WorkOS Terms of Service

Last Updated: May 20, 2021

Please read these Subscription Service Terms and Conditions (the “Agreement”) carefully as they are a legal agreement between you (“Subscriber”) and WorkOS, Inc. (“WorkOS”). This Agreement governs Subscriber’s use of WorkOS’ Service (as defined below), unless Subscriber and WorkOS have entered into a separate written agreement. BY INDICATING YOUR ACCEPTANCE TO THIS AGREEMENT OR ACCESSING OR USING THE WORKOS’ SERVICE, SUBSCRIBER AGREES TO BE BOUND BY THE TERMS OF THIS AGREEMENT.

If you are accessing and using the Service on behalf of a company (such as your employer) or other legal entity, you represent and warrant that you have the authority to bind that company or other legal entity to this Agreement. In that case, “Subscriber” will refer to that company or other legal entity.

1. Definitions.

“App End-Users” means the final end users of the Subscriber App(s).

“Documentation” means documentation for the WorkOS Integration Code and WorkOS Platform made available to Subscriber through the Site.

“Intellectual Property Rights” means any patent, copyright, trademark, service mark, trade name, trade secret, know-how, moral right or other intellectual property right under the laws of any jurisdiction, whether registered, unregistered, statutory, common law or otherwise (including any rights to sue, recover damages or obtain relief for any past infringement, and any rights under any application, assignment, license, legal opinion or search).

“Person” means any individual, corporation, partnership, trust, limited liability company, association, governmental authority or other entity.

“Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable data privacy and data protection laws, rules and regulations.

“Sensitive Personal Data” means a subset of Personal Data which, due to its nature, has been classified by law or by policy as deserving additional privacy and security protections. Sensitive Personal Data includes Personal Data regarding EU residents that is classified as a “Special Category of Personal Data” under EU law, which consists of the following data elements: (1) race or ethnic origin; (2) political opinions; (3) religious or philosophical beliefs; (4) trade union membership; (5) genetic data; (6) biometric data where processed to uniquely identify a person; (7) health information; (8) sexual orientation or information about the individual’s sex life; or (9) information relating to the commission of a criminal offense.

“Service” or “WorkOS Service” means, collectively, the WorkOS Platform and the WorkOS Integration Code.

“Service Tier” means the Service tier that Subscriber chooses from the available options provided by WorkOS on the Site.

“SSO Connection Data” means data used to create, configure, and maintain Single Sign-On connections to identity providers (IdPs).

“Subscriber App(s)” means the Subscriber’s application(s) which Subscriber chooses to use with the Service.

“Subscriber Data” means any information, data or content that is submitted, collected, transmitted or otherwise provided by or on behalf of Subscriber through the Service, including data from App End-Users and SSO Connection Data, but excluding, for clarity, Aggregate Data and any information, data or content owned or controlled by WorkOS and made available through or in connection with the Service.

“Subscription Fees” means the subscription fees for access and use of the Service in accordance with the Service Tier that Subscriber chooses.

“Subscription Term” means the period during which Subscriber has agreed to subscribe to the Service.

“User” means an employee, independent contractor or consultant of Subscriber authorized by Subscriber to use the Service on behalf of Subscriber.

“Workflow” means an enterprise grade business workflow application provided by a third party, not WorkOS.

“WorkOS Integration Code” means the executable form of WorkOS’ proprietary software development code downloadable by Subscriber from the WorkOS Platform that is configured by Subscriber and included in the Subscriber App(s) to enable data to be transmitted from the Subscriber App(s) to the WorkOS Platform, as further specified in the Documentation.

“WorkOS IP” means the Service, the underlying software provided in connection with the Service, algorithms, interfaces, technology, databases, tools, know-how, processes and methods used to provide or deliver the Service, the Documentation and the look and feel of the Service (including any custom fonts, graphics and button icons), and all improvements, modifications or enhancements to the foregoing, and all Intellectual Property Rights in and to any of the foregoing.

“WorkOS Platform” means the cloud-based, hosted service made available through www.workos.com (the “Site”), as further specified in the Documentation.


2. Access to Service; License Grant.

      a. WorkOS Platform. Subject to the terms and conditions of this Agreement (including timely payment of the Subscription Fees), WorkOS grants Subscriber a limited, revocable, nonexclusive, non-transferable (except in compliance with Section 16(f)) right to access and use the WorkOS Platform and related Documentation solely for Subscriber’s internal business purposes in connection with the operation of the Subscriber App(s), and in accordance with, and subject to, the applicable Service Tier. Subscriber is responsible for obtaining and configuring all required computer hardware, software and telecommunications services to access the WorkOS Platform.

      b. WorkOS Integration Code. Subject to the terms and conditions of this Agreement (including timely payment of Subscription Fees), WorkOS hereby grants Subscriber a limited, revocable, non-exclusive and non-transferable (except in compliance with Section 16(f)), license to: (i) install the WorkOS Integration Code on machines controlled by Subscriber and use the WorkOS Integration Code and related Documentation and (ii) reproduce and distribute the WorkOS Integration Code solely as embedded within the Subscriber App(s). Subscriber may use the WorkOS Integration Code solely in connection with Subscriber’s use of the WorkOS Platform, and in accordance with, and subject to, the applicable Service Tier. WorkOS will deliver the WorkOS Integration Code to Subscriber electronically. Subject to the terms and conditions of this Agreement, Subscriber may make one back-up archival copy of the WorkOS Integration Code.

