OpenVPN Legal

Effective April 12, 2024

These Terms of Use and the Products and Services Agreements below (collectively, the “Terms”) govern your use of and access to our websites (the “OpenVPN Sites”), our web-based applications and products, customer support, discussion forums and other interactive areas or services, and services such as CloudConnexa® (collectively, the “Products and Services”), your use of and display our OpenVPN® trademark, our logos and other trademarks (the “Trademarks”) and your display of notices and licenses related to that open source versions of our OpenVPN software.

By using the OpenVPN Sites in any manner (such as by viewing its content, downloading any software, documents, information, or other materials (referred to collectively as “Content”) or ordering any Products and Services), using any Products and Services, or using the Trademarks and the OpenVPN software, you are agreeing to these Terms of Use.  If you do not accept these Terms of Use and do not intend to be bound by them, you must not use the OpenVPN Sites in any manner.

By using this website, you affirm that you are of legal age to enter into these Terms of Use, or, if you are not, that you have obtained parental or guardian consent to enter into these Terms of Use.  If you are using an OpenVPN Site on behalf of a trust, partnership, for profit entity or not-for profit entity, unincorporated association, government agency (each of which we refer to as an “Entity” in these Terms of Use), you represent that you have the authority to bind that entity to these Terms of Use.

1. Definitions. As used in these Terms of Use: (a) the words “we”, “us”, “our”, and “OpenVPN” mean and refer to OpenVPN, Inc., a Delaware corporation; and (b) the words “you” and your” mean the person accessing and using the OpenVPN Site and its Products and Services.   
2. Products and Services Agreements. Our Products and Services are licensed, not sold, to you pursuant to agreements governing those licenses.  When you order a Product or Service, you will consent to one or more of these agreements that are applicable to that Product or Service and complete a Product and Service Order.  These agreements (which are collectively referred to as the “Product and Service Agreements” in these Terms of Use) include the following:
   1. Master Product and Service Agreement
   2. Product and Service Order
   3. CloudConnexa End User License Agreement
   4. OpenVPN Access Server End User License Agreement
   5. Service Level Agreement
   6. OpenVPN Business Associate Agreement for Protected Health Information
   7. OpenVPN Data Processing Agreement, with addendum agreements applicable to specific jurisdictions where OpenVPN stores or processes data, including personal information.
   8. Open-source licenses for non-commercial versions of the OpenVPN software.

      The terms of the applicable Product and Services Agreements are incorporated by reference into these Terms of Use.  If there is any conflict between a provision in an applicable Product and Services Agreement and a provision of these Terms of Use, that applicable Product and Service Agreement will control.

