Last Updated: May 20, 2021
Please read these Subscription Service Terms and Conditions (the “Agreement”) carefully as they are a legal agreement between you (“Subscriber”) and WorkOS, Inc. (“WorkOS”). This Agreement governs Subscriber’s use of WorkOS’ Service (as defined below), unless Subscriber and WorkOS have entered into a separate written agreement. BY INDICATING YOUR ACCEPTANCE TO THIS AGREEMENT OR ACCESSING OR USING THE WORKOS’ SERVICE, SUBSCRIBER AGREES TO BE BOUND BY THE TERMS OF THIS AGREEMENT.
If you are accessing and using the Service on behalf of a company (such as your employer) or other legal entity, you represent and warrant that you have the authority to bind that company or other legal entity to this Agreement. In that case, “Subscriber” will refer to that company or other legal entity.
“App End-Users” means the final end users of the Subscriber App(s).
“Documentation” means documentation for the WorkOS Integration Code and WorkOS Platform made available to Subscriber through the Site.
“Intellectual Property Rights” means any patent, copyright, trademark, service mark, trade name, trade secret, know-how, moral right or other intellectual property right under the laws of any jurisdiction, whether registered, unregistered, statutory, common law or otherwise (including any rights to sue, recover damages or obtain relief for any past infringement, and any rights under any application, assignment, license, legal opinion or search).
“Person” means any individual, corporation, partnership, trust, limited liability company, association, governmental authority or other entity.
“Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable data privacy and data protection laws, rules and regulations.
“Sensitive Personal Data” means a subset of Personal Data which, due to its nature, has been classified by law or by policy as deserving additional privacy and security protections. Sensitive Personal Data includes Personal Data regarding EU residents that is classified as a “Special Category of Personal Data” under EU law, which consists of the following data elements: (1) race or ethnic origin; (2) political opinions; (3) religious or philosophical beliefs; (4) trade union membership; (5) genetic data; (6) biometric data where processed to uniquely identify a person; (7) health information; (8) sexual orientation or information about the individual’s sex life; or (9) information relating to the commission of a criminal offense.
“Service” or “WorkOS Service” means, collectively, the WorkOS Platform and the WorkOS Integration Code.
“Service Tier” means the Service tier that Subscriber chooses from the available options provided by WorkOS on the Site.
“SSO Connection Data” means data used to create, configure, and maintain Single Sign-On connections to identity providers (IdPs).
“Subscriber App(s)” means the Subscriber’s application(s) which Subscriber chooses to use with the Service.
“Subscriber Data” means any information, data or content that is submitted, collected, transmitted or otherwise provided by or on behalf of Subscriber through the Service, including data from App End-Users and SSO Connection Data, but excluding, for clarity Aggregate Data and any information, data or content owned or controlled by WorkOS and made available through or in connection with the Service.
“Subscription Fees” means the subscription fees for access and use of the Service in accordance with the Service Tier that Subscriber chooses.
“Subscription Term” means the period during which Subscriber has agreed to subscribe to the Service.
“User” means an employee, independent contractor or consultant of Subscriber authorized by Subscriber to use the Service on behalf of Subscriber.
“Workflow” means an enterprise grade business workflow application provided by a third party, not WorkOS.
“WorkOS Integration Code” means the executable form of WorkOS’ proprietary software development code downloadable by Subscriber from the WorkOS Platform that is configured by Subscriber and included in the Subscriber App(s) to enable data to be transmitted from the Subscriber App(s) to the WorkOS Platform, as further specified in the Documentation.
“WorkOS IP” means the Service, the underlying software provided in connection with the Service, algorithms, interfaces, technology, databases, tools, know-how, processes and methods used to provide or deliver the Service, the Documentation and the look and feel of the Service (including any custom fonts, graphics and button icons), and all improvements, modifications or enhancements to the foregoing, and all Intellectual Property Rights in and to any of the foregoing.
“WorkOS Platform” means the cloud-based, hosted service made available through www.workos.com (the “Site”), as further specified in the Documentation.