      c. Third-Party Software. The WorkOS Integration Code contains certain third-party components subject to various open source or free software licenses. Subscriber’s use of such software is subject to and governed by the open source license that accompanies the software and is not subject to the terms and conditions of this Agreement, except that this Section 2(c) and Sections 8(b) (Disclaimer) and Section 15 (Limitation of Liability) also govern Subscriber’s use thereof.

      d. Users. Subscriber will not allow any Person other than Users to access and use the Service. Subscriber may permit Users to access and use the Service, provided that Subscriber ensures each User complies with all applicable terms and conditions of this Agreement and Subscriber is responsible for acts or omissions by Users in connection with their access and use of the Service. Subscriber will, and will require all Users to, use all reasonable means to secure user names and passwords, hardware and software used to access the WorkOS Platform in accordance with customary security protocols, and will promptly notify WorkOS if Subscriber knows or reasonably suspects that any user name and/or password has been compromised.

3. Subscription Fees.

      a. Subscription Fees. In exchange for Subscriber’s rights to use the Service and Documentation during the Subscription Term, Subscriber agrees to pay the applicable Subscription Fees. The Subscription Fees do not include taxes and Subscriber shall be responsible for all such taxes, levies or duties associated with this Agreement, other than taxes based on WorkOS’ net income. Except as otherwise agreed upon by the parties in writing, WorkOS will charge Subscriber’s selected payment method (such as a credit card) for any Subscription Fees on the applicable payment date, including any applicable taxes. If WorkOS cannot charge Subscriber’s selected payment method for any reason (such as expiration or insufficient funds), Subscriber remains responsible for any uncollected amounts, and WorkOS will attempt to charge the payment method again as Subscriber may update its payment method information. In accordance with local law, WorkOS may update information regarding Subscriber’s selected payment method if provided such information by Subscriber’s financial institution.

      b. Payment. All amounts are payable in U.S. Dollars. All payments are nonrefundable. WorkOS may impose interest on late payments at the lower of 1.5% per month, or the maximum rate allowable by applicable law, and WorkOS may suspend Service until all payments are made in full.

      c. Free Service Tier. From time to time, WorkOS may offer a free Service tier that allows Subscriber to use the Service and Documentation free of charge (“Free Service Tier”). Subscriber acknowledges and agrees that the features and functionalities of the Service on the Free Service Tier may be limited. WorkOS reserves the right to modify or terminate the Free Service Tier at any time, without notice and in its sole discretion.

4. Workflows.

Workflows compatible with the Service are described in the Documentation. In some instances, as described in the Documentation, enabling a Workflow for use with the Service requires Subscriber to implement the third-party Workflow provider’s own SDK or code on the Subscriber App(s). Subscriber must license Workflows separately directly from the third-party Workflow provider; WorkOS does not provide access to Workflows to Subscriber and is not responsible for any compatibility issues, errors or bugs in the Service in whole or in part caused by the Workflows.


5. Access and Use Restrictions; Suspension.

Subscriber will not at any time and will not permit any Person (including, without limitation, Users) to, directly or indirectly: (a) copy, distribute, rent, sell, lease, lend, or transfer the Service; (b) make the Service available to any third party, except as expressly permitted by this Agreement; (c) use the Service on a service bureau basis; (d) decompile, reverse engineer, or disassemble any software component of the Service; (e) alter or modify any software component of the Service; (f) create derivative works based on the Service or any components thereof; (g) modify, remove, or obscure any copyright, trademark, patent or other notices or legends that appear with the Service; (h) interfere with or impair the operation of the Service by any means including introduction of malware or excessive usage or network traffic; (i) use any automated methods (including “robots” or “crawlers”) to download or “scrape” any data or materials from the Service, (j) use the Service to collect or process any Sensitive Personal Data, (k) use the Service, Documentation or any other WorkOS Confidential Information for benchmarking or competitive analysis with respect to competitive or related products or services, or to develop, commercialize, license or sell any product, service or technology that could, directly or indirectly, compete with the Service, or (l) disclose any performance tests or other performance information related to the Service to any third parties. In the event that WorkOS reasonably believes that Subscriber is using the Service in violation of this Agreement, WorkOS may suspend Subscriber’s access to the Service with or without advance notice in addition to and without prejudice to any other remedies WorkOS may have.


6. WorkOS Obligations.

      a. Support. WorkOS will provide reasonable informational support about the use and operation of the Service and technical support for the Service 9am to 5pm EST on business days, by email, Slack-channel or in-app chat.

      b. Security. WorkOS will use commercially reasonable technical and organizational measures designed to secure its systems and prevent unauthorized access to or use of the Service and to protect Subscriber Data against accidental loss or corruption. WorkOS shall not be liable for any loss, destruction, alteration, unauthorized disclosure or corruption of Subscriber Data caused by any third party.

      c. Changes to Service. WorkOS may modify, enhance or remove features or functionality of the Service from time to time. WorkOS may make these changes to the Service for a variety of reasons, including, without limitation, to expand functionality, comply with updated industry standards or comply with law. If WorkOS changes the Service, then WorkOS will update the Documentation to reflect this. These updates will be effective on posting on the Site. If the changes materially reduce the overall functionality of the Service, then, as Subscriber’s sole and exclusive remedy and WorkOS’ sole and exclusive liability, Subscriber may terminate this Agreement.


