Janrain will certify itself as a participant in the E.U.-U.S. and Swiss-U.S. Privacy Shield frameworks and maintain its certification once and as long as the frameworks are recognized by the European Union and Switzerland respectively as providing adequate assurance of data security. TRUSTe® has certified Janrain’s privacy practices.
2. Physical Security

All hosting locations employ industry best practices, including badge and/or biometric access entry systems, redundant power sources, redundant air conditioning units and fire suppression systems. Security personnel and cameras monitor these locations 24 hours a day, 365 days a year. Only authorized personnel are allowed inside any AWS data center and all accesses are logged. For details on the best practice physical security and other controls, which AWS has implemented, and its ISO 27001:2013; SOC 1; SOC 2; and other certifications, see Amazon Compliance. Janrain operations offices are secured with key and camera systems and visitor access is controlled.

3. Employee Hiring, Training, and Awareness

Janrain employees are required to provide specific documents verifying identity and undergo federal and state criminal background checks prior to being hired. Janrain trains all new employees about their confidentiality, privacy and information security obligations as part of their new employee training. We require all our employees and contractors to sign confidentiality agreements to protect confidential information. A compulsory annual security and privacy training requirement ensures employees refresh their knowledge and understanding. In addition, Janrain communicates with all personnel about privacy and information security awareness through regular newsletters.

4. Protecting Data in Transit

All social and conventional (user ID/password) logins and retrieval queries will be encrypted using transport layer security (TLS), ensuring a secure connection to the Subscription Services and Client Data. We will provision, manage and renew all SSL certificates (of at least 2048-bits) on behalf of Client to secure Client communications with the Subscription Services. For Janrain single sign-on, which passes Client authentication state data (and optionally, identity information) between sites within a predefined circle of trust, Janrain will manage a hardened whitelist that will be verified at the time of transaction prior to passing any sensitive Client Data. To protect personally identifiable information (PII) and all other Client Data, access to Client Data retrieved via the Subscription Services is possible only with a valid access token, which is delivered to a User during authentication.

5. Protecting Data at Rest

Each Subscription Service application instance deployed for Client and associated Client Data will be isolated in their own logically discrete production environment. Unique session tokens, configurable session timeout values, and password policies are applied to prevent unauthorized access. Data at rest in development, production, and backup environments are encrypted with full disk encryption. Passwords stored in Client databases are one-way hashed.

6. Other Technical Measures to Reduce Risk

In both the development process and the production environment, Janrain seeks to protect against attacks on or disruption of the Subscription Services or attempts to compromise the privacy and confidentiality of Client Data. Technical measures deployed include (1) firewalls for all data entering Janrain’s internal data network from any external source; (2) virus protection programs and techniques to prevent harmful software code from affecting the Subscription Services or Client Data; (3) continuous monitoring of systems used throughout the Subscription Services; and (4) annual penetration and vulnerability testing by a reputable third party vendor.

7. Restricted Access to Systems and Client Data

Only authorized operations personnel have access to Janrain production systems, for which multi-factor authentication is required. Access credentials to production systems are not shared. We maintain audit trails for all production access and restrict and monitor physical access at production facilities. Janrain employee access to Client Data is restricted to legitimate business use only, including activities needed to support Client’s use of the Subscription Services. Janrain Subscription Services enable Client to easily provide their partners, customer service representatives and other members of their organization with selective access to Client Data while continuing to protect sensitive User information. Subscription Services dashboard access is scoped and enforced via roles.

8. Redundancy, Disaster Recovery, Backups, and Deletion

Janrain services are highly scalable and redundant, permitting fluctuations in usage while reducing the threat of significant outages. All client data is stored in secure AWS data centers with quick replication feasible in the event of a disaster. Janrain operates under a Business Continuity and Disaster Recovery Plan and conducts full Business Continuity testing annually. Janrain backs up Client Data on a daily basis to servers in different locations than where Client Data in production is hosted. All backups are fully encrypted. Pursuant to Section 7.4 of the Agreement, Janrain will delete all Client Data applications and directories and the underlying data blocks will be overwritten, so they are not recoverable. When no longer useful, all electronic media once utilized to store Client Data are degaussed and physically destroyed in accordance with best practices. Printed confidential information is disposed of in secure containers and shredded on a regular basis.

9. Information Security Event Management and Breach Notification

Janrain will maintain a formal security event monitoring, reporting and response capability to identify, report and appropriately respond to known or suspected security events. In the event of an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Data or Client Confidential Information (“Information Security Breach”), Janrain will (i) as soon as possible after its discovery, but within 48 hours, notify Client of the Information Security Breach and its effect on Client Data, (ii) promptly investigate and remediate the Information Security Breach and provide Client regular updates during the investigative and remedial phases, and (iii) take all reasonable measures to prevent the breach from occurring again.

10. Privacy-Facilitating Technology

Users may submit personal data to Client Online Properties through the use of the Subscription Services. Janrain’s Subscription Services facilitate compliance with the EU General Data Protection Regulation and other privacy statutes. For example, personal data is submitted with notice to, and the consent of, the individual User via permission screens. In addition, email opt-out/opt-in options are configurable as part of our User registration flows. Client may, at any time, access Client Data, while Users have the ability to update their personal data. The Subscription Services include tools that permit Client to manage the privacy settings of select data fields and optionally delete Client Data in a particular Record. Janrain maintains an audit trail detailing changes to Records. In addition, Janrain provides the ability for Client to receive real time notification of User Record changes and deletions.

11. Client Audits

Because Janrain, and its underlying hosting services provider, Amazon Web Services (AWS), each submit to third party audits and make audit information as well as penetration test reports available to Clients, any security or privacy-related audit requested by Client shall not occur more than once a year for a Fee of $14,500 and the schedule and scope for such an audit will be specified in a SOW with Client to bear its own costs. Pursuant to such a SOW, Janrain will allow Client or a designated third party, access to Janrain’s facilities, systems, books and records in order to audit and ascertain compliance by Janrain with the terms of this Agreement. Janrain will reasonably cooperate with such audits. Before undertaking any audit, Client will first consider the results of the most recent independent certifications and reviews of Janrain’s and AWS security-related systems and processes, which will be made available to Client upon request, subject to Client’s execution of any required non-disclosure agreement required by AWS. Because of security concerns raised by visits to its facilities, the audit rights granted herein do not extend to AWS sites, systems, and processes.