2. Access to Service; License Grant.
a. WorkOS Platform. Subject to the terms and conditions of this Agreement (including timely payment of the Subscription Fees), WorkOS grants Subscriber a limited, revocable, nonexclusive, non-transferable (except in compliance with Section 16(f)) right to access and use the WorkOS Platform and related Documentation solely for Subscriber’s internal business purposes in connection with the operation of the Subscriber App(s), and in accordance with, and subject to, the applicable Service Tier. Subscriber is responsible for obtaining and configuring all required computer hardware, software and telecommunications services to access the WorkOS Platform.
b. WorkOS Integration Code. Subject to the terms and conditions of this Agreement (including timely payment of Subscription Fees), WorkOS hereby grants Subscriber a limited, revocable, non-exclusive and non-transferable (except in compliance with Section 16(f)), license to: (i) install the WorkOS Integration Code on machines controlled by Subscriber and use the WorkOS Integration Code and related Documentation and (ii) reproduce and distribute the WorkOS Integration Code solely as embedded within the Subscriber App(s). Subscriber may use the WorkOS Integration Code solely in connection with Subscriber’s use of the WorkOS Platform, and in accordance with, and subject to, the applicable Service Tier. WorkOS will deliver the WorkOS Integration Code to Subscriber electronically. Subject to the terms and conditions of this Agreement, Subscriber may make one back-up archival copy of the WorkOS Integration Code.
c. Third-Party Software. The WorkOS Integration Code contains certain third-party components subject to various open source or free software licenses. Subscriber’s use of such software is subject to and governed by the open source license that accompanies the software and is not subject to the terms and conditions of this Agreement, except that this Section 2(c) and Sections 8(b) (Disclaimer) and Section 15 (Limitation of Liability) also govern Subscriber’s use thereof.
d. Users. Subscriber will not allow any Person other than Users to access and use the Service. Subscriber may permit Users to access and use the Service, provided that Subscriber ensures each User complies with all applicable terms and conditions of this Agreement and Subscriber is responsible for acts or omissions by Users in connection with their access and use the Service. Subscriber will, and will require all Users to, use all reasonable means to secure user names and passwords, hardware and software used to access the WorkOS Platform in accordance with customary security protocols, and will promptly notify WorkOS if Subscriber knows or reasonably suspects that any user name and/or password has been compromised.
3. Subscription Fees.
a. Subscription Fees. In exchange for Subscriber’s rights to use the Service and Documentation during the Subscription Term, Subscriber agrees to pay the applicable Subscription Fees. The Subscription Fees do not include taxes and Subscriber shall be responsible for all such taxes, levies or duties under associated with this Agreement, other than taxes based on WorkOS’ net income. Except as otherwise agreed upon by the parties in writing, WorkOS will charge Subscriber’s selected payment method (such as a credit card) for any Subscription Fees on the applicable payment date, including any applicable taxes. If WorkOS cannot charge Subscriber’s selected payment method for any reason (such as expiration or insufficient funds), Subscriber remains responsible for any uncollected amounts, and WorkOS will attempt to charge the payment method again as Subscriber may update its payment method information. In accordance with local law, WorkOS may update information regarding Subscriber’s selected payment method if provided such information by Subscriber’s financial institution.
b. Payment. All amounts are payable in U.S. Dollars. All payments are nonrefundable. WorkOS may impose interest on late payments at the lower of 1.5% per month, or the maximum rate allowable by applicable law, and WorkOS may suspend Service until all payments are made in full.
c. Free Service Tier. From time to time, WorkOS may offer a free Service tier that allows Subscriber to use the Service and Documentation free of charge (“Free Service Tier”). Subscriber acknowledges and agrees that the features and functionalities of the Service on the Free Service Tier may be limited. WorkOS reserves the right to modify or terminate the Free Service Tier at any time, without notice and in its sole discretion.
Workflows compatible with the Service are described in the Documentation. In some instances, as described in the Documentation, enabling a Workflow for use with the Service requires Subscriber to implement the third-party Workflow provider’s own SDK or code on the SubscriberApp(s). Subscriber must license Workflows separately directly from the third-party Workflow provider; WorkOS does not provide access to Workflows to Subscriber and is not responsible for any compatibility issues, errors or bugs in the Service in whole or in part caused by the Workflows.
5. Access and Use Restrictions; Suspension.
Subscriber will not at any time and will not permit any Person (including, without limitation, Users) to, directly or indirectly: (a) copy, distribute, rent, sell, lease, lend, or transfer the Service; (b) make the Service available to any third party, except as expressly permitted by this Agreement; (c) use the Service on a service bureau basis; (d) decompile, reverse engineer, or disassemble any software component of the Service; (e) alter or modify any software component of the Service; (f) create derivative works based on the Service or any components thereof; (g) modify, remove, or obscure any copyright, trademark, patent or other notices or legends that appear with the Service; (h) interfere with or impair the operation of the Service by any means including introduction of malware or excessive usage or network traffic; (i) use any automated methods (including “robots” or “crawlers”) to download or “scrape” any data or materials from the Service, (j) use the Service to collect or process any Sensitive Personal Data, (k) use the Service, Documentation or any other WorkOS Confidential Information for benchmarking or competitive analysis with respect to competitive or related products or services, or to develop, commercialize, license or sell any product, service or technology that could, directly or indirectly, compete with the Service, or (l) disclose any performance tests or other performance information related to the Service to any third parties. In the event that WorkOS reasonably believes that Subscriber is using the Service in violation of this Agreement, WorkOS may suspend Subscriber’s access to the Service with or without advanced notice in addition to and without prejudice to any other remedies WorkOS may have.