7. Representations and Warranties.

Each party hereby represents and warrants to the other party that: (i) it is duly organized, validly existing and in good standing under its jurisdiction of organization and has the right to enter into this Agreement and (ii) the execution, delivery and performance of this Agreement and the consummation of the transactions contemplated hereby are within the corporate powers of such party and have been duly authorized by all necessary corporate action on the part of such Party, and constitute a valid and binding agreement of such party.


8. Service Warranty; Disclaimer.

      a. Service Warranty. WorkOS warrants that the Service will provide substantially the functionality set forth in the Documentation. Subscriber’s sole and exclusive remedy, and WorkOS’ sole and exclusive liability, for breach of this warranty shall be for WorkOS to modify, replace or reperform the Service at WorkOS’ sole expense so that the Service conforms to this warranty.

      b. Disclaimer. Except as expressly stated herein, the Service is provided “as is” and on an “as available” basis, and WORKOS MAKES NO WARRANTIES OR REPRESENTATIONS TO SUBSCRIBER, ITS USERS OR TO ANY OTHER PARTY REGARDING THE WORKOS IP, THE SERVICE OR ANY OTHER SERVICES OR MATERIALS PROVIDED HEREUNDER. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, WORKOS HEREBY DISCLAIMS ALL WARRANTIES AND REPRESENTATIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. WITHOUT LIMITING THE FOREGOING, WORKOS HEREBY DISCLAIMS ANY WARRANTY THAT USE OF THE SERVICE WILL BE ERROR-FREE, BUG-FREE OR UNINTERRUPTED.


9. Beta Services; Free Trials.

      a. Beta Services. From time to time, WorkOS may offer services or software, or both, identified as beta, pilot, developer preview, non-production, evaluation or similar wording (“Beta Services”). Subscriber may accept or decline Beta Services. If accepted by Subscriber, Subscriber acknowledges and agrees that Beta Services: (a) are provided only for evaluation purposes; (b) may not be relied on by Subscriber for production use; and (c) may be subject to additional terms. Any Beta Services may be used only for the trial period specified when they are made available (and, in any event, will expire on the date that a version of the Beta Services becomes generally available). WorkOS may discontinue Beta Services at any time in its sole discretion and may never make Beta Services generally available.

      b. Free Trials. WorkOS may offer access to the Service on a free trial basis (“Free Trial”) for a specified period of time. If WorkOS offers Subscriber a Free Trial, the specific terms (including the duration) of the Free Trial will be provided at signup and/or in the promotional materials describing the Free Trial and Subscriber’s use of the Free Trial is subject to Subscriber’s compliance with such specific terms. Free Trials may not be combined with any other offer. WorkOS reserves the right to modify or terminate Free Trials at any time, without notice and in its sole discretion.

      c. Disclaimer. WorkOS may provide assistance with Beta Services or Free Trials in its discretion, however ALL BETA SERVICES AND FREE TRIALS ARE PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT ANY WARRANTY OF ANY KIND. For clarity, the following Sections of this Agreement do not apply to Subscriber’s use of Beta Services or Free Trials: 6(a) (Support), 8(a) (Service Warranty) and 13(b) (WorkOS Indemnification). ANY CONFIGURATIONS MADE BY SUBSCRIBER AND ANY SUBSCRIBER DATA SUBMITTED BY OR ON BEHALF OF SUBSCRIBER INTO BETA SERVICES OR INTO THE SERVICE DURING A FREE TRIAL MAY BE PERMANENTLY LOST (I) IF THE BETA SERVICES ARE SUSPENDED, TERMINATED, OR DISCONTINUED, OR (II) AT THE END OF THE FREE TRIAL PERIOD, UNLESS SUBSCRIBER PURCHASES A SUBSCRIPTION TO THE SERVICE.


10. Subscriber Data.

      a. License. Subscriber grants WorkOS a non-exclusive, non-transferable (except in compliance with Section 16(f)), worldwide, fully-paid, royalty-free license during the Subscription Term to, and to permit WorkOS’ subprocessors to, use, copy, distribute, modify for transmission and display and publicly perform Subscriber Data solely for the purpose of providing the Service to Subscriber and Users.

      b. Warranty. Subscriber represents and warrants that: (a) the Subscriber Data does not and will not infringe, violate or misappropriate the Intellectual Property Rights of any third party; (b) Subscriber has complied and will continue to comply with all laws and regulations applicable to its use of the Subscriber Data under this Agreement, including but not limited to applicable data privacy protection laws and regulations; (c) Subscriber has obtained and will continue to have all required consents, rights and permissions for the access to and use of the Subscriber Data (including any Personal Data provided or otherwise collected pursuant to Subscriber’s privacy policy) as contemplated by this Agreement; and (d) WorkOS’ use of the Subscriber Data in accordance with this Agreement will not violate any applicable laws or regulations or cause a breach of any agreement or obligations between Subscriber and any third party.

      c. Data Processing Addendum. Each Party will comply with its obligations set forth in the Data Processing Addendum attached hereto as Exhibit A.

      d. Aggregate Data. WorkOS shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Service and related systems and technologies (including, without limitation, information that is derived or aggregated in deidentified form from (i) Subscriber Data, and (ii) Subscriber’s and/or its Users’ use of the Service, such as usage data or trends with respect to the Service) (such data and information, collectively, “Aggregate Data”).


