THIS AGREEMENT GOVERNS YOUR ACQUISITION AND USE OF JANRAIN, INC. SERVICES.
BY ACCEPTING THIS AGREEMENT, EITHER BY EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT OR BY CLICKING A BOX INDICATING YOUR ACCEPTANCE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS “YOU” OR “YOUR” AND “CLIENT” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICES.
You may not access the Services for the purpose of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purpose.
This Agreement is between You and Janrain, Inc., a Delaware corporation with its principal offices located in Portland, Oregon (“Janrain”). Customer and Janrain are each referred to below as a “Party” and together the “Parties.” This Agreement, which is effective as of the date of Customer acceptance, states the general terms and conditions applicable to the Services (defined below) which Janrain will provide to Customer pursuant to the terms herein, the Order Form which incorporates this Agreement by reference, and any related SOW (defined below).
“Client Data” means electronic data pertaining to a User and/or thing and submitted by a User to a Client Property through use of the Subscription Services or provided by Client to Janrain for storage in a Record;
“Client Property” means a website or mobile application owned or operated by Client and/or its agent;
“Documentation” means the technical documentation made available by Janrain to Client that describes the components, operation, and functionality of the Subscription Services, including such descriptions in a SOW;
“ID Providers” are third party social network and other User identity providers from whom Client Data may be processed and shared depending on Client’s desired configuration of the Subscription Services;
“Order Form” means the Janrain document used to order Services hereunder, which is mutually executed by the Parties, and constitutes a binding commitment to purchase the Subscription Services ordered therein;
“Professional Services” means work performed by Janrain or its permitted subcontractors under a SOW or Order Form, including the provision of any deliverables specified in any such SOW or Order Form;
“Record” means a Client Data record stored in a database maintained by Janrain for Client, if Client has ordered a Subscription Service that includes such storage;
“SDK” means a software development kit developed by Janrain and made available for Client’s use in connection with Client mobile applications;
“Services” means Subscription Services and Professional Services;
“SOW” means a Statement of Work prepared by Janrain and executed by the Parties that describes any Professional Services ordered by Client and includes applicable assumptions, deliverables, and a schedule for their delivery;
“Subscription Services” means those customer identity and access management and related services ordered by Client under an Order Form and made available online by Janrain as further described in the Order Form and Documentation;
“Subscription Term” means the term commencing on the subscription start date stated in the Order Form and continuing for the period stated on the Order Form, subject to any adjustment and/or renewal as described herein;
“User” means each unique, individual person authorized by Client to interact with the Subscription Services.
2.1. Order Form. Services are purchased via an Order Form.
2.2. Subscription Services. Subscription Services are purchased as subscriptions to access and use the Subscription Services for the number of Client Online Properties, User or Record capacity, and Subscription Term specified in an Order Form. Janrain will count the number of Users or, if applicable, Records, and display the current total to Client within the Subscription Services online administration dashboard. A User is counted when the User initially uses the Subscription Services to register or log in on a Client Property, and a Record is counted when it is created. Production and non-production (e.g., development and testing) environments owned or operated by Client or Client’s agent for a single Client Property are counted collectively as one Client Property.
2.3. Adding User/Record Capacity and Client Properties for Subscription Services. Subscriptions for additional User or Record capacity or Client Properties may be purchased during a Subscription Term for the pricing stated in the underlying subscription Order Form and any added subscriptions will terminate on the same date as the underlying subscription, unless otherwise specified in the Order Form.
2.4. Subscription Service Renewal. Each subscription for a Subscription Service will automatically renew for a 12-month Subscription Term unless either Party notifies the other at least thirty days prior to the commencement of the renewal term that it does not want the subscription to renew.
3.1. Provisioning. Janrain will provide the Services pursuant to this Agreement, including applicable Order Forms and any SOWs. Subscription Services will be provided 24 hours a day, 7 days a week in accordance with the Service Level Agreement (SLA) in Appendix A hereto. Client will provide assistance reasonably requested by Janrain in connection with the provisioning of the Subscription Services. Use of ID Providers’ services is subject to their availability from ID Providers. Professional Services will be provided in accordance with applicable SOWs. The Parties may change a SOW only by a written change order document signed by the Parties.