6. WorkOS Obligations.
a. Support. WorkOS will provide reasonable informational support about the use and operation of the Service and technical support for the Service 9am to 5pm EST on business days, by email, Slack-channel or in-app chat.
b. Security. WorkOS will use commercially reasonable technical and organizational measures designed to secure its systems and prevent unauthorized access to or use of the Service and to protect Subscriber Data against accidental loss or corruption. WorkOS shall not be liable for any loss, destruction, alteration, unauthorized disclosure or corruption of Subscriber Data caused by any third party.
c. Changes to Service. WorkOS may modify, enhance or remove features or functionality of the Service from time to time. WorkOS may make these changes to the Service for a variety of reasons, including, without limitation, to expand functionality, comply with updated industry standards or comply with law. If WorkOS changes the Service, then WorkOS will update the Documentation to reflect this. These updates will be effective on posting on the Site. If the changes materially reduce the overall functionality of the Service, then, as Subscriber’s sole and exclusive remedy and WorkOS’ sole and exclusive liability, Subscriber may terminate this Agreement.
7. Representations and Warranties.
Each party hereby represents and warrants to the other party that: (i) it is duly organized, validly existing and in good standing under its jurisdiction of organization and has the right to enter into this Agreement and (ii) the execution, delivery and performance of this Agreement and the consummation of the transactions contemplated hereby are within the corporate powers of such party and have been duly authorized by all necessary corporate action on the part of such Party, and constitute a valid and binding agreement of such party.
8. Service Warranty; Disclaimer.
a. Service Warranty. WorkOS warrants that the Service will provide substantially the functionality set forth in the Documentation. Subscriber’s sole and exclusive remedy, and WorkOS sole and exclusive liability, for breach of this warranty shall be for WorkOS to modify, replace or reperform the Service at WorkOS’ sole expense so that the Service conforms to this warranty.
b. Disclaimer. Except as expressly stated herein, the Service is provided “as is” and on an “as available” basis, and WORKOS MAKES NO WARRANTIES OR REPRESENTATIONS TO SUBSCRIBER, ITS USERS OR TO ANY OTHER PARTY REGARDING THE WORKOS IP, THE SERVICE OR ANY OTHER SERVICES OR MATERIALS PROVIDED HEREUNDER. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, WORKOS HEREBY DISCLAIMS ALL WARRANTIES AND REPRESENTATIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. WITHOUT LIMITING THE FOREGOING, WORKOS HEREBY DISCLAIMS ANY WARRANTY THAT USE OF THE SERVICE WILL BE ERROR-FREE, BUG-FREE OR UNINTERRUPTED.
9. Beta Services; Free Trials.
a. Beta Services. From time to time, WorkOS may offer services or software, or both, identified as beta, pilot, developer preview, non-production, evaluation or similar wording (“Beta Services”). Subscriber may accept or decline Beta Services. If accepted by Subscriber, Subscriber acknowledges and agrees that Beta Services: (a) are provided only for evaluation purposes; (b) may not be relied on by Subscriber for production use; and (c) may be subject to additional terms. Any Beta Services may be used only for the trial period specified when they are made available (and, in any event, will expire on the date that a version of the Beta Services becomes generally available). WorkOS may discontinue Beta Services at any time in its sole discretion and may never make Beta Services generally available.
b. Free Trials. WorkOS may offer access to the Service on a free trial basis (“Free Trial”) for a specified period of time. If WorkOS offers Subscriber a Free Trial, the specific terms (including the duration) of the Free Trial will be provided at signup and/or in the promotional materials describing the Free Trial and Subscriber’s use of the Free Trial is subject to Subscriber’s compliance with such specific terms. Free Trials may not be combined with any other offer. WorkOS reserves the right to modify or terminate Free Trials at any time, without notice and in its sole discretion.
c. Disclaimer. WorkOS may provide assistance with Beta Services or Free Trials in its discretion, however ALL BETA SERVICES AND FREE TRIALS ARE PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT ANY WARRANTY OF ANY KIND. For clarity, the following Sections of this Agreement do not apply to Subscriber’s use of Beta Services or Free Trials: 6(a) (Support), 8(a) (Service Warranty) and 13(b) (WorkOS Indemnification). ANY CONFIGURATIONS MADE BY SUBSCRIBER AND ANY SUBSCRIBER DATA
SUBMITTED BY OR BEHALF OF SUBSCRIBER INTO BETA SERVICES OR INTO THE SERVICE DURING A FREE TRIAL MAY BE PERMANENTLY LOST (I) IF THE BETA SERVICES ARE SUSPENDED, TERMINATED, OR DISCONTINUED, OR (II) AT THE END OF THE FREE TRIAL PERIOD, UNLESS SUBSCRIBER PURCHASES A SUBSCRIPTION TO THE SERVICE.