11. Term and Termination.

      a. Term. This Agreement is effective as of the date on which Subscriber first accesses the Service through any online provisioning, registration or order process. This Agreement will govern Subscriber’s initial subscription to the Service on the Effective Date as well as any subsequent renewals. Unless this Agreement is terminated in accordance with this Section 11 or otherwise agreed by the parties in writing, (i) Subscriber’s subscription to the Service will renew for a Subscription Term equivalent in length to the then expiring Subscription Term and (ii) the Subscription Fees applicable to the subsequent Subscription Term shall be WorkOS’ fees for the applicable Service Tier at the time such subsequent Subscription Term commences. Either party may elect to terminate this Agreement and Subscriber’s subscription to the Service as of the end of the then current Subscription Term by providing notice to the other party no less than thirty (30) days prior to the end of such Subscription Term.

      b. Termination for Breach. Either party may terminate this Agreement upon notice if the other party materially breaches this Agreement, provided that: (i) such party gives notice to the breaching party describing the manner in which this Agreement has been breached, and (ii) the breach is not cured within 30 days as of receipt of such notice. WorkOS may further immediately terminate this Agreement if Subscriber fails to pay any Subscription Fees when due.

      c. Effect of Termination or Expiration. Upon expiration or termination of this Agreement: (i) the rights granted pursuant to Sections 2(a) and 2(b) will terminate; (ii) WorkOS may irrevocably delete any and all information associated with Subscriber’s account, including Subscriber Data; (iii) Subscriber will return or destroy, at WorkOS’ sole option, all copies of the WorkOS Integration Code and all WorkOS Confidential Information in its possession or control, including permanent removal of such WorkOS Confidential Information (consistent with customary industry practice for data destruction) from any storage devices or other hosting environments that are in Subscriber’s possession or under Subscriber’s control, and at WorkOS’ request, certify in writing to WorkOS that the WorkOS Integration Code and WorkOS Confidential Information has been returned, destroyed or, in the case of electronic communications, deleted. Notwithstanding the foregoing, WorkOS will assist Subscriber in exporting Subscriber Data from the Service for up to thirty (30) days following the termination or expiration of this Agreement, if Subscriber requests this assistance prior to the termination or expiration of this Agreement. No expiration or termination will affect Subscriber’s obligation to pay all Subscription Fees that may have become due or otherwise accrued through the effective date of expiration or termination, or entitle Subscriber to any refund.

      d. Survival. This Section 11(d) (Survival) and Sections 2(c) (Third-Party Software), 2(d) (Users), 3 (Subscription Fees), 8(b) (Disclaimer), 10(d) (Aggregate Data), 11(c) (Effect of Termination or Expiration), 12 (Confidential Information), 13(a) (Proprietary Rights), 13(b) (Reservation of Rights), 13(d) (Feedback), 14 (Indemnification), 15 (Limitation of Liability) and 16 (General Provisions), survive any termination or expiration of this Agreement.


12. Confidential Information.

      a. Definition. “Confidential Information” means any information that one party (the “Disclosing Party”) provides to the other Party (the “Receiving Party”) in connection with this Agreement, whether orally or in writing, that is designated as confidential or that reasonably should be considered to be confidential given the nature of the information and/or the circumstances of disclosure. For clarity: (a) all Subscriber Data is Confidential Information of Subscriber, and (b) any and all non-public features of the Service and Documentation including and all pages and materials on the WorkOS website that are accessible only after logging in are Confidential Information of WorkOS. Notwithstanding the foregoing, Confidential Information does not include information that: (i) was rightfully known by the Receiving Party prior to receiving such information or materials from the Disclosing Party; (ii) is independently developed by Receiving Party without use of or reference to the Disclosing Party’s Confidential Information; (iii) becomes known publicly, before or after disclosure, through no act or failure to act by the Receiving Party; or (iv) is approved for release in writing by the Disclosing Party.

      b. Confidentiality Restrictions. The Receiving Party will maintain the Disclosing Party’s Confidential Information in strict confidence, and will not use the Confidential Information of the Disclosing Party except as necessary to perform its obligations or exercise its rights under this Agreement; provided that WorkOS may use and modify Confidential Information of Subscriber in deidentified form for purposes of developing and deriving Aggregate Data. The Receiving Party will not disclose or cause to be disclosed any Confidential Information of the Disclosing Party, except (i) to those employees, representatives, or contractors of the Receiving Party who have a bona fide need to know such Confidential Information to perform under this Agreement and who are bound by written agreements with use and nondisclosure restrictions at least as protective as those set forth in this Agreement, or (ii) as such disclosure may be required by the order or requirement of a court, administrative agency or other governmental body, subject to the Receiving Party providing to the Disclosing Party reasonable written notice to allow the Disclosing Party to seek a protective order or otherwise contest the disclosure.

      c. Term. Each party’s obligations of non-disclosure with regard to Confidential Information will expire five (5) years from the date first disclosed to the Receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.