3.2. Support. Support is provided for the Subscription Services as described below. Support services include Client access to the support portal and reporting on any SLA violation as specified in the Support Appendix to the Order Form:
Client will initiate all support requests by initiating a support ticket at https://support.janrain.com/. Janrain will use commercially reasonable efforts to meet the initial response and resolution goal service level objectives specified in the Support Appendix according to the severity level of the particular issue. Resolution times start once Client has notified Janrain of the incident via the Janrain support ticket system and, if requested, provided to Janrain transaction data and reproducible test case data necessary to determine the nature of the error at issue and to isolate any defect(s). Client acknowledges that Janrain’s ability to provide satisfactory support services is dependent on Janrain having the information necessary to replicate the reported problem with the Subscription Services and real-time access to Client personnel who are knowledgeable about the problem. Load testing is prohibited without prior scheduling with Janrain. Client agrees not to run scripts that could endanger the performance of the Subscription Services without Janrain’s prior written permission.
3.3. Administrative Rights. Subscription Services include a restricted-access administrative interface to allow Client’s designated employees or agents (“Administrative Users”) to access the configuration and settings components so they can manage, configure and monitor the Subscription Services for Client benefit. Janrain will provide each Administrative User designated by Client with access to and use of the administrative interface.
3.4. Regulatory Compliance and Protection of Hosted Data. Janrain will provide the Services in compliance with all laws and regulations applicable to it and the Services and with its Security and Privacy Safeguards described in Appendix B.
4.2. Restrictions. Client will not (a) use the Subscription Services or make them available for use except as permitted hereunder; (b) sell, rent or lease the Subscription Services; (c) reverse engineer or otherwise attempt to discover the underlying software to the Subscription Services (unless this restriction is not permitted under applicable law); (d) knowingly permit Users to access or use any Service in a country embargoed by the U.S. (currently Cuba, Iran, North Korea, Sudan or Syria) or in violation of any U.S. export law or regulation; or (e) use the Subscription Services to store financial or credit account numbers, social security or other government issued personal identification numbers, driver license numbers, or personal health information.
5.1. Fees. All fees for purchased Services (“Fees”) will be itemized on the applicable Order Form. Except as otherwise specified herein, (a) Fees are based on Services purchased, not actual usage, (b) payment obligations are non-cancellable and Fees are non-refundable, and (c) capacity and quantities purchased cannot be decreased during the relevant Subscription Term.
5.2. Travel Expenses. Client will reimburse Janrain for reasonable travel expenses, if any, directly related to the performance of the Services under this Agreement, provided that the travel is approved in writing by email in advance of the travel. Approved travel expenses, if any, will be billed separately. In no event will travel time be billable.
5.3. Taxes. Fees do not include any taxes (including any withholding taxes) assessable by any jurisdiction (collectively, “Taxes”). Client is responsible for paying all Taxes associated with its purchases hereunder. If Janrain has the obligation to collect or pay Taxes for which Client is responsible under this Section 5.3, Janrain will invoice such Taxes and Client will pay them to Janrain unless Client provides Janrain with a valid taxation exemption certificate from the relevant taxing authority. Janrain is solely responsible for taxes assessable against Janrain based on its income, property, and employees.
5.4. Payment. All properly invoiced amounts are due and payable in United States currency within thirty (30) days following the invoice date (or thirty (30) days following the renewal date for any renewed Subscription Service) unless a different currency and period is specified in the Order Form. Payment Invoices will be sent to the address included on the invoice unless Client instructs Janrain otherwise in writing. If payment of any properly invoiced amount is not received by Janrain by the due date, then without limiting Janrain’s rights or remedies, (a) the invoiced amount may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, and/or (b) Janrain may condition future subscription renewals and Order Forms on payment terms shorter than those specified herein.