10. Subscriber Data.
a. License. Subscriber grants WorkOS a non-exclusive, non-transferable (except in compliance with Section 16(f)), worldwide, fully-paid, royalty-free license during the Subscription Term to, and to permit WorkOS’ subprocessors to, use, copy, distribute, modify for transmission and display and publicly perform Subscriber Data solely for the purpose of providing the Service to Subscriber and Users.
c. Data Processing Addendum. Each Party will comply with its obligations set forth in the Data Processing Addendum attached hereto as Exhibit A.
d. Aggregate Data. WorkOS shall have the right collect and analyze data and other information relating to the provision, use and performance of various aspects of the Service and related systems and technologies (including, without limitation, information that is derived or aggregated in deidentified from (i) Subscriber Data, and (ii) Subscriber’s and/or its Users use of the Service, such as usage data or trends with respect to the Service) (such data and information, collectively, “Aggregate Data”).
11. Term and Termination.
a. Term. This Agreement is effective as of the date on which Subscriber first accesses the Service through any online provisioning, registration or order process. This Agreement will govern Subscriber’s initial subscription to the Service on the Effective Date as well as any subsequent renewals. Unless this Agreement is terminated in accordance with this Section 11 or otherwise agreed by the parties in writing, (i) Subscriber’s subscription to the Service will renew for a Subscription Term equivalent in length to the then expiring Subscription Term and (ii) the Subscription Fees applicable to the subsequent Subscription Term shall be WorkOS’ fees for the applicable Service Tier at the time such subsequent Subscription Term commences. Either party may elect to terminate this Agreement and Subscriber’s subscription to the Service as of the end of the then current Subscription Term by providing notice to the other party no less than thirty (30) days prior to the end of such Subscription Term.
b. Termination for Breach. Either party may terminate this Agreement upon notice if the other party materially breaches this Agreement, provided that: (i) such party gives notice to the breaching party describing the manner in which this Agreement has been breached, and (ii) the breach is not cured within 30 days as of receipt of such notice. WorkOS may further immediately terminate this Agreement if Subscriber fails to pay any Subscription Fees when due.
c. Effect of Termination or Expiration. Upon expiration or termination of this Agreement: (i) the rights granted pursuant to Sections 2(a) and 2(b) will terminate; (ii) WorkOS may irrevocably delete any and all information associated with Subscriber’s account, including Subscriber Data; (iii) Subscriber will return or destroy, at WorkOS’ sole option, all copies of the WorkOS Integration Code and all WorkOS Confidential Information in its possession or control, including permanent removal of such WorkOS Confidential Information (consistent with customary industry practice for data destruction) from any storage devices or other hosting environments that are in Subscriber’s possession or under Subscriber’s control, and at WorkOS’ request, certify in writing to WorkOS that the WorkOS Integration Code and WorkOS Confidential Information has been returned, destroyed or, in the case of electronic communications, deleted. Notwithstanding the foregoing, WorkOS will assist Subscriber in exporting Subscriber Data from the Service for up to thirty (30) days following the termination or expiration of this Agreement, if Subscriber requests this assistance prior to the termination or expiration of this Agreement. No expiration or termination will affect Subscriber’s obligation to pay all Subscription Fees that may have become due or otherwise accrued through the effective date of expiration or termination, or entitle Subscriber to any refund.
d. Survival. This Section 11(d) (Survival) and Sections 2(c) (Third-Party Software), 2(d) (Users), 3 (Subscription Fees), 8(b) (Disclaimer), 10(d) (Aggregate Data), 11(c) (Effect of Termination or Expiration), 12 (Confidential Information), 13(a) (Proprietary Rights), 13(b) (Reservation of Rights), 13(d) (Feedback), 14 (Indemnification), 15 (Limitation of Liability) and 16 (General Provisions), survive any termination or expiration of this Agreement.
