Data Security Addendum

Okta Inc. Data Security Addendum

For Customers Purchasing Through a Partner

This Data Security Addendum (this “Addendum”) is between Okta and Customer, sets forth the data security commitments Okta makes to Customer in connection with Customer’s use of the Service, and supplements the agreement between Customer and Reseller pursuant to which Reseller is reselling subscriptions to the Service to Customer.

1. Definitions.

1.1. “Free Trial Service” means any Okta service or functionality that may be made available by Okta to Customer to try at Customer’s option, at no additional charge, and which is clearly designated as “beta,” “trial,” “non-GA,” “pilot,” “developer preview,” “non-production,” “free trial,” “evaluation,” “early access,” or by a similar designation.

1.2. “Customer” means the entity that has contracted with Reseller to purchase subscriptions to the Service.

1.3 “Customer Data” means all electronic data submitted by or on behalf of Customer to the Service.

1.4. “Customer Order Form” means an ordering document between Customer and Reseller specifying the Service purchased and to be provided by Okta.

1.5. “Documentation” means Okta’s user guides and other end user documentation for the applicable Service available on the online help feature of the Service, as updated by Okta from time to time, including without limitation the materials available at www.support.okta.com, and the ‘trust and compliance’ documentation available at https://www.okta.com/trustandcompliance.

1.6. “Non-Okta Application” means a web-based, offline, mobile, or other software application that is provided by Reseller, Customer or a third party and interoperates with the Service.

1.7. “Okta” means Okta, Inc., a Delaware corporation with offices at 301 Brannan Street, San Francisco, CA 94107.

1.8. “Reseller” means the authorized Okta reseller that has contracted with (a) Okta to resell subscriptions to the Service and (b) Customer for the sale of subscriptions to the Service.

1.9. “Service” means an Okta web based solution that is generally offered on a fixed-term subscription basis, as specified on a Customer Order Form and as described in the Documentation. “Service” excludes Free Trial Services and Non-Okta Applications.

2. Security.

Okta shall: (i) maintain appropriate administrative, physical, and technical safeguards to protect the security and integrity of the Service and the Customer Data as described in the Documentation; (ii) protect the confidentiality of the Customer Data; (iii) access and use the Customer Data solely to perform its obligations and exercise the rights granted to or retained by Okta; and (iv) maintain a security incident response plan in the event of any unauthorized disclosure of Customer Data by Okta or its agents of which Okta becomes aware, as described in the Documentation (“Security Program”). Such Security Program will conform with the Okta security protocols which are further described in Okta’s most recently completed Service Organization Control 2 (SOC 2) audit reports or other similar independent third party annual audit report (“Audit Report”). Upon Customer’s request, Okta shall provide Customer with a copy of Okta’s then-current Audit Report. In no event during Customer’s subscription to the Service shall Okta materially diminish the protections provided by the controls set forth in Okta’s then-current Audit Report. To the extent that Okta processes any Personal Data (as defined in the DPA) contained in Customer Data, on Customer’s behalf, in the provision of the Service (but, for clarity, excluding Free Trial Services, for which no Personal Data should be provided), the terms of the data processing addendum at https://www.okta.com/trustandcompliance ("DPA") as may be updated by Okta if required by applicable law, which are hereby incorporated by reference, shall apply and the parties agree to comply with such terms. For the purposes of the DPA (including the Standard Contractual Clauses attached to the DPA), Customer is the data controller and data exporter, and Customer's signing of a Customer Order Form shall be treated as signing of the DPA (including the Standard Contractual Clauses and their Appendices).

3. Limitation of Liability.

3.1. IN NO EVENT WILL EITHER OKTA (OR OKTA’S THIRD PARTY LICENSORS) BE RESPONSIBLE OR LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS ADDENDUM OR TERMS AND CONDITIONS RELATED THERETO UNDER ANY CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR OTHER THEORY FOR (A) ERROR OR INTERRUPTION OF USE, LOSS OR INACCURACY OR CORRUPTION OF DATA, (B) COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES, RIGHTS, OR TECHNOLOGY, (C) ANY LOST PROFITS OR REVENUES, OR (D) ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

3.2. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF OKTA TOGETHER WITH ALL OF ITS AFFILIATES ARISING OUT OF OR RELATED TO THIS ADDENDUM EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER UNDER THE APPLICABLE CUSTOMER ORDER FORM FOR THE SERVICE GIVING RISE TO THE LIABILITY IN THE TWELVE-MONTH PERIOD PRECEDING THE FIRST INCIDENT OUT WHICH THE LIABILITY AROSE. THE FOREGOING LIMITATION SHALL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY.

4. General.

Neither the rights nor the obligations arising under this Addendum are assignable or transferable by Customer or Okta without the other party’s prior written consent which shall not be unreasonably withheld or delayed, and any such attempted assignment or transfer shall be void and without effect. Notwithstanding the foregoing, either party may freely assign this Addendum upon notice and without the consent of the other party, to its successor in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets, provided that, in the case of Customer as the assigning party, all fees owed and due have been paid and such assignment is effected as part of a permitted assignment of the applicable Customer Order Form. This Addendum and any disputes arising out of or related hereto shall be governed by and construed in accordance with the laws of the State of California, without giving effect to its conflicts of laws rules or the United Nations Convention on the International Sale of Goods. With respect to all disputes arising out of or related to this Addendum, the parties consent to exclusive jurisdiction and venue in the state and Federal courts located in San Francisco, California. In any action to enforce this Addendum the prevailing party will be entitled to costs and attorneys’ fees. In the event that any of the provisions of this Addendum shall be held by a court or other tribunal of competent jurisdiction to be unenforceable, such provisions shall be limited or eliminated to the minimum extent necessary so that this Addendum shall otherwise remain in full force and effect and enforceable. If the performance of this Addendum or any obligation hereunder (other than obligations of payment) is prevented or restricted by reasons beyond the reasonable control of a party including but not limited to computer related attacks, hacking, or acts of terrorism, the party so affected shall be excused from such performance and liability to the extent of such prevention or restriction. This Addendum constitutes the entire agreement between Customer and Okta pertaining to the subject matter hereof, and any and all prior or contemporaneous written or oral agreements existing between the parties hereto related to the subject matter hereof are expressly canceled. No modification, amendment or waiver of any provision of this Addendum will be effective unless in writing and signed by both parties hereto.