Client and its Users may access and use the Subscription Services pursuant to this Agreement. Janrain retains all right, title, and interest in and to the Subscription Services and this Agreement does not grant Client any intellectual property rights in the Subscription Services or its components except as stated otherwise in this section. Client may make a reasonable number of copies of the Documentation and SDKs at no extra charge for its use of the Subscription Services. If Janrain provides to Client any deliverables under a SOW, Client will own such deliverables, except for any Janrain intellectual property contained therein to which Janrain hereby grants to Client and Client’s agents a worldwide, nonexclusive, non-transferable, royalty-free right to use such intellectual property in connection with the Subscription Services. Client will retain ownership of all Client Data and any materials provided by Client for use with the Subscription Services. Janrain will obtain no rights therein, except the right to access and use Client Data and such materials as required to provision the Subscription Services to Client.
7.1. Agreement Term. This Agreement will continue in effect until terminated as set forth herein.
7.2. Termination. This Agreement and any Order Form may be terminated (a) by either Party if the other Party breaches this Agreement and does not cure the breach within thirty (30) days after receiving written notice thereof from the non-breaching Party, or (b) by either Party upon written notice if the other Party becomes the subject of a petition for bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. Otherwise, the Agreement will terminate 30 days after the most recent Order Form is no longer in effect.
7.3. Effect of Termination. Upon any termination of this Agreement or an Order Form, without prejudice to any other rights or remedies which the Parties may have, (i) all rights to use the Subscription Services will terminate, (ii) Client will pay to Janrain any outstanding Fees that have accrued hereunder prior to the date of termination, and (iii) if Client terminates the Agreement pursuant to Section 7.2(a) or (b), Janrain will refund to Client any prepaid fees for the terminated period. See Appendix B for Client Data transfer and deletion following Termination.
7.4. Client Data Transfer and Deletion. Upon Client request via the standard support process and made within 30 days after the effective date of Agreement termination or expiration, Janrain will make all Client Data available to Client for transfer via FTP or other secure mechanism agreed upon by the Parties. After that 30-day period, unless the Parties otherwise agree in writing, Janrain will delete all copies of Client Data in Janrain’s systems or otherwise in Janrain’s possession as further described in Section 8 of Agreement Appendix B.
Janrain, at its own expense, will maintain at a minimum the following insurance coverage in US dollar amounts throughout the Agreement term: (a) Commercial General Liability Insurance: $4,000,000 per occurrence combined single limit, (b) Commercial Automobile Liability Insurance: $1,000,000 per occurrence combined single limit, (c) Umbrella/Excess Liability Insurance: $3,000,000 per occurrence combined single limit, (d) Worker’s Compensation Insurance: an amount no less than the statutory limit of coverage within the relevant state of employment, and (e) Errors and Omissions Insurance (also known as Professional Liability and Cyber Liability Insurance): $5,000,000 per occurrence combined single limit. Upon Client’s written request, Janrain will provide Client with a certificate of insurance stating Janrain’s current insurance coverage.
“Confidential Information” means, with respect to a Party disclosing information (the “Disclosing Party”), information that pertains to such Party’s business, including, without limitation, technical, marketing, financial, pricing and other information. Confidential Information will be designated and/or marked as confidential when disclosed, provided that any information that the Party receiving such information (the “Receiving Party”) knew or reasonably should have known under the circumstances, was considered confidential or proprietary by the Disclosing Party, will be considered the Disclosing Party’s Confidential Information even if not designated or marked as such. Client Data will be considered Client’s Confidential Information. To protect a Disclosing Party’s Confidential Information, the Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own Confidential Information of like kind (but no less than reasonable care). The Receiving Party will use Disclosing Party’s Confidential Information only to exercise rights and perform obligations under this Agreement and will disclose it only to those employees and contractors of the Receiving Party with a need to know such information and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those herein. 