12. Confidential Information.
a. Definition. “Confidential Information” means any information that one party (the “Disclosing Party”) provides to the other Party (the “Receiving Party”) in connection with this Agreement, whether orally or in writing, that is designated as confidential or that reasonably should be considered to be confidential given the nature of the information and/or the circumstances of disclosure. For clarity: (a) all Subscriber Data is Confidential Information of Subscriber, and (b) any and all non-public features of the Service and Documentation including and all pages and materials on the WorkOS website that are accessible only after logging in are Confidential Information of WorkOS. Notwithstanding the foregoing, Confidential Information does not include information that: (i) was rightfully known by the Receiving Party prior to receiving such information or materials from the Disclosing Party; (ii) is independently developed by Receiving Party without use of or reference to the Disclosing Party’s Confidential Information; (iii) becomes known publicly, before or after disclosure, through no act or failure to act by the Receiving Party; or (iv) is approved for release in writing by the Disclosing Party.
b. Confidentiality Restrictions. The Receiving Party will maintain the Disclosing Party’s Confidential Information in strict confidence, and will not use the Confidential Information of the Disclosing Party except as necessary to perform its obligations or exercise its rights under this Agreement; provided that WorkOS may use and modify Confidential Information of Subscriber in deidentified form for purposes of developing and deriving Aggregate Data. The Receiving Party will not disclose or cause to be disclosed any Confidential Information of the Disclosing Party, except (i) to those employees, representatives, or contractors of the Receiving Party who have a bona fide need to know such Confidential Information to perform under this Agreement and who are bound by written agreements with use and nondisclosure restrictions at least as protective as those set forth in this Agreement, or (ii) as such disclosure may be required by the order or requirement of a court, administrative agency or other governmental body, subject to the Receiving Party providing to the Disclosing Party reasonable written notice to allow the Disclosing Party to seek a protective order or otherwise contest the disclosure.
c. Term. Each party’s obligations of non-disclosure with regard to Confidential Information will expire five (5) years from the date first disclosed to the Receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.
13. Intellectual Property.
a. Proprietary Rights.
i. Ownership by WorkOS. The WorkOS IP is the exclusive property of WorkOS. Subject to the limited rights expressly granted in this Agreement, WorkOS reserves and, as between the parties will solely own, all right, title and interest in and to the WorkOS IP.
ii. Ownership by Subscriber. WorkOS asserts no ownership rights in Subscriber Data. As between the parties, subject to the limited rights granted to WorkOS in this Agreement, Subscriber owns all right, title and interest in and to the Subscriber Data, including all Intellectual Property Rights therein.
b. Reservation of Rights. No rights are granted to either party hereunder (whether by implication, estoppel, exhaustion or otherwise) except as expressly set forth in this Agreement.
c. Logo Usage. During the Subscription Term, WorkOS may use Subscriber’s name, logos and trademarks in listings of WorkOS’ customers on WorkOS’ website and in other public statements or disclosures for the purposes of marketing the Service. All goodwill and improved reputation generated by WorkOS’ use of the Subscriber’s name, logos and trademarks inures to the exclusive benefit of Subscriber. WorkOS will use Subscriber’s name, logos and trademarks in the form stipulated by Subscriber and will conform to and observe such standards as Subscriber prescribes from time to time in connection with the right granted hereunder.
d. Feedback. From time to time Subscriber or its employees, contractors, or representatives may provide WorkOS with suggestions, comments, feedback or the like with regard to the Service (collectively, “Feedback”). Subscriber hereby grants WorkOS a perpetual, irrevocable, royalty-free and fully-paid up license to use and exploit all Feedback in connection with WorkOS’ business purposes, including, without limitation, the testing, development, maintenance and improvement of the Service.
b. WorkOS Indemnification. Subject to Section 14(d), WorkOS will defend Subscriber against Claims alleging that Subscriber’s use of the Service infringes or misappropriates such third party’s Intellectual Property Rights, and will indemnify and hold harmless Subscriber against any damages and costs awarded against Subscriber or agreed in settlement by WorkOS (including reasonable attorneys’ fees) resulting from such Claim. WorkOS’ obligations under this Section 14(b) will not apply if the underlying third-party Claim arises from or as a result of: (i) Subscriber’s breach of this Agreement, negligence, willful misconduct or fraud; (ii) any Subscriber Data; (iii) Subscriber’s failure to use any enhancements, modifications, or updates to the Service that have been provided by WorkOS; (iv) modifications to the Service by anyone other than WorkOS; or (v) combinations of the Service with software, data or materials not provided or approved by WorkOS.
c. IP Remedies. If WorkOS reasonably believes the Service (or any component thereof) could infringe any third party’s Intellectual Property Rights, WorkOS may, at its sole option and expense, use commercially reasonable efforts to: (i) modify or replace the Service, or any component or part thereof, to make it non-infringing; or (ii) procure the right for Subscriber to continue using the Service. If WorkOS determines that neither alternative is commercially practicable, WorkOS may terminate this Agreement, in its entirety or with respect to the affected component, by providing written notice to Subscriber. The rights and remedies set forth in this Section 14 will constitute Subscriber’s sole and exclusive remedy and WorkOS’ sole and exclusive liability for any infringement or misappropriation of Intellectual Property Rights in connection with the Service.