13. Intellectual Property.

      a. Proprietary Rights.
            i. Ownership by WorkOS. The WorkOS IP is the exclusive property of WorkOS. Subject to the limited rights expressly granted in this Agreement, WorkOS reserves and, as between the parties will solely own, all right, title and interest in and to the WorkOS IP.

            ii. Ownership by Subscriber. WorkOS asserts no ownership rights in Subscriber Data. As between the parties, subject to the limited rights granted to WorkOS in this Agreement, Subscriber owns all right, title and interest in and to the Subscriber Data, including all Intellectual Property Rights therein.

      b. Reservation of Rights. No rights are granted to either party hereunder (whether by implication, estoppel, exhaustion or otherwise) except as expressly set forth in this Agreement.

      c. Logo Usage. During the Subscription Term, WorkOS may use Subscriber’s name, logos and trademarks in listings of WorkOS’ customers on WorkOS’ website and in other public statements or disclosures for the purposes of marketing the Service. All goodwill and improved reputation generated by WorkOS’ use of the Subscriber’s name, logos and trademarks inures to the exclusive benefit of Subscriber. WorkOS will use Subscriber’s name, logos and trademarks in the form stipulated by Subscriber and will conform to and observe such standards as Subscriber prescribes from time to time in connection with the right granted hereunder.

      d. Feedback. From time to time Subscriber or its employees, contractors, or representatives may provide WorkOS with suggestions, comments, feedback or the like with regard to the Service (collectively, “Feedback”). Subscriber hereby grants WorkOS a perpetual, irrevocable, royalty-free and fully-paid up license to use and exploit all Feedback in connection with WorkOS’ business purposes, including, without limitation, the testing, development, maintenance and improvement of the Service.


14. Indemnification.

      a. Subscriber Indemnification. Subject to Section 14(d), Subscriber will defend WorkOS against any claim, suit or proceeding brought by a third party (“Claims”) arising from (i) any Subscriber Data, including, without limitation, (A) any Claim that the Subscriber Data infringes, misappropriates or otherwise violates any third party’s Intellectual Property Rights or privacy or other rights; or (B) any Claim that the use, provision, transmission, display or storage of Subscriber Data violates any applicable law, rule or regulation or any Subscriber’s privacy policy; (ii) any of Subscriber’s products or services (including the Subscriber App(s)); and (iii) use of the Service by Subscriber or its Users in a manner that is not in accordance with this Agreement or the Documentation, including, without limitation, any breach of the license restrictions in Section 5 (Access and Use Restrictions; Suspension), and in each case, will indemnify and hold harmless WorkOS against any damages and costs awarded against WorkOS or agreed in settlement by Subscriber (including reasonable attorneys’ fees) resulting from such Claim.

      b. WorkOS Indemnification. Subject to Section 14(d), WorkOS will defend Subscriber against Claims alleging that Subscriber’s use of the Service infringes or misappropriates such third party’s Intellectual Property Rights, and will indemnify and hold harmless Subscriber against any damages and costs awarded against Subscriber or agreed in settlement by WorkOS (including reasonable attorneys’ fees) resulting from such Claim. WorkOS’ obligations under this Section 14(b) will not apply if the underlying third-party Claim arises from or as a result of: (i) Subscriber’s breach of this Agreement, negligence, willful misconduct or fraud; (ii) any Subscriber Data; (iii) Subscriber’s failure to use any enhancements, modifications, or updates to the Service that have been provided by WorkOS; (iv) modifications to the Service by anyone other than WorkOS; or (v) combinations of the Service with software, data or materials not provided or approved by WorkOS.

      c. IP Remedies. If WorkOS reasonably believes the Service (or any component thereof) could infringe any third party’s Intellectual Property Rights, WorkOS may, at its sole option and expense, use commercially reasonable efforts to: (i) modify or replace the Service, or any component or part thereof, to make it non-infringing; or (ii) procure the right for Subscriber to continue using the Service. If WorkOS determines that neither alternative is commercially practicable, WorkOS may terminate this Agreement, in its entirety or with respect to the affected component, by providing written notice to Subscriber. The rights and remedies set forth in this Section 14 will constitute Subscriber’s sole and exclusive remedy and WorkOS’ sole and exclusive liability for any infringement or misappropriation of Intellectual Property Rights in connection with the Service.

      d. Indemnification Procedure. The party seeking defense and indemnity (the “Indemnified Party”) will promptly (and in any event no later than thirty (30) days after becoming aware of facts or circumstances that could reasonably give rise to any Claim) notify the other party (the “Indemnifying Party”) of the Claim for which indemnity is being sought, and will reasonably cooperate with the Indemnifying Party in the defense and/or settlement thereof. The Indemnifying Party will have the sole right to conduct the defense of any Claim for which the Indemnifying Party is responsible hereunder (provided that the Indemnifying Party may not settle any Claim without the Indemnified Party’s prior written approval unless the settlement is for a monetary amount, unconditionally releases the Indemnified Party from all liability without prejudice, does not require any admission by the Indemnified Party, and does not place restrictions upon the Indemnified Party’s business, products or services). The Indemnified Party may participate in the defense or settlement of any such Claim at its own expense and with its own choice of counsel or, if the Indemnifying Party refuses to fulfill its obligation of defense, the Indemnified Party may defend itself and seek reimbursement from the Indemnifying Party.


15. Limitation of Liability.

      a. Waiver of Indirect Damages. IN NO EVENT WILL WORKOS BE LIABLE FOR ANY INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE          OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF INCOME, DATA, PROFITS, REVENUE OR BUSINESS INTERRUPTION, OR THE          COST OF COVER OR SUBSTITUTE SERVICES OR OTHER ECONOMIC LOSS, ARISING OUT OF OR IN CONNECTION WITH THIS          AGREEMENT, THE WORKOS IP OR THE PROVISION OF THE SERVICE, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM          BASED ON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE.

      b. Cap on Liability. IN NO EVENT WILL WORKOS BE LIABLE FOR AGGREGATE DAMAGES IN EXCESS OF (A) THE TOTAL           SUBSCRIPTION FEES PAID BY SUBSCRIBER TO WORKOS DURING THE SIX (6) MONTHS PRIOR TO THE EVENT GIVING RISE TO           LIABILITY, OR (B) ONE HUNDRED DOLLARS ($100), IF SUBSCRIBER HAS NOT HAD ANY PAYMENT OBLIGATIONS TO WORKOS,           AS APPLICABLE, REGARDLESS OF THE LEGAL OR EQUITABLE THEORY ON WHICH THE CLAIM OR LIABILITY IS BASED.

      c. Independent Allocation of Risk. THE EXCLUSIONS AND LIMITATIONS OF DAMAGES SET FORTH ABOVE ARE FUNDAMENTAL          ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN WORKOS AND SUBSCRIBER.


16. General Provisions.

      a. Governing Law; Venue. This Agreement shall be governed by the laws of the State of California without regard to conflict of law          principles. Subscriber and WorkOS agree to submit to the personal and exclusive jurisdiction of the state courts and federal          courts located in San Francisco, California for the purpose of litigating all claims or disputes, and waive any and all objections          regarding venue or inconvenient forum in such courts.

      b. Amendments. WorkOS may amend this Agreement from time to time upon written notice to Subscriber (which may be provided          on the Site). Subscriber’s continued use of the Service following the effective date of any such amendment will mean that          Subscriber has accepted and agreed to the changes.

      c. Waiver. A party’s failure to require performance of any provision of this Agreement shall not affect its right to require performance          at any time thereafter, nor shall a waiver of any breach or default constitute a waiver of any subsequent breach or default.

      d. Severability. If any part of this Agreement is determined to be invalid or unenforceable, then the invalid or unenforceable          provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original          provision and the remainder of this Agreement will continue in effect.

      e. Headings. Use of paragraph headers in this Agreement is for convenience only and shall not have any impact on the          interpretation of particular provisions.

      f. Assignment. Neither party may assign this Agreement without the other party’s express written consent, except that WorkOS         may assign this Agreement to its successor by way of merger, acquisition, reorganization, or sale of stock or assets. Any attempt         to assign or transfer this Agreement in violation of this Section will be void. Subject to the foregoing, this Agreement is binding         upon and will inure to the benefit of each of the parties and their respective successors and permitted assigns.

      g. Notices. All notices required or permitted under this Agreement will be in writing, will reference this Agreement, and will be          deemed given: (i) one (1) business day after deposit with a nationally-recognized express courier, with written confirmation of          receipt; (ii) when sent by email, on the date the email was sent if sent during normal business hours of the receiving party, and on          the next business day if sent after normal business hours of the receiving party; or (iii) three (3) business days after having been          sent by registered or certified mail, return receipt requested, postage prepaid. All such notices will be sent to: (i) if to WorkOS,          548 Market St, PMB 86125, San Francisco, CA 94104, [email protected], or (ii) if to Subscriber, to the address and email          provided by Subscriber on its account with the Service; or to such other address as may be specified by either party to the other          party in accordance with this Section. Subscriber’s questions or communications regarding the Service can be sent to          [email protected] but will not serve as notice under this Agreement.

      h. Independent Contractors. The relationship between the parties is that of independent contractors. Neither party is nor will          represent itself as the agent of the other.

      i. Force Majeure. To the extent caused by hurricane, earthquake, other natural disaster or act of God, terrorism, war, labor unrest,         general failure of the Internet or of communications systems, or other forces beyond the performing party’s reasonable control         (collectively, “Force Majeure”), no delay, failure, or default, other than Subscriber’s failure to make payments when due, will         constitute a breach of this Agreement. The performing party shall use reasonable efforts to minimize the delays, to notify the         other party promptly, and to inform the other party of its plans to resume performance.

      j. Injunctions. Each party agrees that breach or threatened breach by such party of any of its obligations under Section 12 (Confidentiality) or, in the case of Subscriber, Section 5 (Access and Use Restrictions; Suspension) would cause the injured party irreparable injury for which monetary relief would not provide adequate compensation, and that in addition to any other remedies available, the injured party will be entitled to injunctive relief against such breach or threatened breach, without the necessity of proving actual damages or posting a bond or other security. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity or otherwise. This Section shall not be taken to limit either party’s right to injunctive relief related to breach of a section of this Agreement not listed in this Section.

      k. Entire Agreement. This Agreement constitutes the entire and exclusive understanding and agreement between Subscriber and          WorkOS regarding Subscriber’s use of and access to the Service. This Agreement supersedes all prior or contemporaneous          writings, negotiations, and discussions with respect to the subject matter hereof.

      l. No Third-Party Beneficiaries. No provision of this Agreement is intended to confer any rights, benefits, remedies, obligations, or         liabilities hereunder upon any Person other than the parties and their respective successors and assigns.