The Receiving Party will not be liable to the Disclosing Party for the release of Confidential Information if such information: (a) was known to the Receiving Party on or before the Agreement effective date without restriction as to use or disclosure; (b) is released into the public domain through no fault of the Receiving Party; (c) was independently developed solely by the employees of the Receiving Party who have not had access to Confidential Information; or (d) is disclosed as required by legal process, provided that, to the extent legally permissible, the Receiving Party will notify the Disclosing Party promptly of such required disclosure and reasonably assists the Disclosing Party in efforts to limit such required disclosure.
Each Party represents and warrants that it has the legal power to enter into and perform its obligations under this Agreement. Janrain warrants that (a) during the Subscription Term the Subscription Services will perform materially as described in the Documentation; (b) Subscription Services contain no viruses or other computer instructions or technological means intended to disrupt, damage, or interfere with the use of computers or related systems; (c) Professional Services will be performed in a professional and workmanlike manner; (d) the Services will comply with all applicable laws; and (e) it is the owner of the Subscription Services and every component thereof or the recipient of a valid license thereto, and will maintain the authority to grant the intellectual property and other rights granted in this Agreement. In the event of a breach of the warranty at Section 10.(a) or 10.(c), Janrain will diligently remedy any deficiencies that cause the Services to not conform to the foregoing warranty promptly after its receipt of written notice from Client. In the event of a breach of the warranty at Section 10.(d), Janrain, at its own expense, will (i) secure the right for Client’s continued access and use of the Subscription Service; (ii) modify the Subscription Service to make it noninfringing, provided that the same material functionality is maintained; or (iii) terminate Client’s subscription for that Subscription Service upon 30 days written notice and refund Client any prepaid fees covering the remainder of the term of the terminated subscription. Janrain will not be liable to the extent that any breach of the foregoing warranties is caused by use of the Subscription Services in breach of this Agreement or Viruses introduced by Client or its agents. 
EXCEPT AS EXPRESSLY PROVIDED HEREIN, NEITHER PARTY MAKES ANY WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.
11.1. Indemnification by Janrain. Janrain will defend and indemnify Client against any “Claim Against Client,” meaning any third party claim, suit, or proceeding brought against Client alleging (a) that the use of a Service in accordance with this Agreement infringes any intellectual property right or violates applicable law, (b) injury to or death of any individual, or any loss of or damage to real or tangible personal property caused by the act or omission of Janrain or any of its agents, subcontractors, or employees, or (c) disclosure or exposure of personally identifiable information caused by a Janrain violation of its obligations under this Agreement. This indemnification will be for any damages, attorney fees and costs finally awarded against Client as a result of, or for amounts paid by Client under a court-approved settlement of, a Claim Against Client, provided Client (i) promptly gives Janrain written notice of the Claim Against Client, (ii) gives Janrain sole control of the defense and settlement of the Claim Against Client (except that Janrain may not settle any Claim Against Client unless it unconditionally releases Client of all liability), and (iii) gives Janrain all reasonable assistance, at Janrain’s expense. The above defense and indemnification obligations do not apply to the extent a Claim Against Client arises from Client’s violation of the law or breach of this Agreement.
11.2. Indemnification by Client. Client will defend and indemnify Janrain against any “Claim Against Janrain,” meaning any third party claim, suit, or proceeding brought against Janrain arising from Client’s use of the Services in violation of the Agreement or applicable law. This indemnification will be for any damages, attorney fees and costs finally awarded against Janrain as a result of, or for amounts paid by Janrain under a court-approved settlement of, a Claim Against Janrain, provided Janrain (i) promptly gives Client written notice of the Claim Against Janrain, (ii) gives Client sole control of the defense and settlement of the Claim Against Janrain (except that Client may not settle any Claim Against Janrain unless it unconditionally releases Janrain of all liability), and (iii) gives Client all reasonable assistance, at Client’s expense. The above defense and indemnification obligations do not apply to the extent a Claim Against Janrain arises from Janrain’s violation of the law or breach of this Agreement.