3. Changes to Terms of Use. We may make changes to these Terms of Use at any time in our discretion.  If we do so, we will notify you by revising the date at the top of these Terms of Use and, in some cases, we may provide you with additional notice. We will not make changes that have the effect of imposing additional fees or charges on you without providing additional notice. Unless otherwise noted in that notice, the amended Terms of User will be effective immediately, and your continued access to and use of the OpenVPN Sites and Content, and use of Products and Services will confirm your acceptance of the changes. If you do not agree to the amended Terms of Use, you must stop using the OpenVPN Sites, Content, Products and Services and, if applicable, cancel your subscription; however, no change to these Terms of Use will affect your or our rights and obligations under an applicable Product and Service Agreement unless that Product and Service Agreement is also amended in the manner provided in that agreement.
4. Privacy
   1. Information about how we collect, use, share, or otherwise process information about you and your use of the Products and Services is in our Privacy Policy at https://openvpn.net/privacy-policy/  You have the option to manage information preferences concerning our use and storage of your personal information – please contact your OpenVPN support representative.
   2. In some countries, the law requires that we enter into a data protection agreement with you if we handle personal information (as defined in the Product and Service Agreement) as a part of the Services we provide or as a feature of a Product. These OpenVPN Data Processing Agreements are located at https://openvpn.net/legal/
5. Intellectual Property Rights and General Licenses
   1. We, or in certain instances our licensors, own all Content and the copyrights, trademarks, and other intellectual property rights in that Content.  You may not copy, redistribute, use or publish any of the Content, except as allowed by Section 6 (Use of OpenVPN Sites) and in accordance with the OpenVPN Trademark and Copyright Policies.
   2. OpenVPN® and the keyhole logo are registered trademarks of OpenVPN, and we own all rights in those trademarks under the laws of the United States and other countries.  The GPLv2 is the open-source license that covers your rights to use, modify, publish, distribute, market, and create derivative works based on the OpenVPN® Community Software.  Neither the GPLv2 license nor any other open-source license applies to your use of any OpenVPN Trademark.  Your use of any Trademark in connection with any software product based on the OpenVPN Community Software must comply with the OpenVPN Trademark and Copyright Policies, and all other uses of the Trademarks are prohibited without our prior written consent.
6. Use of OpenVPN Sites and Limitations. You may use the OpenVPN Sites to order Products and Services and, to the extent that a Product or Service involves the use of the OpenVPN Sites, access and use those OpenVPN Sites for the purposes related to those Products and Services.  You agree that you will not:
   1. copy or print any portion of the OpenVPN Sites (including any pages or Content) other than small portions of the OpenVPN Sites for personal, non-commercial use;
   2. republish, display, distribute, transmit, sell, rent, lease, loan, or otherwise make available in any form or by any means all or any portion of the OpenVPN Sites or Content;
   3. use the OpenVPN Sites or Content to develop, or as a component of, any information, storage and retrieval system, database, information base, or similar resource that is offered for commercial distribution of any kind other than as permitted under the open-source license governing the use of OpenVPN® Community Software or any other software that we license under an open-source license;
   4. create compilations or derivative works of any Content other than as permitted under the open-source license governing the use of OpenVPN® Community Software or any other software that we license under an open-source license;
   5. use any content in any manner that infringes, misappropriates of violates any intellectual property right or any other right of us or any third party;
   6. remove, change or obscure any copyright notice or other proprietary notice or terms of use contained in the OpenVPN Sites or any Content;
   7. make any portion of the OpenVPN Sites available through any timesharing system, service bureau, the internet or any other technology now existing or developed in the future;
   8. remove, decompile, disassemble or reverse engineer any OpenVPN Site’s software or Content or use any network monitoring or discovery software to determine the OpenVPN Site’s architecture or the architecture of any Content;
   9. use any automatic or manual process to harvest information from any OpenVPN Site;
   10. upload, transmit, store, or make available any content or computer software code contains viruses, malicious code, malware, or any components designed to harm or limit the functionality of the Products or Services;
   11. use an OpenVPN Site to gather information for or transmit (1) unsolicited commercial email; (2) email that makes use of headers, invalid or nonexistent domain names, or other means of deceptive addressing; or (3) unsolicited telephone calls, electronic messages, or facsimile transmissions;
   12. create accounts with OpenVPN for the purpose of violating these Terms of Use, any Product and Service Agreement, or our policies, such as by creating fake accounts or accounts with false or misleading information;
   13. use an OpenVPN Site or any Content in a manner that violates any United States state or federal law; or
   14. export or re-export the OpenVPN site any content or any portion thereof in violation of the export control laws or regulations of the United States.
7. Linking. You may provide links to OpenVPN Sites on your website if: (a) you do not remove, obscure or alter, by framing or otherwise, trademark and copyright symbols and notices, and other notices that appear on the OpenVPN Sites, and (b) your site is not used to engage in illegal or pornographic activities or other activities that violate the rules for Use of OpenVPN Sites.  If we conclude in our discretion that you or your website may be violating the preceding sentence, you must immediately discontinue providing links to all OpenVPN Sites upon us notifying you that you are to do so.
8. Advertising. The OpenVPN Sites may contain advertising and sponsorships. Advertisers and sponsors are responsible for ensuring that material submitted for inclusion on the OpenVPN Sites is accurate and complies with applicable laws. We are not responsible for the illegality or any error, inaccuracy or problem in the advertiser's or sponsor's materials.
9. Payments
   1. Taxes and Third-Party Fees. Unless the Product or Service Order specifically states otherwise, you must pay any applicable taxes and third-party fees (including, for example, telephone toll charges, mobile carrier fees, ISP charges, data plan charges, credit card fees, VAT, foreign exchange fees, and foreign transaction fees) for any Product or Service. We are not responsible for these fees.
   2. Credit Card Information. You authorize us or our authorized vendor(s) to store your payment method and use it in connection with your use of the Services and Software.  To avoid interruption of your service, we may participate in programs supported by your card provider to try to update your payment information. You authorize us or our authorized vendor(s) to continue billing and charging your account for amounts owed with the information that we obtain.  You warrant that any credit information you supply to us is true and complete and that the charges you incur will be honored by your credit card company.
10. Accounts. Certain Products and Services require you to register for an OpenVPN account ("Account"), and registration may be required for full functionality of certain Products and for product and technical support.  You agree to provide us with your name or the name of the entity you represent, mail and email address, telephone contact information, and a valid form of payment.  You may also be requested to provide additional information.  You warrant that all such information will be accurate and complete.  Our obligations concerning the use and disclosure of your account information are in the OpenVPN Privacy Policy and any applicable Data Processing Agreement.  We do not permit: (a) any other person using the registered sections of your account under your name; or (b) access through a single name being made available to multiple users on a network. You are responsible for preventing such unauthorized use.  We may terminate your OpenVPN account immediately on notice to you if we become aware that you have violated this Section 10.
11. Reporting of Illegal Activity. We reserve the right to investigate complaints or reported violations of these Terms of Use, including actions that may be unlawful.  We reserve the right to take any action we deem appropriate in response to any such violations, including reporting any suspected unlawful activity to law enforcement officials, regulators, or other third parties and disclosing any information necessary or appropriate to such persons relating to your profile, email addresses, usage history, posted materials, IP addresses and traffic information.  By accessing the OpenVPN Sites or any of the Content, you waive all objections to our taking of these actions in these situations.