Exhibit A

Data Processing Addendum

This Data Processing Addendum (“Addendum”) forms part of the Subscription Service Terms and Conditions (“Agreement”) between Subscriber and WorkOS. 

     1. Subject Matter and Duration.

            a) Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing                of Subscriber Personal Data in connection with WorkOS’s execution of the Agreement. All capitalized terms that are not                expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in                this Addendum or any of its attachments conflicts with the Agreement, this Addendum shall control.

            b) Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement. WorkOS will                Process Subscriber Personal Data until the relationship terminates as specified in the Agreement.

      2. Definitions.

      For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

            a) “Subscriber Personal Data” means Subscriber Data that is Personal Data Processed by WorkOS on behalf of Subscriber.

            b) “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to                which the Subscriber Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California                Consumer Privacy Act of 2018 (“CCPA”) and the EU General Data Protection Regulation 2016/679 (“GDPR”).

            c) “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal                Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or                alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or                combination, restriction, erasure, or destruction.

            d) “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration,                unauthorized disclosure of, or access to Subscriber Personal Data attributable to WorkOS. 

            e) “Subprocessor(s)” means WorkOS’s authorized vendors and third party service providers that Process Subscriber Personal Data.

      3. Data Use and Processing.

            a) Documented Instructions. WorkOS shall Process Subscriber Personal Data to provide the Service in accordance with the                Agreement, this Addendum, and any instructions agreed upon by the parties. WorkOS will, unless legally prohibited from                doing so, inform Subscriber in writing if it reasonably believes that there is a conflict between Subscriber’s instructions and                applicable law or otherwise seeks to Process Subscriber Personal Data in a manner that is inconsistent with Subscriber’s                instructions.

           b) Authorization to Use Subprocessors. To the extent necessary to fulfill WorkOS’s contractual obligations under the Agreement,               Subscriber hereby authorizes WorkOS to engage Subprocessors.

           c) WorkOS and Subprocessor Compliance. WorkOS agrees to (i) enter into a written agreement with Subprocessors regarding               such Subprocessors’ Processing of Subscriber Personal Data that imposes on such Subprocessors data protection               requirements for Subscriber Personal Data that are consistent with this Addendum; and (ii) remain responsible to Subscriber               for WorkOS’s Subprocessors’ failure to perform their obligations with respect to the Processing of Subscriber Personal Data. 

           d) Right to Object to Subprocessors. Where required by Data Protection Laws, WorkOS will notify Subscriber prior to engaging any new Subprocessors by updating the following website: www.workos.com/legal/subprocessors. WorkOS will allow Subscriber two (2) calendar days to object to the new Subprocessor after notice is given. It is Subscriber's responsibility to check this website regularly for updates. If Subscriber emails [email protected] with legitimate objections to the appointment of any new Subprocessor within the objection period set forth above, the parties will work together in good faith to resolve the grounds for the objection.

            e) Confidentiality. Any person authorized to Process Subscriber Personal Data must contractually agree to maintain the                confidentiality of such information or be under an appropriate statutory obligation of confidentiality. 

            f) Personal Data Inquiries and Requests. Where required by Data Protection Laws, WorkOS agrees to provide reasonable               assistance and comply with reasonable instructions from Subscriber related to any requests from individuals exercising their               rights in Subscriber Personal Data granted to them under Data Protection Laws.

            g) Sale of Subscriber Personal Data Prohibited. WorkOS shall not sell Subscriber Personal Data as the term "sell" is defined by                the CCPA. 

            h) Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, WorkOS agrees to                provide reasonable assistance at Subscriber’s expense to Subscriber where, in Subscriber’s judgement, the type of                Processing performed by WorkOS requires a data protection impact assessment and/or prior consultation with the relevant                data protection authorities.

            i) Demonstrable Compliance. WorkOS agrees to provide information reasonably necessary to demonstrate compliance with this               Addendum upon Subscriber’s reasonable request.

            j) Limitation on Disclosure of Subscriber Personal Data. To the extent legally permitted, WorkOS shall: (i) promptly notify               Subscriber in writing upon receipt of an order, demand, or document purporting to request, demand or compel the production               of Subscriber Personal Data to any third party, including, but not limited to the United States government for surveillance               and/or other purposes; and (ii) not disclose Subscriber Personal Data to the third party without providing Subscriber at least               forty-eight (48) hours’ notice, so that Subscriber may, at its own expense, exercise such rights as it may have under applicable               laws to prevent or limit such disclosure.

            k) Service Optimization. Where permitted by Data Protection Laws, WorkOS may Process Subscriber Personal Data: (i) for its                internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against                fraudulent or illegal activity.

      4. Cross-Border Transfers of Personal Data. 

            a) Cross-Border Transfers of Personal Data. Subscriber authorizes WorkOS and its Subprocessors to transfer Subscriber                Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United                Kingdom to the United States. 

            b) Standard Contractual Clauses. If Subscriber Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Subscriber to WorkOS in a country that has not been found to provide an adequate level of protection under Data Protection Laws, the parties agree that the terms of the transfer shall be governed by the Standard Contractual Clauses attached hereto as Attachment 1. The parties agree that: (i) the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with Section 7 of this Addendum; (ii) pursuant to Clause 5(h) and Clause 11 of the Standard Contractual Clauses, WorkOS may engage new Subprocessors in accordance with Section 3(b) – (d) of this Addendum; and (iii) the Subprocessor agreements referenced in Clause 5(j) and certification of deletion referenced in Clause 12(1) of the Standard Contractual Clauses shall be provided only upon Subscriber’s written request. Each party’s acceptance of the Agreement shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.

      5. Information Security Program.

            a) Security Measures. WorkOS shall implement and maintain reasonable administrative, technical, and physical safeguards                designed to protect Subscriber Personal Data in accordance with WorkOS’s Information Security Standards attached hereto                as Attachment 2. 

      6. Security Incidents. 

            a) Notice. Upon becoming aware of a Security Incident, WorkOS agrees to provide written notice without undue delay and within                the time frame required under Data Protection Laws to Subscriber.  Where possible, such notice will include all available                details required under Data Protection Laws for Subscriber to comply with its own notification obligations to regulatory                authorities or individuals affected by the Security Incident. 

      7. Audits. 

            a) Subscriber Audit. Where Data Protection Laws afford Subscriber an audit right, Subscriber (or its appointed representative) may carry out an audit of WorkOS’s policies, procedures, and records relevant to the Processing of Subscriber Personal Data by having WorkOS complete a data protection questionnaire of reasonable length. Any audit shall be: (i) limited to once per year; and (ii) subject to reasonable confidentiality procedures.

      8. Data Deletion. 

            a) Data Deletion. At the expiry or termination of the Agreement, WorkOS will delete all Subscriber Personal Data (excluding any                back-up or archival copies which shall be deleted in accordance with WorkOS’ data retention schedule), except where                WorkOS is required to retain copies under applicable laws, in which case WorkOS will isolate and protect that Subscriber                Personal Data from any further Processing except to the extent required by applicable laws.

      9. Processing Details. 

            a) Subject Matter. The subject matter of the Processing is the Service pursuant to the Agreement. 

            b) Duration. The Processing will continue until the expiration or termination of the Agreement. 

            c) Categories of Data Subjects. Data subjects whose Subscriber Personal Data will be Processed pursuant to the Agreement. 

            d) Nature and Purpose of the Processing. The purpose of the Processing of Subscriber Personal Data by WorkOS is the                performance of the Service. 

            e) Types of Subscriber Personal Data. Subscriber Personal Data that is Processed pursuant to the Agreement.


Exhibit A – Attachment 1

Standard Contractual Clauses (Processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection. 


Name of the data exporting organisation: Subscriber.

(the data exporter)

And


Name of the data importing organisation: WorkOS. 

(the data importer)

each a “party”; together “the parties”,


HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1
Definitions

For the purposes of the Clauses:

(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) 'the data exporter' means the controller who transfers the personal data;

(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC; 

(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary. 

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. 

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses. 

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law. 

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants: 

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9
Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement. 

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority. 

Clause 12
Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is: Subscriber. 

Data importer

The data importer is: WorkOS. 

Data subjects

The personal data transferred concern the following categories of data subjects: As set forth in Section 9(c) of the Addendum. 

Categories of data

The personal data transferred concern the following categories of data: As set forth in Section 9(e) of the Addendum. 

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data: As set forth in Section 9(e) of the Addendum. 

Processing operations

The personal data transferred will be subject to the following basic processing activities: Processing to carry out the Service pursuant to the Agreement. 


Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed by the parties. 

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):

WorkOS will implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Subscriber Personal Data in accordance with the Addendum. 



Exhibit A – Attachment 2

WorkOS Information Security Standards

WorkOS shall implement and maintain an information security program (“Information Security Program”) that: (i) is consistent with industry standard practices taking into consideration the sensitivity of the relevant Subscriber Personal Data, and the nature and scope of the Service to be provided; (ii) includes reasonable administrative, technical and physical safeguards designed to protect Subscriber Personal Data; and (iii) complies with Data Protection Laws. At a minimum, the Information Security Program shall include:

  1. Information Security Policy. WorkOS shall maintain a written information security policy applicable to all authorized personnel.
  2. Training. WorkOS shall provide information security awareness training to all employees annually.
  3. Access Control. WorkOS shall maintain access control procedures and controls consistent with industry standard practices. WorkOS shall limit access to Subscriber Personal Data to those employees and Subprocessors with a need-to-know. 
  4. Logical Separation. WorkOS shall ensure Subscriber Personal Data is logically separated from other WorkOS client data. 
  5. Encryption. Where appropriate, WorkOS shall encrypt Subscriber Personal Data in-transit and at rest using industry standard encryption technologies. 
  6. Password Management. WorkOS shall maintain a password management policy designed to ensure strong passwords consistent with industry standard practices. 
  7. Incident Response Plan. WorkOS shall maintain an incident response plan that addresses Security Incident handling. 
  8. Malware Protection. WorkOS shall maintain up-to-date malware prevention measures designed to protect against malicious code and viruses. 
  9. Backups of Subscriber Personal Data. WorkOS shall maintain an industry standard backup system and backup of Subscriber Personal Data to facilitate timely recovery in the event of a service interruption.
  10. Disaster Recovery and Business Continuity Plans. WorkOS shall maintain disaster recovery and business continuity plans consistent with industry standard practices.