11.3. Exclusive Remedy. This Section 11 states the indemnifying Party’s sole liability to, and the indemnified Party’s exclusive remedy against, the other party for any type of claim described in this Section 11.
12.1. Limit. JANRAIN’S LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE ANNUAL SUBSCRIPTION FEE, EXCEPT THAT JANRAIN’S LIABILITY TO INDEMNIFY CLIENT PURSUANT TO SECTION 11 (INDEMNITY) WILL NOT EXCEED TWO TIMES THE ANNUAL SUBSCRIPTION FEE.
12.2. No Consequential Damages. NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OR ANY LOST REVENUE OR PROFITS WHETHER AN ACTION IS IN CONTRACT, TORT, OR UNDER ANY OTHER THEORY OF LIABILITY AND WHETHER THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, EXCEPT TO THE EXTENT PROHIBITED BY APPLICABLE LAW.
Client will cooperate with Janrain’s request to review drafts of all appropriate press releases and other public announcements relating to the subject matter of this agreement and the relationship between the parties, but neither Party will issue any such announcement without the other party’s prior written consent, which will not be unreasonably withheld or delayed. Client grants Janrain the right to use Client’s name and logo on Janrain’s website and/or in Janrain’s marketing materials, solely to identify Client as a Janrain client.
Janrain may compile, use, and publicly disclose information related to the use and performance of its Subscription Services by its clients and their users (e.g., social log in trends), provided that such information does not include personally identifiable information or Client Confidential Information, or identify Client or any User.
Neither Party may assign this Agreement or any of its rights or obligations hereunder without the other Party’s prior written consent, except that either Party may assign this Agreement to the surviving party in a merger of that Party into another entity or in an acquisition of all or substantially all that Party’s assets, provided that the assignee agrees in writing to be bound by all the assigning Party’s rights and obligations stated in the Agreement. Any attempted assignment, transfer or delegation in violation of the foregoing will be null and void. Except to the extent forbidden in this Section 15, this Agreement will be binding upon and inure to the benefit of the parties’ respective successors and assigns.
The Parties acknowledge that each Subscription Service and each Party’s Confidential Information is a unique property, and the unauthorized use thereof will cause the injured Party irreparable harm that may not be adequately compensated by monetary damages. Accordingly, the Parties agree that the injured Party will, in addition to other remedies available to it at law or in equity, be entitled to seek injunctive relief to enforce the terms of this Agreement, including to prevent any actual or threatened unauthorized use of each Party’s Confidential Information, the Subscription Services, or any information or data contained therein.
This Agreement will be governed by and interpreted in accordance with the laws of the State of Oregon and controlling United States law without regard to Oregon’s choice of law rules, and any legal action or proceeding arising out of or related to this Agreement will be brought exclusively in the courts located in Portland, Multnomah County, Oregon. The prevailing Party in any lawsuit will be entitled to recover payment of its reasonable attorney’s fees from the other Party in addition to any other relief to which the prevailing Party may be entitled. The United Nations Convention on Contracts for the International Sale of Goods will not apply to the interpretation or enforcement of this Agreement.
This Agreement includes its Appendices A and B and incorporates herein by reference each Order Form, SOW, and any schedules, appendices, amendments, or change orders thereto signed by the Parties. This Agreement constitutes the complete agreement between the Parties and supersedes all prior and contemporaneous agreements, proposals or representations, whether oral or written, concerning its subject matter. No modification, amendment, or waiver of any provision of this Agreement will be effective unless it specifically refers to this Agreement, is in writing, and is signed by the Parties.
If any provision of this Agreement is held to be null, void or otherwise ineffective or invalid by a court of competent jurisdiction, (a) such provision will be deemed to be restated to reflect as nearly as possible the original intentions of the Parties in accordance with applicable law, and (b) the remaining terms, provisions, covenants and restrictions of this Agreement will remain in full force and effect.
In the event of any inconsistency between an Order Form and other parts of this Agreement, the terms of the Order Form will be controlling. The terms on any purchase order or similar Client document submitted to Janrain will have no effect on this Agreement and are hereby rejected.