12. Indemnification. You will indemnify us and our subsidiaries, affiliates, officers, agents, employees, partners, and licensors from any claim(s), demand(s), loss(es), or damage(s), including reasonable attorneys’ fees, arising out of, or related to your violation of these Terms of Use.  Your and OpenVPN’s rights and obligations concerning indemnification relating to any Product or Service are governed by the indemnification provisions of the applicable Product and Service Agreement.  Our obligations to indemnify you for loss or improper use and disclosure of personal information are governed by our Privacy Policy and the applicable Data Processing Agreement.
13. Warranties
    1. General Warranties – Disclaimer.  The OpenVPN Sites and all Content are made available and provided “AS IS” without any express or implied warranty of any kind.  Without limiting the scope of the previous sentence, we disclaim all warranties of merchantability, fitness of the OpenVPN Sites and Content for any particular purpose, and warranties of non-infringement of intellectual property rights of the OpenVPN Sites and Content. We do not represent or warrant that the OpenVPN Site will be error-free, free of viruses or other harmful components, or that defects will be corrected. We do not warrant that the Content will be correct, accurate, timely or otherwise reliable.
    2. Products and Services. Warranties for Products and Services are in the Product and Services Agreement and govern those warranties to the exclusion of this Section 13.
14. Third-Party Content. Third-party content may appear on the OpenVPN Sites or may be accessible via links from the OpenVPN Sites.  Although we attempt to prevent illegal or inappropriate content from appearing on the OpenVPN Sites, we are not responsible for and assume no liability for any mistakes, misstatements of law, defamation, omissions, falsehood, obscenity, pornography or profanity in the statements, opinions, representations, or any other form of third-party content that might appear on an OpenVPN Site or on any website that is accessible by links to an OpenVPN Site.  The information and opinions in the third-party content represent solely the thoughts of the author and is neither endorsed by nor does it necessarily reflect our beliefs or opinions.
15. Limitation on Liability.
    1. General Limitation. Our aggregate liability to you for monetary damages of any kind for violation of these Terms of Use or that arise out of your use of or relate to the OpenVPN Sites or the Content will not exceed $500.00, regardless of the nature of the claim (including negligence). 
    2. Exclusion of Liability for Errors or Inaccessibility.  We will not be liable  for any loss, injury, claim, liability, or damage of any kind resulting in any way from (i) any errors in or omissions from the OpenVPN sites or Content; or (ii) the unavailability or interruption of the OpenVPN Site of Content.
    3. Exclusion of Certain Liabilities. To the extent permitted by applicable law, neither you nor OpenVPN shall be liable to the other or to any third party for any indirect, incidental, special or consequential damages, including damages for lost business or profits, regardless of the nature of the claim (including negligence), even if those damages were foreseeable or the other party has been advised of the possibility of such damages.  For the purpose of clarification, the previous sentence will not limit the right of a party to indemnification under Section 12 (Indemnification).  Neither you nor OpenVPN will be liable to the other party for punitive or exemplary damages regardless of the nature of the claim asserted, and each party irrevocably waives all claims to such damages to the extent such damages may be waived under applicable law.
    4. Limitations on Liability for Products and Services. The provisions of the applicable Product and Services Agreements govern the limitations on and exclusions liabilities of the parties related to those Products and liabilities to the exclusion of this Section 15.
16. Information you Provide.
    1. No Limitations on Our Use. Other than information you provide to us in connection with providing you Products or Services, which will be governed by the applicable Product and Services Agreements, and other than personal information that is subject to protection under our Privacy Policy, none of the information that you provide to us through the OpenVPN Sites will be deemed confidential or proprietary, and you agree not to provide to us any information you consider to be confidential or proprietary to you or any other person.  We may use without limitation and without compensation to you or any other person all such information you provide to us (such as remarks, suggestions for product features or improvements, and ideas related to products, advertising, logos, and designs), including by incorporating those ideas into Products and Services we offer.
    2. Your Representations. You represent that you have a legal right to convey to us all information that you provide to us through the OpenVPN Sites.  You represent that none of this information is false, misleading, conveyed in violation of the trade secret or other proprietary rights of others, conveyed in violation of any non-disclosure agreement or law, defamatory, or violate the rights of privacy of others.
17. Third-Party Products and Services. We may allow third-party product or service providers ("Merchants") to use the OpenVPN Sites to market products and services.  You understand that we do not operate or control the products or services offered by Merchants. Merchants are responsible for all aspects of order processing, fulfillment, billing, and customer service. We are not a party to the transactions entered into between you and Merchants. You agree that use of or purchase from such merchants is at your sole risk and is without warranties of any kind by us, expressed, implied or otherwise including warranties of title, fitness for purpose, merchantability, or non-infringement. Under no circumstances are we liable for any damages arising from transactions between you and merchants or for any information appearing on any OpenVPN Sites related to that merchant or any merchant sites that contain links to any OpenVPN Sites.  All Merchants are independent businesses that are unaffiliated with OpenVPN.
18. Refund and Return Policy
    1. Specific Products and Services. If the Product and Service Order under which you acquired a license to a Product or Service provides for a different cancellation period or refund terms, the terms of that Product and Service Order will govern to exclusion of this Section 18.
    2. General Policies. If you wish to cancel your subscription to an OpenVPN product for any reason, we will refund the purchase price you paid for the product if you make your refund request to us within 30 days of the date of purchase. We will not provide refunds for cancellations or returns of products on renewed subscriptions or for refunds requested more than 30 days after the date of purchase other than in cases where we determine that the product is defective, in which case we will refund the balance of the purchase price attributable to the remainder of the subscription.  Refunds for Standard Non-Subscription License Key(s) also called Fixed License Key(s) "fixed" license keys will only be permitted if the license key(s) have not been activated on a server. Refund requests must be made to us in writing by email directed to sales@openvpn.net explaining the reason for the refund request and, in the case of any refund due to a defective product, a description of the defect. Refunds on products are subject to the condition that you return the product to us in substantially the same condition as you purchased it. We will promptly respond to refund requests and use commercially reasonable efforts to do so within 30 days of the date the request was made.
    3. Third Party Products. Please note that certain products and services mentioned on the OpenVPN Sites are sold by third parties or are linked to third-party websites. We have no responsibility or liability for those products or services and you will need to obtain refunds for purchases of those products and services from the provider directly.
    4. Further Information. You may obtain additional information concerning our refund and return policy, including our mailing address, by contacting us at https://support.openvpn.com/
19. Consent to Electronic Communications.  By using the OpenVPN Sites and the Content, you consent to receiving certain electronic communications from us as further described in our Privacy Policy. Please read our Privacy Policy to learn more about our electronic communications practices.  You agree that any notices, agreements, disclosures, or other communications that we send to you electronically will satisfy any legal communication requirements, including that those communications be in writing.
20. Press Releases. We post press releases and other public announcements on the OpenVPN Sites from time to time.  We disclaim any obligation to update these press releases and announcements.  We may provide links to or republish press releases and other announcements from third parties.  We are not responsible for the truth, accuracy, or completeness of those press releases and announcements.
21. OpenVPN Trademark and Copyright Policies. The following are OpenVPN’s policies concerning the use and display of its Trademarks and Copyright notices by developers creating and advertising software products using the OpenVPN Community Software that is licensed on an open-source basis.
    1. Use of OpenVPN Trademark If you use the “OpenVPN” trademark in any way that identifies product or service, you must include the trademark “®” symbol and a notice stating that OpenVPN is a registered trademark of OpenVPN Inc.  The following are examples of correct and incorrect uses of “OpenVPN.”