d. Indemnification Procedure. The party seeking defense and indemnity (the “Indemnified Party”) will promptly (and in any event no later than thirty (30) days after becoming aware of facts or circumstances that could reasonably give rise to any Claim) notify the other party (the “Indemnifying Party”) of the Claim for which indemnity is being sought, and will reasonably cooperate with the Indemnifying Party in the defense and/or settlement thereof. The Indemnifying Party will have the sole right to conduct the defense of any Claim for which the Indemnifying Party is responsible hereunder (provided that the Indemnifying Party may not settle any Claim without the Indemnified Party’s prior written approval unless the settlement is for a monetary amount, unconditionally releases the Indemnified Party from all liability without prejudice, does not require any admission by the Indemnified Party, and does not place restrictions upon the Indemnified Party’s business, products or services). The Indemnified Party may participate in the defense or settlement of any such Claim at its own expense and with its own choice of counsel or, if the Indemnifying Party refuses to fulfill its obligation of defense, the Indemnified Party may defend itself and seek reimbursement from the Indemnifying Party.
15. Limitation of Liability.
a. Waiver of Indirect Damages. IN NO EVENT WILL WORKOS BE LIABLE FOR ANY INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF INCOME, DATA, PROFITS, REVENUE OR BUSINESS INTERRUPTION, OR THE COST OF COVER OR SUBSTITUTE SERVICES OR OTHER ECONOMIC LOSS, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, THE WORKOS IP OR THE PROVISION OF THE SERVICE, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED ON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE.
b. Cap on Liability. IN NO EVENT WILL WORKOS BE LIABLE FOR AGGREGATE DAMAGES IN EXCESS OF (A) THE TOTAL SUBSCRIPTION FEES PAID BY SUBSCRIBER TO WORKOS DURING THE SIX (6) MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY, OR (B) ONE HUNDRED DOLLARS ($100), IF SUBSCRIBER HAS NOT HAD ANY PAYMENT OBLIGATIONS TO WORKOS, AS APPLICABLE, REGARDLESS OF THE LEGAL OR EQUITABLE THEORY ON WHICH THE CLAIM OR LIABILITY IS BASED.
c. Independent Allocation of Risk. THE EXCLUSIONS AND LIMITATIONS OF DAMAGES SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN WORKOS AND SUBSCRIBER.
16. General Provisions.
a. Governing Law; Venue. This Agreement shall be governed by the laws of the State of California without regard to conflict of law principles. Subscriber and WorkOS agree to submit to the personal and exclusive jurisdiction of the state courts and federal courts located in San Francisco, California for the purpose of litigating all claims or disputes, and waive any and all objections regarding venue or inconvenient forum in such courts.
b. Amendments. WorkOS may amend this Agreement from time to time upon written notice to Subscriber (which may be provided on the Site). Subscriber’s continued use of the Service following the effective date of any such amendment will mean that Subscriber has accepted and agreed to the changes.
c. Waiver. A party’s failure to require performance of any provision of this Agreement shall not affect its right to require performance at any time thereafter, nor shall a waiver of any breach or default constitute a waiver of any subsequent breach or default.
d. Severability. If any part of this Agreement is determined to be invalid or unenforceable, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of this Agreement will continue in effect.
e. Headings. Use of paragraph headers in this Agreement is for convenience only and shall not have any impact on the interpretation of particular provisions.
f. Assignment. Neither party may assign this Agreement without the other party’s express written consent, except that WorkOS may assign this Agreement to its successor by way of merger, acquisition, reorganization, or sale of stock or assets. Any attempt to assign or transfer this Agreement in violation of this Section will be void. Subject to the foregoing, this Agreement is binding upon and will inure to the benefit of each of the parties and their respective successors and permitted assigns.
g. Notices. All notices required or permitted under this Agreement will be in writing, will reference this Agreement, and will be deemed given: (i) one (1) business day after deposit with a nationally-recognized express courier, with written confirmation of receipt; (ii) when sent by email, on the date the email was sent if sent during normal business hours of the receiving party, and on the next business day if sent after normal business hours of the receiving party; or (iii) three (3) business days after having been sent by registered or certified mail, return receipt requested, postage prepaid. All such notices will be sent to: (i) if to WorkOS, 548 Market St, PMB 86125, San Francisco, CA 94104, [email protected], or (ii) if to Subscriber, to the address and email provided by Subscriber on its account with the Service; or to such other address as may be specified by either party to the other party in accordance with this Section. Subscriber’s questions or communications regarding the Service can be sent to [email protected] but will not serve as notice under this Agreement.