The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the Parties.
The Parties do not intend to confer, and this Agreement shall not be construed to confer, any rights or benefits to any person, firm, group, corporation or entity other than the Parties.
All notices under this Agreement must be delivered in writing in person, by courier, or by certified or registered mail (postage prepaid and return receipt requested) to the other Party at its address stated at the beginning of this Agreement and to the person designated in the latest Order Form to receive such notice. Notices will be deemed effective upon receipt. Either Party may change the recipient or its address for notices by providing notice to the other Party as specified herein.
No failure or delay by either Party in exercising any right under this Agreement will constitute a waiver of that right.
All provisions of this Agreement that must survive this Agreement to fulfill their essential purpose will so survive.
If Janrain fails to meet its Availability Commitment in any calendar month and the total Qualifying Downtime during such month does not exceed four hours, per each hour or part thereof, Client will be eligible for a service credit of 5% of the subscription Fee for the unavailable Subscription Service (for the affected instance(s), if Client has multiple instances running) pro-rated for that month; but if the total Qualifying Downtime during a calendar month exceeds four hours, Client will be eligible for a service credit of 50% of such subscription Fee pro-rated for that month. Service Credits will be issued as credits against subscription renewal Fees or, if the subscription is not renewed, the credits will be paid to Client in the form of a refund within 30 days after the subscription termination date. To receive a service credit hereunder, Client must provide written notice to Janrain of its service credit claim within 10 business days following the end of the applicable month. All Service Credit claims are subject to verification by Janrain. Service credits are Client’s sole and exclusive remedy for any failure to meet the Availability Commitment. Service credits are not available for any Subscription Service provided without charge.
This Appendix B highlights the administrative, physical and logical security and privacy safeguards and features (“Safeguards”), which Janrain provides under the Agreement to help protect the security, confidentiality, and integrity of Client Data and protect User privacy. These Safeguards are applicable to all facilities and systems that store and transmit Client Data. Janrain provides security at the systems and applications layers while its cloud provider, Amazon Web Services (“AWS”), provides security for its infrastructure and data centers.
Janrain undergoes the following examinations on an annual basis and will provide proof of certification or compliance upon Client’s request.
All hosting locations employ industry best practices, including badge and/or biometric access entry systems, redundant power sources, redundant air conditioning units and fire suppression systems. Security personnel and cameras monitor these locations 24 hours a day, 365 days a year. Only authorized personnel are allowed inside any AWS data center and all accesses are logged. For details on the best practice physical security and other controls, which AWS has implemented, and its ISO 27001:2013; SOC 1; SOC 2; and other certifications, see Amazon Compliance. Janrain operations offices are secured with key and camera systems and visitor access is controlled.
Janrain employees are required to provide specific documents verifying identity and undergo federal and state criminal background checks prior to being hired. Janrain trains all new employees about their confidentiality, privacy and information security obligations as part of their new employee training. We require all our employees and contractors to sign confidentiality agreements to protect confidential information. A compulsory annual security and privacy training requirement ensures employees refresh their knowledge and understanding. In addition, Janrain communicates with all personnel about privacy and information security awareness through regular newsletters.
All social and conventional (user ID/password) logins and retrieval queries will be encrypted using transport layer security (TLS), ensuring a secure connection to the Subscription Services and Client Data. We will provision, manage and renew all SSL certificates (of at least 2048 bits) on behalf of Client to secure Client communications with the Subscription Services. For Janrain single sign-on, which passes Client authentication state data (and optionally, identity information) between sites within a predefined circle of trust, Janrain will manage a hardened whitelist that will be verified at the time of transaction prior to passing any sensitive Client Data. To protect personally identifiable information (PII) and all other Client Data, access to Client Data retrieved via the Subscription Services is possible only with a valid access token, which is delivered to a User during authentication.
Each Subscription Service application instance deployed for Client and associated Client Data will be isolated in their own logically discrete production environment. Unique session tokens, configurable session timeout values, and password policies are applied to prevent unauthorized access. Data at rest in development, production, and backup environments are encrypted with full disk encryption. Passwords stored in Client databases are one-way hashed.
In both the development process and the production environment, Janrain seeks to protect against attacks on or disruption of the Subscription Services or attempts to compromise the privacy and confidentiality of Client Data. Technical measures deployed include (1) firewalls for all data entering Janrain’s internal data network from any external source; (2) virus protection programs and techniques to prevent harmful software code from affecting the Subscription Services or Client Data; (3) continuous monitoring of systems used throughout the Subscription Services; and (4) annual penetration and vulnerability testing by a reputable third party vendor.
Only authorized operations personnel have access to Janrain production systems, for which multi-factor authentication is required. Access credentials to production systems are not shared. We maintain audit trails for all production access and restrict and monitor physical access at production facilities. Janrain employee access to Client Data is restricted to legitimate business use only, including activities needed to support Client’s use of the Subscription Services. Janrain Subscription Services enable Client to easily provide their partners, customer service representatives and other members of their organization with selective access to Client Data while continuing to protect sensitive User information. Subscription Services dashboard access is scoped and enforced via roles.
Janrain services are highly scalable and redundant, permitting fluctuations in usage while reducing the threat of significant outages. All client data is stored in secure AWS data centers with quick replication feasible in the event of a disaster. Janrain operates under a Business Continuity and Disaster Recovery Plan and conducts full Business Continuity testing annually. Janrain backs up Client Data on a daily basis to servers in different locations than where Client Data in production is hosted. All backups are fully encrypted. Pursuant to Section 7.4 of the Agreement, Janrain will delete all Client Data applications and directories and the underlying data blocks will be overwritten, so they are not recoverable. When no longer useful, all electronic media once utilized to store Client Data are degaussed and physically destroyed in accordance with best practices. Printed confidential information is disposed of in secure containers and shredded on a regular basis.
Janrain will maintain a formal security event monitoring, reporting and response capability to identify, report and appropriately respond to known or suspected security events. In the event of an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Data or Client Confidential Information (“Information Security Breach”), Janrain will (i) as soon as possible after its discovery, but within 48 hours, notify Client of the Information Security Breach and its effect on Client Data, (ii) promptly investigate and remediate the Information Security Breach and provide Client regular updates during the investigative and remedial phases, and (iii) take all reasonable measures to prevent the breach from occurring again.
Users may submit personal data to Client Online Properties through the use of the Subscription Services. Janrain’s Subscription Services facilitate compliance with the EU General Data Protection Regulation and other privacy statutes. For example, personal data is submitted with notice to, and the consent of, the individual User via permission screens. In addition, email opt-out/opt-in options are configurable as part of our User registration flows. Client may, at any time, access Client Data, while Users have the ability to update their personal data. The Subscription Services include tools that permit Client to manage the privacy settings of select data fields and optionally delete Client Data in a particular Record. Janrain maintains an audit trail detailing changes to Records. In addition, Janrain provides the ability for Client to receive real time notification of User Record changes and deletions.
Because Janrain, and its underlying hosting services provider, Amazon Web Services (AWS), each submit to third party audits and make audit information as well as penetration test reports available to Clients, any security or privacy-related audit requested by Client shall not occur more than once a year for a Fee of $14,500 and the schedule and scope for such an audit will be specified in a SOW with Client to bear its own costs. Pursuant to such a SOW, Janrain will allow Client or a designated third party, access to Janrain’s facilities, systems, books and records in order to audit and ascertain compliance by Janrain with the terms of this Agreement. Janrain will reasonably cooperate with such audits. Before undertaking any audit, Client will first consider the results of the most recent independent certifications and reviews of Janrain’s and AWS security-related systems and processes, which will be made available to Client upon request, subject to Client’s execution of any required non-disclosure agreement required by AWS. Because of security concerns raised by visits to its facilities, the audit rights granted herein do not extend to AWS sites, systems, and processes.