       Correct: OpenVPN®
       Incorrect: OpenVPN
       Required statement:  “OpenVPN® is a registered trademark of OpenVPN Inc.”

       The above required statement must always appear as complete sentences and must appear on the copyright page and the page of the material in which OpenVPN® is mentioned.

       An exception to this requirement is that persons writing product reviews, news articles, articles for scholarly publications, or in legal documents may use “OpenVPN” without the statements above if that use is limited solely to describing the OpenVPN Community software.

    2. Use of Other OpenVPN Trademarks.

       You may not use the OpenVPN keyhole logo or any other trademark of OpenVPN without the prior written consent of OpenVPN. If we grant you that permission, your use of that logo or other trademark will be subject to the same rules concerning the display of the registered trademark symbol and the inclusion of the required statement as is applicable to the OpenVPN word trademark.

       You may never use any Trademark in a way that implies that you or the products and services you offer are endorsed by, sponsored, or affiliated with OpenVPN, without the prior written consent of OpenVPN.

       To ensure compliance with these Trademark and Copyright Policies, you agree to provide samples of any marketing, advertising, and material you are using that displays the Trademarks to us upon our request. If we determine that your use of the Trademarks violates these Trademark and Copyright Policies, may damage the reputation of OpenVPN and its Products and Services, violates these Terms of Use, or otherwise violates our rights as the owner of the Trademarks, you will immediately cease such use of the Trademarks.

    3. Copyright Notices.

       If you copy or display any portion of the OpenVPN Sites or its content, you are to display the following copyright notice on that copy or display. “© 2002-2024 OpenVPN Inc. All Rights Reserved.” Nothing in this paragraph will permit you to copy or display any portion of the OpenVPN Sites or Content in a manner that is otherwise not permitted in these Terms of Use.

    4. OpenVPN Community Software Distribution and Copyrights

       You must always comply with any version of the GNU General Public License applicable to any copyright or copyrightable work released by OpenVPN Inc. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

       • Redistributions of source code must retain our copyright notice and the disclaimer as listed below.
       • Redistributions in binary form must reproduce our copyright notice and disclaimer in the documentation and/or other materials provided with the distribution.
       • Neither the name OpenVPN nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

       Some Products may include technology components governed by the GPL license. You may only use these GPL components in accordance with the GPL license agreement.

    5. Changes to Trademarks

       We may modify or discontinue use of any Trademark at any time in our discretion.

    6. Questions

       If you have questions about our Trademark and Copyright Policies, you may contact us at sales@openvpn.net: Subject line: Official OpenVPN Trademark and Copyright Use Request.

22. Dispute Resolution

    Except as provided below, all controversies and claims arising out of or relating to these Terms of Use will be resolved by binding arbitration. conducted under the Federal Arbitration Act, 9 U.S.C. § 1 et seq. (the “FAA”) judicial Mediation and Arbitration Service (JAMS) under its Comprehensive Arbitration Rules and Procedures as in effect from time to time.  A copy of the current version of these rules is at https://www.jamsadr.com/rules-comprehensive-arbitration.  The arbitration will be conducted by means of remote video communication and not at a physical location unless the parties otherwise agree.  The arbitrator shall have the authority to determine an appropriate remedy in connection with any matter brought before the arbitrator including sanctions or interlocutory relief with respect to discovery, provided that such remedy must be of a nature that a court could award if the matter had been litigated in a court of competent jurisdiction.  The decision of the arbitrator will be final and binding. Judgment upon the award of the arbitrator, including any interlocutory relief or sanctions granted or issued by the arbitrator with respect to matters related to discovery, may be entered in any court having jurisdiction of that award.

    BY AGREEING TO ARBITRATE CLAIMS BROUGHT UNDER THESE TERMS OF USE, EACH PARTY ACKNOWLEDGES THAT IT IS IRREVOCABLY WAIVING ITS RIGHTS TO HAVE ANY SUCH CLAIMS TRIED IN A COURT BEFORE A JURY.

    A party may seek a temporary restraining order, a preliminary injunction, or other interim relief from a court of competent jurisdiction without prior reference to arbitration if such interim relief is necessary to prevent irreparable injury to that party for which monetary damages alone will be insufficient to provide a proper remedy.  After the court has determined whether to grant interim relief, the matter may be submitted to arbitrationbyanypartyforfinalresolution.

    If either you or OpenVPN wishes to initiate an arbitration (or lawsuit or other type of proceeding to the extent permitted under these Terms of Use) against the other party based on a controversy or claim that arises out or relates to these Terms of Use, that party must bring that arbitration or other action no later than one year after that controversy or claim arose.  A failure to initiate an arbitration or other proceeding within that one year period will cause that claim or right to submit that controversy to arbitration to be forever waived and barred.

    For any dispute arising out of or relating to a Product or Service, the dispute resolution provisions of the applicable Products and Services Agreement will apply to the exclusion of this Section 22.

23. Class Action Waiver

    You may only bring any action (including any arbitration, lawsuit, or other proceeding) in your capacity as an individual and not as a class action or other representative action. ACCORDINGLY, YOU IRREVOCABLY WAIVE ANY RIGHT YOU MAY OTHERWISE HAVE TO BRING A CLASS ACTION OR SEEK RELIEF ON A CLASS BASIS IN ANY MATTER THAT ARISES OUT OF OR RELATES TO THESE TERMS OF USE.

24. Miscellaneous
    1. These Terms of Use are governed by the laws of the State of California, excluding the conflicts of laws principles of that state that would otherwise apply the laws of any other jurisdiction.
    2. Neither you nor OpenVPN may assign its rights of obligations under these Terms of Use, including any claims that arise under these Terms of Use, without the prior consent of the other party, which consent may be withheld in that party’s sole discretion. However, we may assign our rights and obligations without your consent to an affiliate of OpenVPN (such as a subsidiary, parent or company under common ownership with OpenVPN) or to the purchaser or assignee of or successor to OpenVPN’s business or assets.
    3. Except where the words “business days” is used, all references to “days” in this Master Agreement mean calendar days. “Business days” means days other than weekend days and federal holidays in the United States when banks in Pleasanton, California are authorized to remain closed. The word “including” in these Terms of Use means “including but not limited to.” All references to the “consent” of a party means a consent, which that party may grant in its unlimited discretion, that is signed by the party granting that consent.
    4. These Terms of Use contain the entire agreement of the parties concerning the subject matter of these Terms of Use and supersede all prior OpenVPN terms of use. Nothing in these Terms of Use will amend, terminate, or otherwise modify or limit any Product and Service Agreement.

The legal contract entered between OpenVPN and the user of OpenVPN software. The EULA specifies in detail the rights and restrictions which apply to the use of the software.

THIS GENERAL DATA PROCESSING AGREEMENT (“DPA”) is entered into by OpenVPN Inc., a Delaware corporation (“OpenVPN”) and the person or persons to whom OpenVPN has granted a license to use a service described below (the “Customer”) and sets forth the terms under which OpenVPN will process Customer Data in connection with that service.

All capitalized terms not defined in this DPA shall have the meanings set forth in the License Agreement. For the avoidance of doubt, all references to the “Agreement” shall include this DPA.

1. Definition of Terms.
   • “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
   • “Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.“Customer Data” means personal data that OpenVPN processes on behalf of Customer via the Service, as more particularly described in this DPA.
   • “Data Protection Laws” means all data protection laws and regulations applicable to a party’s processing of Customer Data under the Agreement, including, where applicable, European Data Protection Laws and Non-European Data Protection Laws.
   • “European Data Protection Laws” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Laws”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”).
   • “Europe” means, for the purposes of this DPA, the European Economic Area and its member states (“EEA”), Switzerland and the United Kingdom (“UK”).
   • “Non-European Data Protection Laws” means the California Consumer Privacy Act (“CCPA”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); the Brazilian General Data Protection Law (“LGPD”), Federal Law no. 13,709/2018; and the Privacy Act 1988 of Australia, as amended (“Australian Privacy Law”).
   • “Principal Agreement” means the agreement pursuant to which OpenVPN provides the Service to the Customer, including OpenVPN Access Server End User License Agreement, 2 CloudConnexa End User License Agreement, and the OpenVPN Connect End User License Agreement.
   • “Service” means CloudConnexa, Access Server, OpenVPN Connect, or other computer software or service that OpenVPN provides to the Customer under the License Agreement.
   • “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by OpenVPN.
   • “Sensitive Data” means an individual’s (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) information concerning a person’s race, ethnicity, political or religious affiliation, trade union membership, sexual life or sexual orientation, or criminal record.
   • “Sub-Processor” means any processor engaged by OpenVPN or its Affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the License Agreement or this DPA. Sub-Processors may include third parties or Affiliates of OpenVPN but shall exclude OpenVPN employees, contractors, or consultants.The terms “personal data”, “controller”, “data subject”, “processor” and “processing” shall have the meaning given to them under applicable Data Protection Laws or if not defined thereunder, the GDPR, and “process”, “processes" and “processed”, with respect to any Customer Data, shall be interpreted accordingly.
2. Roles and Responsibilities
   • a. Parties’ Roles. If European Data Protection Laws apply to either party’s processing of Customer Data, the parties acknowledge and agree that with regard to the processing of Customer Data, OpenVPN is a processor acting on behalf of the Customer (whether itself a controller or a processor).
   • b. Purposes. OpenVPN will process Customer Data for the purposes described in Exhibit A and only in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law and to perform the Service, or as OpenVPN and Customer otherwise agreed in writing (“Permitted Purposes”). The License Agreement, including this DPA, along with the Customer’s configuration of or use of any settings, features, or options in the Service (as the Customer may be able to modify from time to time) constitute the Customer’s complete and final instructions to OpenVPN in relation to the processing of Customer, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
   • c. Prohibited Data. Unless Sensitive Information is listed in Exhibit A as being among the categories of Customer Data OpenVPN will process, Customer will not provide (or cause to be provided) any Sensitive Data to OpenVPN for processing or storage. OpenVPN will have no obligations with respect to any Sensitive Data or liability for any access or destruction of 3 any Sensitive Data, whether in connection with a Security Incident or otherwise, that Customer provides or makes available to OpenVPN in violation of this Section 2c.
   • d. Customer Compliance. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Data and any processing instructions it issues to OpenVPN; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for OpenVPN to process Customer Data for the purposes described in the License Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data.e. Lawfulness of Customer’s Instructions. Customer will ensure that OpenVPN’s processing of the Customer Data in accordance with Customer’s instructions will not cause OpenVPN to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. OpenVPN shall promptly notify Customer in writing, unless prohibited from doing so under applicable law, if it becomes aware or believes that any data processing instruction from Customer violates European Data Protection Laws. Customer shall serve as the sole point of contact for OpenVPN and OpenVPN need not interact directly with (including to provide notifications to or seek authorization from) any third-party controller other than through regular provision of the Service to the extent required under the License Agreement. Customer shall be responsible for forwarding any notifications received under this DPA to the relevant controller, where appropriate.
3. Sub-Processing
   • a. Authorized Sub-Processors. Customer agrees that OpenVPN may engage Sub-Processors to process Customer Data on Customer’s behalf. OpenVPN shall notify Customer if it adds or removes Sub-Processors at least 10 days prior to any such changes if Customer opts in to receive such notifications.
   • b. Sub-Processor Obligations. OpenVPN shall: (i) enter into a written agreement with each Sub-Processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-Processor; and (ii) remain responsible for such SubProcessor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause OpenVPN to breach any of its obligations under this DPA. Customer acknowledges and agrees that OpenVPN may be prevented from disclosing Sub-Processor agreements to Customer due to confidentiality restrictions but OpenVPN shall, upon request, use reasonable efforts to provide Customer with all relevant information it reasonably can in connection with Sub-Processor agreements.
4. Security and Confidentiality
   • a. Security Measures. OpenVPN shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Data from Security 4 Incidents and designed to preserve the security and confidentiality of Customer Data in accordance with OpenVPN’s security standards, which shall be no less stringent than those that are generally applied in the industry in the United States (“Security Measures”).
   • b. Confidentiality of Processing. OpenVPN shall ensure that any person who is authorized by OpenVPN to process Customer Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
   • c. Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that OpenVPN may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer. Customer is responsible for reviewing the information made available by OpenVPN relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws.
   • d. Security Incident Response. Upon becoming aware of a Security Incident, OpenVPN shall: (i) notify Customer without undue delay, and where feasible, in any event no later than forty-eight (48) hours from becoming aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Security Incident. OpenVPN’s notification of or response to a Security Incident under this Section 4d shall not be construed as an acknowledgment by OpenVPN of any fault or liability with respect to the Security Incident.
   • e. Customer Responsibilities. Notwithstanding the above, Customer agrees that it, and not OpenVPN, is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data that is uploaded to the Service.
   • f. Government Audit. If a government regulatory authority requires an audit of the data processing facilities of OpenVPN in order to ascertain or monitor Customer's compliance with Data Protection Laws, OpenVPN will cooperate with such audit. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time OpenVPN expends for any such audit, in addition to the rates for services performed by OpenVPN.
5. Provisions for Specific Customers and Data.
   • a. Data Center Locations. Customer acknowledges that OpenVPN may transfer and process Customer Data to and in the United States and anywhere else in the world where OpenVPN, its Affiliates or its Sub-Processors maintain data processing operations provided that such transfer is in accordance with applicable law. OpenVPN shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.
   • b. Provisions Applicable to Certain Jurisdictions.
     • i) If OpenVPN is a recipient of Customer Data protected by the Australian Privacy Law, the parties acknowledge and agree that OpenVPN may transfer such Customer Data outside of Australia as permitted by the terms agreed upon by the parties and subject to OpenVPN complying with this DPA and the Australian Privacy Law.
     • ii) To the extent that OpenVPN receives Customer Data from the states and countries listed in Exhibit C, the provisions of Exhibit C will apply to OpenVPN’s obligations under this Agreement with respect to that Customer Data.
     • iii) If OpenVPN receives Customer Data from Brazil, the Customer agrees that OpenVPN may process that data outside of Brazil, and represents and warrants that such transfer of Customer Data is in compliance with LGPD.
   • c. International Transfers from Designated Countries. The parties obligations with respect to Customer Data that originates in the European Area will be governed by the following Addenda to this DPA. To the extent that there is any conflict between the provisions of this DPA and any Addendum that is applicable to the Customer Data from that country or region so designated, that Addendum will control.
     • i) For Customer Data that is transmitted from the EEA and is processed by OpenVPN outside of the EEA, the Data Processing Agreement Addendum, Module 2, (attached as Exhibit D) will govern.
     • ii) For Customer Data that is transmitted from the UK and is processed by OpenVPN outside of the UK, the United Kingdom Data Processing Agreement Addendum (attached as Exhibit E) will govern.
     • iii) For Customer Data that is transmitted from Switzerland and is processed by OpenVPN outside of Switzerland, the Data Processing Agreement Addendum under Switzerland Data Protection (attached as Exhibit F) will govern.
   • d. HIPAA Data. If OpenVPN has entered into an agreement with Customer pursuant to which it processes Customer Data that is subject to the Health Insurance Portability and Accountability Act of 1996 and the regulations of the Department of Health and Human Services promulgated thereunder, that agreement will govern all rights and obligations of OpenVPN and the Customer with respect to that data.
6. Return or Deletion of Data
   • a. Deletion or Return on Termination. Upon termination or expiration of the Agreement, OpenVPN shall (at Customer’s election) delete or return to Customer all Customer Data (including copies) in its possession or control, except that this requirement shall not apply to the extent OpenVPN is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data OpenVPN shall securely isolate, protect from any further processing and eventually delete in accordance with OpenVPN’s deletion policies, except to the extent required by applicable law.
   • b. Return or Removal of Customer Data. OpenVPN will promptly delete Customer Data pursuant to an instruction from Customer, whether pursuant to a written request from the data subject or otherwise, provided that such request was in accordance with applicable law. Promptly following Customer’s request OpenVPN will provide Customer with evidence of the deletion of that Customer Data.
7. Data Subject Rights and Cooperation
   • a. Data Protection Impact Assessment. To the extent required under applicable Data Protection Laws, OpenVPN shall (considering the nature of the processing and the information available to OpenVPN) provide all reasonably requested information regarding the Service to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws. OpenVPN shall comply with the foregoing by: (i) complying with Section 4; (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing clauses (i) and (ii) are insufficient for Customer to comply with such obligations, providing additional reasonable assistance (at Customer’s expense) upon Customer’s request.
8. Limitation of Liability
   • a. Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the License Agreement.
   • b. Any claims made against OpenVPN or its Affiliates under or in connection with this DPA shall be brought solely by the Customer.
   • c. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
9. Relationship with the License Agreement
   • a. This DPA shall remain in effect for as long as OpenVPN carries out Customer Data processing operations on behalf of Customer or until termination of the Agreement (and all Customer Data has been returned or deleted in accordance with Section 6.a.
   • b. The parties agree that this DPA replaces in its entirety any existing data processing agreement or similar document into which the parties may have previously entered into in connection with the Service.
   • c. In the event of any conflict or inconsistency between this DPA and the License Agreement with respect to Customer Data, the provisions of this DPA will prevail.
   • d. Except for any changes made by this DPA, the License Agreement remains unchanged and in full force and effect.
   • e. No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
   • f. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the License Agreement, unless required otherwise by applicable Data Protection Laws.g. This DPA may only be amended by means of a writing signed by OpenVPN and Customer; however, if, in the good faith judgment of OpenVPN, any provision of this DPA is required to be amended to comply with a Data Processing Law applicable to the Customer Data, OpenVPN may amend effect such amendment by delivering notice of that amendment to Customer. Such amendment will enter into effect thirty (30) days after notice of that amendment is provided to Customer unless OpenVPN determines in good faith that the amendment is required to enter into effect earlier to comply with that Data Processing Law, in which case that amendment will enter into effect immediately upon OpenVPN providing notice of the same to Customer.

EXHIBIT A – DETAILS OF DATA PROCESSING

(a) Categories of Data Subjects:
Individual customers of OpenVPN

(b) Categories of Personal Data:
Customer may upload, submit, or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:
For OpenVPN’s Access Server and CloudConnexa Solution: Data Importer may process certain information about how a User uses the Subscriber Websites or Apps, including a User’s Internet Protocol (IP) address and other user engagement and interaction metrics and other statistics. For subscriber processing, Data Importer may process name, email address, usernames, passwords and other login credentials as necessary to manage the user’s account.

(c) Sensitive Data Processed (if applicable):
No sensitive data is processed by OpenVPN

(d) Frequency of Processing:
OpenVPN shall process Personal Data in its provision of Services on a continuous basis pursuant to the terms of the Agreement.

(e) Subject Matter and Nature of the Processing:
Storage and other processing necessary to provide, maintain, and improve the Service provided to Customer pursuant to the License Agreement.

(f) Purpose of the Processing:
OpenVPN shall process Customer Data for the Permitted Purposes, which shall include: (i) processing as necessary to provide the Service in accordance with the License Agreement; (ii) processing initiated by Customer in its use of the Service; and (iii) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the License Agreement.

(g) Duration of Processing and Period for which Personal Data will be retained:
OpenVPN will process Customer Data as outlined in Section 7 (Return or Deletion of Data) of this DPA.

EXHIBIT B – SECURITY MEASURES

The Security Measures applicable to the Service are described here (as updated from time to time in accordance with Section 4.c of this DPA).

MFA is required to access stored data. Access is limited based on least privilege and limited to a small number of importer employees who require access. All data transfer is performed over encrypted connections. Only minimum necessary data is collected. Information Security program is overseen by certified individual (CISSP, CISM, GPEN, GXPN.)

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

Sub-processors that are certified in PCI-DSS are used to process credit card transactions. Required transaction information is transferred to importer over encrypted connections.

EXHIBIT C - JURISDICTION-SPECIFIC TERMS

Europe:
Objection to Sub-Processors. Customer may object in writing to OpenVPN’s appointment of a new Sub-Processor within five (5) calendar days of receiving notice in accordance with Section 3.a of the DPA, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, OpenVPN will, at its sole discretion, either not appoint such Sub-Processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

Government data access requests. As a matter of general practice, OpenVPN does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about OpenVPN accounts (including Customer Data). If OpenVPN receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about a OpenVPN account (including Customer Data) belonging to a data subject whose primary contact information indicates that the data subject is located in Europe, OpenVPN shall: (i) review the legality of the request; (ii) inform the government agency that OpenVPN is a processor of the data; (iii) attempt to redirect the agency to request the data directly from Customer; (iv) notify Customer via email sent to Customer’s primary contact email address of the request to allow Customer to seek a protective order or other appropriate remedy; and (v) provide the minimum amount of information permissible when responding to the agency or authority based on a reasonable interpretation of the request. As part of this effort, OpenVPN may provide the data subject’s primary and billing contact information to the agency. OpenVPN shall not be required to comply with this paragraph if it is legally prohibited from doing so, or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, the OpenVPN website, OpenVPN’s computer network and other assets, or to the Service.

California:
Except as described otherwise, the definitions of: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under the CCPA.

For this “California” section of Exhibit C only, “Permitted Purposes” shall include processing Customer Data only for the purposes described in this DPA and in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, as otherwise agreed in writing, including, without limitation, in the Agreement, or as otherwise may be permitted for “service providers” under the CCPA.

OpenVPN’s obligations regarding data subject requests, as described in Section 7 of this DPA, extend to rights requests under the CCPA. Notwithstanding any use restriction contained elsewhere in this DPA, OpenVPN shall process Customer Data to perform the Service, for the Permitted Purposes and/or in accordance with Customer’s documented lawful instructions, or as otherwise permitted or required by applicable law.

Notwithstanding any use restriction contained elsewhere in this Exhibit C, OpenVPN may de-identify or aggregate Customer Data as part of performing the Service specified in this DPA and the Agreement.

Where Sub-Processors process the Personal Information of Customer contacts, OpenVPN takes steps to ensure that such Sub-Processors are Service Providers under the CCPA with whom OpenVPN has entered into a written contract that includes terms substantially similar to this “California” section of Exhibit or are otherwise exempt from the CCPA’s definition of “sale”. OpenVPN conducts appropriate due diligence on its Sub-Processors.

Canada:
OpenVPN takes steps to ensure that OpenVPN’s Sub-Processors are third parties under PIPEDA, with whom OpenVPN has entered into a written contract that includes terms substantially similar to this DPA. OpenVPN conducts appropriate due diligence on its SubProcessors.

OpenVPN will implement technical measures set forth in Section 4 of the DPA.

Addendums for EEU, UK, and Switzerland available upon request

Rev. 9.19.2022

OpenVPN has incorporated the new Standard Contractual Clauses (SCCs) that the European Commission published on June 4, 2021 to address data transfers originating from the European Economic Area (EEA).

When OpenVPN is the processor (Importer) of Personal Data transferred from the EEA on behalf of a Controller (Exporter) the SCC clauses apply.

The Swiss Addendum provides the necessary amendments and adaptations to the SCCs for customer data transfers in compliance with Swiss data protection law.

When OpenVPN is the processor (Importer) of Personal Data transferred from the UK on behalf of a Controller (Exporter) the UK DPA Addendum applies.

OpenVPN safeguards the electronic protected health information (ePHI) it creates, receives, maintains, or transmits on behalf of customers that function as business associates of Covered Entities under HIPAA compliance.