h. Independent Contractors. The relationship between the parties is that of independent contractors. Neither party is nor will represent itself as the agent of the other.
i. Force Majeure. To the extent caused by hurricane, earthquake, other natural disaster or act of God, terrorism, war, labor unrest, general failure of the Internet or of communications systems, or other forces beyond the performing party’s reasonable control (collectively, “Force Majeure”), no delay, failure, or default, other than Subscriber’s failure to make payments when due, will constitute a breach of this Agreement. The performing party shall use reasonable efforts to minimize the delays, to notify the other party promptly, and to inform the other party of its plans to resume performance.
j. Injunctions. Each party agrees that breach or threatened breach by such party of any of its obligations under Section 12 (Confidentiality) or, in the case of Subscriber, Section 5 (Access and Use Restrictions; Suspension) would cause the injured irreparable injury for which monetary relief would not provide adequate compensation, and that in addition to any other remedies available, the injured party will be entitled to injunctive relief against such breach or threatened breach, without the necessity of proving actual damages or posting a bond or other security. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity or otherwise. This Section shall not be taken to limit either party’s right to injunctive relief related to breach of a section of this Agreement not listed in this Section.
k. Entire Agreement. This Agreement constitutes the entire and exclusive understanding and agreement between Subscriber and WorkOS regarding Subscriber’s use of and access to the Service. This Agreement supersedes all prior or contemporaneous writings, negotiations, and discussions with respect to the subject matter hereof.
l. No Third-Party Beneficiaries. No provision of this Agreement is intended to confer any rights, benefits, remedies, obligations, or liabilities hereunder upon any Person other than the parties and their respective successors and assigns.
Data Processing Addendum
This Data Processing Addendum (“Addendum”) forms part of the Subscription Service Terms and Conditions (“Agreement”) between Subscriber and WorkOS.
1. Subject Matter and Duration.
a) Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Subscriber Personal Data in connection with WorkOS’s execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its attachments conflicts with the Agreement, this Addendum shall control.
b) Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement. WorkOS will Process Subscriber Personal Data until the relationship terminates as specified in the Agreement.
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
a) “Subscriber Personal Data” means Subscriber Data that is Personal Data Processed by WorkOS on behalf of Subscriber.
b) “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Subscriber Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (“CCPA”) and the EU General Data Protection Regulation 2016/679 (“GDPR”).
c) “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
d) “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Subscriber Personal Data attributable to WorkOS.
e) “Subprocessor(s)” means WorkOS’s authorized vendors and third party service providers that Process Subscriber Personal Data.
3. Data Use and Processing.
a) Documented Instructions. WorkOS shall Process Subscriber Personal Data to provide the Service in accordance with the Agreement, this Addendum, and any instructions agreed upon by the parties. WorkOS will, unless legally prohibited from doing so, inform Subscriber in writing if it reasonably believes that there is a conflict between Subscriber’s instructions and applicable law or otherwise seeks to Process Subscriber Personal Data in a manner that is inconsistent with Subscriber’s instructions.
b) Authorization to Use Subprocessors. To the extent necessary to fulfill WorkOS’s contractual obligations under the Agreement, Subscriber hereby authorizes WorkOS to engage Subprocessors.
c) WorkOS and Subprocessor Compliance. WorkOS agrees to (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Subscriber Personal Data that imposes on such Subprocessors data protection requirements for Subscriber Personal Data that are consistent with this Addendum; and (ii) remain responsible to Subscriber for WorkOS’s Subprocessors’ failure to perform their obligations with respect to the Processing of Subscriber Personal Data.
d) Right to Object to Subprocessors. Where required by Data Protection Laws, WorkOS will notify Subscriber prior to engaging any new Subprocessors by updating following website: www.workos.com/legal/subprocessors. WorkOS will allow Subscriber two (2) calendar days to object to the new Subprocessor after notice is given. It is Subscriber's responsibility to check this website regularly for updates. If Subscriber emails [email protected] with legitimate objections to the appointment of any new Subprocessor within the objection period set forth above, the parties will work together in good faith to resolve the grounds for the objection.
e) Confidentiality. Any person authorized to Process Subscriber Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
f) Personal Data Inquiries and Requests. Where required by Data Protection Laws, WorkOS agrees to provide reasonable assistance and comply with reasonable instructions from Subscriber related to any requests from individuals exercising their rights in Subscriber Personal Data granted to them under Data Protection Laws.
g) Sale of Subscriber Personal Data Prohibited. WorkOS shall not sell Subscriber Personal Data as the term "sell" is defined by the CCPA.
h) Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, WorkOS agrees to provide reasonable assistance at Subscriber’s expense to Subscriber where, in Subscriber’s judgement, the type of Processing performed by WorkOS requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
i) Demonstrable Compliance. WorkOS agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Subscriber’s reasonable request.
j) Limitation on Disclosure of Subscriber Personal Data. To the extent legally permitted, WorkOS shall: (i) promptly notify Subscriber in writing upon receipt of an order, demand, or document purporting to request, demand or compel the production of Subscriber Personal Data to any third party, including, but not limited to the United States government for surveillance and/or other purposes; and (ii) not disclose Subscriber Personal Data to the third party without providing Subscriber at least forty-eight (48) hours’ notice, so that Subscriber may, at its own expense, exercise such rights as it may have under applicable laws to prevent or limit such disclosure.
k) Service Optimization. Where permitted by Data Protection Laws, WorkOS may Process Subscriber Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.
4. Cross-Border Transfers of Personal Data.
a) Cross-Border Transfers of Personal Data. Subscriber authorizes WorkOS and its Subprocessors to transfer Subscriber Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
b) Standard Contractual Clauses. If Subscriber Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Subscriber to WorkOS in a country that has not been found to provide an adequate level of protection under Data Protection Laws, the parties agree that the terms of the transfer shall be governed by the Standard Contractual Clauses attached hereto as Attachment 1. The parties agree that: (i) the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with Section 7 of this Addendum; (ii) pursuant to Clause 5(h) and Clause 11 of the Standard Contractual Clauses, WorkOS may engage new Subprocessors in accordance with Section 3(b) – (d) of this Addendum; and (iii) the Subprocessor agreements referenced in Clause 5(j) and certification of deletion referenced in Clause 12(1) of the Standard Contractual Clauses shall be provided only upon Subscriber ’s written request. Each party’s acceptance of the Agreement shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
5. Information Security Program.
a) Security Measures. WorkOS shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Subscriber Personal Data in accordance with WorkOS’s Information Security Standards attached hereto as Attachment 2.
6. Security Incidents.
a) Notice. Upon becoming aware of a Security Incident, WorkOS agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Subscriber. Where possible, such notice will include all available details required under Data Protection Laws for Subscriber to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
a) Subscriber Audit. Where Data Protection Laws afford Subscriber an audit right, Subscriber (or its appointed representative) may carry out an audit of WorkOS’s policies, procedures, and records relevant to the Processing of Subscriber Personal Data by having WorkOS complete a data protection questionnaire of reasonable length. Any audit shall be: (i) be limited to once per year; and (ii) subject to reasonable confidentiality procedures.
8. Data Deletion.
a) Data Deletion. At the expiry or termination of the Agreement, WorkOS will delete all Subscriber Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with WorkOS’ data retention schedule), except where WorkOS is required to retain copies under applicable laws, in which case WorkOS will isolate and protect that Subscriber Personal Data from any further Processing except to the extent required by applicable laws.
9. Processing Details.
a) Subject Matter. The subject matter of the Processing is the Service pursuant to the Agreement.
b) Duration. The Processing will continue until the expiration or termination of the Agreement.
c) Categories of Data Subjects. Data subjects whose Subscriber Personal Data will be Processed pursuant to the Agreement.
d) Nature and Purpose of the Processing. The purpose of the Processing of Subscriber Personal Data by WorkOS is the performance of the Service.
e) Types of Subscriber Personal Data. Subscriber Personal Data that is Processed pursuant to the Agreement.
Exhibit A – Attachment 1
Standard Contractual Clauses (Processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Name of the data exporting organisation: Subscriber.
(the data exporter)
Name of the data importing organisation: WorkOS.
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is: Subscriber.
The data importer is: WorkOS.
The personal data transferred concern the following categories of data subjects: As set forth in Section 9(c) of the Addendum.
Categories of data
The personal data transferred concern the following categories of data: As set forth in Section 9(e) of the Addendum.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data: As set forth in Section 9(e) of the Addendum.
The personal data transferred will be subject to the following basic processing activities: Processing to carry out the Service pursuant to the Agreement.
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
WorkOS will implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Subscriber Personal Data in accordance with the Addendum.
Exhibit A – Attachment 2
WorkOS Information Security Standards
WorkOS shall implement and maintain an information security program (“Information Security Program”) that: (i) is consistent with industry standard practices taking into consideration the sensitivity of the relevant Subscriber Personal Data, and the nature and scope of the Service to be provided; (ii) includes reasonable administrative, technical and physical safeguards designed to protect Subscriber Personal Data; and (iii) complies with Data Protection Laws. At a minimum, the Information Security Program shall include: