1. Acceptance of Agreement.
“we”, “us” and “our” refer to OpenVPN Inc., a Delaware corporation.
“you” and “your” refer to each user of the OpenVPN site. If you are using the OpenVPN site on behalf of a legal entity, then (a) you, as an individual, warrant that you have authority to bind that entity to this agreement and (b) “you” and “your” also refer to that entity.
This agreement constitutes the entire and only agreement between us and you and supersedes all prior or contemporaneous agreements with respect to the subject matter of this agreement.
Our General Data Processing Agreement (“DPA”) forms an integral part of these Terms of Service and is incorporated herein.
The latest version of this agreement will be posted on the OpenVPN site.
Request a signed DPA by emailing email@example.com. Provide legal representative name and email address.
2. Terms Governing OpenVPN Software and Services
“Software and services agreements” means the terms and conditions set forth in, and in any agreements referenced by, the remainder of this section 2. In the event of a conflict between the software and services agreements and this agreement, the software and services agreements will govern.
3. OpenVPN Software Licenses
OpenVPN Inc. provides its OpenVPN software under licensing designed to meet the needs of any size business, enterprise, distributor, system integrator, or open-source project.
OpenVPN® Access Server Software
OpenVPN Access Server is the enterprise version of OpenVPN software. Access Server is a full-featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN connect UI, and OpenVPN client software packages that accommodate Windows, Mac, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/or private cloud network resources and applications with fine-grained access control. OpenVPN Access Server Enterprise Software licensing is governed by OpenVPN End User License Agreement ("EULA"). Before using OpenVPN Access Server Enterprise Software please review the End User License Agreement.
OpenVPN® Cloud Service
OpenVPN Cloud is a service offered by OpenVPN Inc. that provides a fully hosted VPN service that allows users access to all VPN capabilities without the need to host an actual server. All usage on OpenVPN Cloud is governed by the OpenVPN Cloud End User Agreement ("EULA"). Before using OpenVPN Cloud, please review this agreement — by accepting these terms of service you also accept the terms of the OpenVPN Cloud Agreement.
OpenVPN® Open-Source Community Software
• OpenVPN 2 open-source software license is governed by GNU General Public License version 2 (GPLv2).
• OpenVPN 3 open-source software license is governed by GNU Affero General Public License (AGPL).
Commercial Use and Compliance Disclaimer
Determining commercial or non-commercial use of OpenVPN® Community Open-Source Software depends on the specifics of the software project and the intentions of the user. Some use cases may be challenging to categorize as commercial or noncommercial. OpenVPN Inc. does not give legal advice. If there exists any doubt as to your use or intended use of our software, please consult a professional legal resource familiar with software licensing and the GPL (General Public License).
OpenVPN Inc. is the worldwide exclusive commercial licensor of OpenVPN Software.
4. OpenVPN Intellectual Property
We, or in certain instances our licensors, own all content and all intellectual property rights therein, including without limitation all copyrights. The copying, redistribution, use or publication by you of any content, except as allowed by section 4, below, is strictly prohibited.
OpenVPN® is a registered trademark of OpenVPN Inc.
5. Limited License: Conditions of Use
You are granted a non-exclusive, non-transferable, revocable license (a) to make non-commercial use of the OpenVPN site and content and (b) to print out, and to make non-commercial use of, portions of the OpenVPN site and content to the minimum extent required to exercise the rights set forth in clause (a), above. You may not make the OpenVPN site or the content, or any portion or any copy thereof, available to any third party. No part of the OpenVPN site or the content, or any copy thereof in any medium, may be used by you in any litigation or arbitration matter whatsoever under any circumstances.
6. Restrictions and Prohibitions on Use
To the extent that there is any conflict between clause (a), (b) or (c) in the preceding paragraph and any provision of a license agreement pertaining to any OpenVPN® software, the license agreement will govern.
7. Forms, Agreements & Documents
We may make available through the OpenVPN site or through third-party websites sample and actual forms, checklists, business documents and legal documents (collectively, “documents”). All documents are provided on a non-exclusive basis solely for your personal, one-time non-commercial use, without any right to re-license, sublicense, distribute, assign, or transfer such rights. Documents are provided for a charge and without any representations or warranties, express or implied, as to their suitability, legal effect, completeness, accuracy, and/or appropriateness. The documents are provided “as is”, “as available”, and with “all faults”, and we and any provider of the documents disclaim any warranties, including but not limited to the warranties of merchantability and fitness for a particular purpose. The documents may be inappropriate for your circumstances. Furthermore, state laws may require different or additional provisions to ensure the desired result. You should consult with legal counsel to determine the appropriate legal or business documents necessary for your transactions, as the documents are only samples and may not be applicable to a particular situation. Some documents are public domain forms or available from public records.
8. No Legal Advice or Attorney-Client Relationship
Information contained on or made available through the OpenVPN site is not intended to and does not constitute legal advice, recommendations, mediation or counseling under any circumstance and no attorney-client relationship is formed. We do not warrant or guarantee the accurateness, completeness, adequacy, or currency of the information contained in or linked to the OpenVPN site. Your use of information on the OpenVPN site or materials linked to the OpenVPN site is entirely at your own risk. We are not a law firm and the OpenVPN site is not a lawyer referral service.
9. Linking to the OpenVPN Website
You may provide links to the OpenVPN site, provided (a) that you do not remove or obscure, by framing or otherwise, advertisements, the copyright notice, or other notices on the OpenVPN site, (b) your OpenVPN site does not engage in illegal or pornographic activities, and (c) you discontinue providing links to the OpenVPN site immediately upon request by us.
The OpenVPN site may contain advertising and sponsorships. Advertisers and sponsors are responsible for ensuring that material submitted for inclusion on the OpenVPN site is accurate and complies with applicable laws. We are not responsible for the illegality or any error, inaccuracy or problem in the advertiser’s or sponsor’s materials.
12. Errors, Corrections, and Changes
We do not represent or warrant that the OpenVPN site will be error-free, free of viruses or other harmful components, or that defects will be corrected. We do not represent or warrant that the content will be correct, accurate, timely or otherwise reliable. We may make changes to the features, functionality, or content of the OpenVPN site at any time. We reserve the right in our sole discretion to edit or delete any content.
13. Third-Party Content
Third-party content may appear on the OpenVPN site or may be accessible via links from the OpenVPN site. We are not responsible for and assume no liability for any mistakes, misstatements of law, defamation, omissions, falsehood, obscenity, pornography or profanity in the statements, opinions, representations, or any other form of third-party content on the OpenVPN site or elsewhere. You understand that the information and opinions in the third-party content represent solely the thoughts of the author and is neither endorsed by nor does it necessarily reflect our beliefs or opinions.
14. Unlawful Activity
We reserve the right to investigate complaints or reported violations of this agreement and to take any action we deem appropriate, including but not limited to reporting any suspected unlawful activity to law enforcement officials, regulators, or other third parties and disclosing any information necessary or appropriate to such persons or entities relating to your profile, email addresses, usage history, posted materials, IP addresses and traffic information.
You agree to indemnify, defend, and hold us and our partners, agents, officers, directors, employees, subcontractors, successors, assigns, third party suppliers of information and documents, attorneys, advertisers, product and service providers, and affiliates (collectively, "Affiliated parties") harmless from any liability, loss, claim and expense, including reasonable attorney's fees, related to your violation of this agreement or use of the OpenVPN site.
OpenVPN may assign its rights and obligations hereunder to any person or entity that succeeds to all or substantially all of OpenVPN’s business or that aspect of OpenVPN’s business in which you are principally involved. You may not assign any rights and obligations under this agreement without the prior written consent of OpenVPN.
The OpenVPN site and content are provided "As-is," "As available," with “all faults”, and all warranties, express or implied, are disclaimed (including but not limited to the disclaimer of any implied warranties of merchantability and fitness for a particular purpose). The OpenVPN site and content may contain bugs, errors, problems, or other limitations. We and our affiliated parties have no liability whatsoever for your use of any information or service, except as provided in section 17(b). In particular, but not as a limitation thereof, we and our affiliated parties are not liable for any indirect, special, incidental or consequential damages (including damages for loss of business, loss of profits, litigation, or the like), whether based on breach of contract, breach of warranty, tort (including negligence), product liability or otherwise, even if advised of the possibility of such damages. The negation and limitation of damages set forth above are fundamental elements of the basis of the bargain between us and you. The OpenVPN site and content would not be provided without such limitations. No advice or information, whether oral or written, obtained by you from us through the OpenVPN site or any content or otherwise shall create any warranty, representation or guarantee not expressly stated in this agreement.
All responsibility or liability for any damages caused by viruses contained within the electronic file containing a form or document is disclaimed.
18. Limitation of Liability
(a) We and any affiliated party shall not be liable for any loss, injury, claim, liability, or damage of any kind resulting in any way from (i) any errors in or omissions from the OpenVPN site or any content, (ii) the unavailability or interruption of the OpenVPN site or any features thereof or any content, (iii) your use of the OpenVPN site or content, or (iv) any delay or failure in performance beyond our control.
(b) The aggregate liability of us and the affiliated parties in connection with any claim arising out of or relating to the OpenVPN site and/or the content shall not exceed $100 US dollars and that amount shall be in lieu of all other remedies which you may have against us and any affiliated party.
19. Use of Information
20. Third-Party Services
We may allow access to or advertise certain third-party product or service providers ("Merchants") from which you may purchase certain goods or services. You understand that we do not operate or control the products or services offered by merchants. Merchants are responsible for all aspects of order processing, fulfillment, billing, and customer service. We are not a party to the transactions entered into between you and merchants. You agree that use of or purchase from such merchants is at your sole risk and is without warranties of any kind by us, expressed, implied or otherwise including warranties of title, fitness for purpose, merchantability, or non-infringement. Under no circumstances are we liable for any damages arising from the transactions between you and merchants or for any information appearing on merchant OpenVPN sites or any other OpenVPN site linked to our OpenVPN site.
21. Third-Party Merchant Policies
All rules, policies (including privacy policies) and operating procedures of merchants will apply to you while on any merchant OpenVPN sites. We are not responsible for information provided by you to merchants. We and the merchants are independent contractors and neither party has authority to make any representations or commitments on behalf of the other.
You represent and warrant that if you are purchasing something from us or from merchants that (i) any credit information you supply is true and complete, (ii) charges incurred by you will be honored by your credit card company, and (iii) you will pay the charges incurred by you at the posted prices, including any applicable taxes.
24. Securities laws
The OpenVPN site may include statements concerning our operations, prospects, strategies, financial condition, future economic performance and demand for our products or services, as well as our intentions, plans and objectives (particularly with respect to product and service offerings), that are forward-looking statements. These statements are based upon several assumptions and estimates which are subject to significant uncertainties, many of which are beyond our control. When used on our OpenVPN site, words like "Anticipates," "Expects," "Believes," "Estimates," "Seeks," "Plans," "Intends," "Will" and similar expressions are intended to identify forward-looking statements designed to fall within securities law safe harbors for forward-looking statements. The OpenVPN site and the information contained herein does not constitute an offer or a solicitation of an offer for sale of any securities. None of the information contained herein is intended to be, and shall not be deemed to be, incorporated into any of our securities-related filings or documents.
25. Links to Other Web Sites
The OpenVPN site contains links to third-party websites. We are not responsible for the content, accuracy or opinions expressed in such websites, and such websites are not investigated, monitored, or checked for accuracy or completeness by us. Inclusion of any linked website on the OpenVPN site does not imply approval or endorsement of the linked website by us. If you decide to leave the OpenVPN site and access these third-party websites, you do so at your own risk.
26. Information and Press Releases
The OpenVPN site contains information and press releases about us. We disclaim any duty or obligation to update this information or any press releases. Information about companies other than ours contained in the press release or otherwise, should not be relied upon as being provided or endorsed by us.
27. Legal Compliance
You agree to comply with all applicable domestic and international laws, statutes, ordinances, and regulations regarding your use of the OpenVPN site and the content.
OpenVPN may use your name and logo in client listings. OpenVPN may issue a press release announcing the relationship contemplated hereby, subject to your approval which shall not be unreasonably withheld or delayed.
29. Refund and Return Policy
If you wish to cancel your subscription to an OpenVPN product for any reason, we will refund the purchase price you paid for the product if you make your refund request to us within 30 days of the date of purchase. We will not provide refunds for cancellations or returns of products on renewed subscriptions or for refunds requested more than 30 days after the date of purchase other than in cases where we determine that the product is defective, in which case we will refund the balance of the purchase price attributable to the remainder of the subscription. Refunds for Standard Non-Subscription License Key(s), also called Fixed License Key(s) or “fixed” license keys, will only be permitted if the license key(s) have not been activated on a server. Refund requests must be made to us in writing by email directed to firstname.lastname@example.org explaining the reason for the refund request and, in the case of any refund due to a defective product, a description of the defect. Refunds on products are subject to the condition that you return the product to us in substantially the same condition as you purchased it. We will promptly respond to refund requests and use commercially reasonable efforts to do so within 30 days of the date the request was made. Please note that certain products and services mentioned on our OpenVPN site are sold by third parties or are linked to third-party websites. We have no responsibility or liability for those products or services and you will need to obtain refunds for purchases of those products and services from the provider directly. You may obtain additional information concerning our refund and return policy, including our mailing address, by contacting us at email@example.com.
This agreement shall be treated as though it were executed and performed in San Francisco, California, and shall be governed by and construed in accordance with the laws of the state of California (without regard to conflict of law principles). Any cause of action by you with respect to the OpenVPN site (and/or any information, documents, products, or services related thereto) must be instituted within one (1) year after the cause of action arose or be forever waived and barred. All actions shall be subject to the limitations set forth in section 16 and section 17. The language in this agreement shall be interpreted as to its fair meaning and not strictly for or against any party. This agreement and all incorporated agreements and your information may be automatically assigned by us in our sole discretion to a third party in the event of an acquisition, sale, or merger. Should any part of this agreement be held invalid or unenforceable, that portion shall be construed consistent with applicable law and the remaining portions shall remain in full force and effect. To the extent that anything in or associated with the OpenVPN site is in conflict or inconsistent with this agreement, this agreement shall take precedence. Our failure to enforce any provision of this agreement shall not be deemed a waiver of such provision nor of the right to enforce such provision. Our rights under this agreement shall survive any termination of this agreement.
30.1. Consent to Electronic Communications
Any legal controversy or legal claim arising out of or relating to this agreement or our services, excluding legal action taken by us to collect or recover damages for, or obtain any injunction relating to, OpenVPN site operations, intellectual property, and our services, shall be settled solely by binding arbitration in accordance with the commercial arbitration rules of JAMS. Any such controversy or claim shall be arbitrated on an individual basis and shall not be consolidated in any arbitration with any claim or controversy of any other party. The arbitration shall be conducted in Pleasanton, California, and judgment on the arbitration award may be entered into any court having jurisdiction thereof. Either you or we may seek any interim or preliminary relief from a court of competent jurisdiction in Pleasanton, California necessary to protect the rights or property of you and us pending the completion of arbitration. Each party shall bear one-half of the arbitration fees and costs incurred.
32. OpenVPN Trademark, Copyrights, and Logo Use
How to use graphic logo versions of OpenVPN trademarks:
- Obtain approval prior to use from OpenVPN Inc.
- Include the registered trademark symbol ® in all uses of OpenVPN name.
The use of the OpenVPN name and logos are protected by USA trademark and Copyright Laws. Your business and product communications must include the appropriate copyright or trademark ® symbol and a disclaimer stating that OpenVPN is a registered trademark of OpenVPN Inc. Not doing so would confuse and lead consumers to infer an affiliation with OpenVPN and OpenVPN Inc. Exception: media writers and blogs, if simply referring to the OpenVPN trademarked name in a purely descriptive manner to support their opinions, do not have to include the copyright symbols within the text of the articles or postings.
Proper Use of Trademarks and Symbols:
© 2002-2023 OpenVPN Inc.
OpenVPN is a registered trademark of OpenVPN Inc.
The above required statement must always appear as complete sentences and must appear on the copyright page and the page of the material in which OpenVPN® is mentioned.
No OpenVPN trademark or logo may be used in a way that is likely to imply that the user, its products, or its services are endorsed by, sponsored, or affiliated with OpenVPN, without written permission from OpenVPN Inc.
OpenVPN Community Software Distribution and Copyrights
You must always comply with any version of the GNU General Public License applicable to any copyright or copyrightable work released by OpenVPN Inc.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain our copyright notice and the disclaimer as listed below.
- Redistributions in binary form must reproduce our copyright notice and disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name OpenVPN nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
Third Party Licensors
Some OpenVPN products may include technology components governed by the GPL license. You may only use these GPL components in accordance with the GPL license agreement.
Reservation of Rights
OpenVPN Inc. is the owner of all right, title, and interest in the OpenVPN brand and logos. No person or entity may reproduce or use (or authorize the reproduction or use of) the OpenVPN brands and logos in any manner other than expressly authorized by OpenVPN Inc. Unauthorized use of OpenVPN brands and logos is strictly prohibited.
OpenVPN Inc. may, at its sole discretion, modify the OpenVPN brands and logos at any time. To assure compliance and quality of control, OpenVPN Inc. may request that you provide samples of any marketing, advertising, or other material that includes the OpenVPN brands and logos.
These guidelines are not intended to serve as legal advice. Should you have questions regarding your legal rights or duties, please consult your own attorney. Should you have further questions regarding OpenVPN Inc. Trademark, Copyrights, and Logo Use Guidelines, please contact us at firstname.lastname@example.org
Subject line: Official OpenVPN Trademark Use Request
OpenVPN Inc. reserves the right to change this policy at any time, without notice.
Last Revised: May 4th, 2023
THIS GENERAL DATA PROCESSING AGREEMENT (“DPA”) is entered into by OpenVPN Inc., a Delaware corporation (“OpenVPN”) and the person or persons to whom OpenVPN has granted a license to use a service described below (the “Customer”) and sets forth the terms under which OpenVPN will process Customer Data in connection with that service.
All capitalized terms not defined in this DPA shall have the meanings set forth in the License Agreement. For the avoidance of doubt, all references to the “Agreement” shall include this DPA.
- Definition of Terms.
- “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
- “Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.
- “Customer Data” means personal data that OpenVPN processes on behalf of Customer via the Service, as more particularly described in this DPA.
- “Data Protection Laws” means all data protection laws and regulations applicable to a party’s processing of Customer Data under the Agreement, including, where applicable, European Data Protection Laws and Non-European Data Protection Laws.
- “European Data Protection Laws” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Laws”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”).
- “Europe” means, for the purposes of this DPA, the European Economic Area and its member states (“EEA”), Switzerland and the United Kingdom (“UK”).
- “Non-European Data Protection Laws” means the California Consumer Privacy Act (“CCPA”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); the Brazilian General Data Protection Law (“LGPD”), Federal Law no. 13,709/2018; and the Privacy Act 1988 of Australia, as amended (“Australian Privacy Law”).
- “Principal Agreement” means the agreement pursuant to which OpenVPN provides the Service to the Customer, including OpenVPN Access Server End User License Agreement, OpenVPN Cloud End User License Agreement, and the OpenVPN Connect End User License Agreement.
- “Service” means OpenVPN Cloud, Access Server, OpenVPN Connect, or other computer software or service that OpenVPN provides to the Customer under the License Agreement.
- “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by OpenVPN.
- “Sensitive Data” means an individual’s (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) information concerning a person’s race, ethnicity, political or religious affiliation, trade union membership, sexual life or sexual orientation, or criminal record.
- “Sub-Processor” means any processor engaged by OpenVPN or its Affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the License Agreement or this DPA. Sub-Processors may include third parties or Affiliates of OpenVPN but shall exclude OpenVPN employees, contractors, or consultants.
- The terms “personal data”, “controller”, “data subject”, “processor” and “processing” shall have the meaning given to them under applicable Data Protection Laws or if not defined thereunder, the GDPR, and “process”, “processes” and “processed”, with respect to any Customer Data, shall be interpreted accordingly.
- Roles and Responsibilities
- a. Parties’ Roles. If European Data Protection Laws apply to either party’s processing of Customer Data, the parties acknowledge and agree that with regard to the processing of Customer Data, OpenVPN is a processor acting on behalf of the Customer (whether itself a controller or a processor).
- b. Purposes. OpenVPN will process Customer Data for the purposes described in Exhibit A and only in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law and to perform the Service, or as OpenVPN and Customer otherwise agreed in writing (“Permitted Purposes”). The License Agreement, including this DPA, along with the Customer’s configuration of or use of any settings, features, or options in the Service (as the Customer may be able to modify from time to time) constitute the Customer’s complete and final instructions to OpenVPN in relation to the processing of Customer, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
- c. Prohibited Data. Unless Sensitive Information is listed in Exhibit A as being among the categories of Customer Data OpenVPN will process, Customer will not provide (or cause to be provided) any Sensitive Data to OpenVPN for processing or storage. OpenVPN will have no obligations with respect to any Sensitive Data or liability for any access or destruction of any Sensitive Data, whether in connection with a Security Incident or otherwise, that Customer provides or makes available to OpenVPN in violation of this Section 2c.
- d. Customer Compliance. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Data and any processing instructions it issues to OpenVPN; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for OpenVPN to process Customer Data for the purposes described in the License Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data.
- e. Lawfulness of Customer’s Instructions. Customer will ensure that OpenVPN’s processing of the Customer Data in accordance with Customer’s instructions will not cause OpenVPN to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. OpenVPN shall promptly notify Customer in writing, unless prohibited from doing so under applicable law, if it becomes aware or believes that any data processing instruction from Customer violates European Data Protection Laws. Customer shall serve as the sole point of contact for OpenVPN and OpenVPN need not interact directly with (including to provide notifications to or seek authorization from) any third-party controller other than through regular provision of the Service to the extent required under the License Agreement. Customer shall be responsible for forwarding any notifications received under this DPA to the relevant controller, where appropriate.
- a. Authorized Sub-Processors. Customer agrees that OpenVPN may engage Sub-Processors to process Customer Data on Customer’s behalf. OpenVPN shall notify Customer if it adds or removes Sub-Processors at least 10 days prior to any such changes if Customer opts in to receive such notifications.
- b. Sub-Processor Obligations. OpenVPN shall: (i) enter into a written agreement with each Sub-Processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-Processor; and (ii) remain responsible for such Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause OpenVPN to breach any of its obligations under this DPA. Customer acknowledges and agrees that OpenVPN may be prevented from disclosing Sub-Processor agreements to Customer due to confidentiality restrictions but OpenVPN shall, upon request, use reasonable efforts to provide Customer with all relevant information it reasonably can in connection with Sub-Processor agreements.
- Security and Confidentiality
- a. Security Measures. OpenVPN shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Data from Security Incidents and designed to preserve the security and confidentiality of Customer Data in accordance with OpenVPN’s security standards, which shall be no less stringent than those that are generally applied in the industry in the United States (“Security Measures”).
- b. Confidentiality of Processing. OpenVPN shall ensure that any person who is authorized by OpenVPN to process Customer Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
- c. Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that OpenVPN may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer. Customer is responsible for reviewing the information made available by OpenVPN relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws.
- d. Security Incident Response. Upon becoming aware of a Security Incident, OpenVPN shall: (i) notify Customer without undue delay, and where feasible, in any event no later than forty-eight (48) hours from becoming aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Security Incident. OpenVPN’s notification of or response to a Security Incident under this Section 4d shall not be construed as an acknowledgment by OpenVPN of any fault or liability with respect to the Security Incident.
- e. Customer Responsibilities. Notwithstanding the above, Customer agrees that it, and not OpenVPN, is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data that is uploaded to the Service.
- f. Government Audit. If a government regulatory authority requires an audit of the data processing facilities of OpenVPN in order to ascertain or monitor Customer's compliance with Data Protection Laws, OpenVPN will cooperate with such audit. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time OpenVPN expends for any such audit, in addition to the rates for services performed by OpenVPN.
- Provisions for Specific Customers and Data.
- a. Data Center Locations. Customer acknowledges that OpenVPN may transfer and process Customer Data to and in the United States and anywhere else in the world where OpenVPN, its Affiliates or its Sub-Processors maintain data processing operations provided that such transfer is in accordance with applicable law. OpenVPN shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.
- b. Provisions Applicable to Certain Jurisdictions.
- i) If OpenVPN is a recipient of Customer Data protected by the Australian Privacy Law, the parties acknowledge and agree that OpenVPN may transfer such Customer Data outside of Australia as permitted by the terms agreed upon by the parties and subject to OpenVPN complying with this DPA and the Australian Privacy Law.
- ii) To the extent that OpenVPN receives Customer Data from the states and countries listed in Exhibit C, the provisions of Exhibit C will apply to OpenVPN’s obligations under this Agreement with respect to that Customer Data.
- iii) If OpenVPN receives Customer Data from Brazil, the Customer agrees that OpenVPN may process that data outside of Brazil, and represents and warrants that such transfer of Customer Data is in compliance with LGPD.
- c. International Transfers from Designated Countries. The parties’ obligations with respect to Customer Data that originates in the European Area will be governed by the following Addenda to this DPA. To the extent that there is any conflict between the provisions of this DPA and any Addendum that is applicable to the Customer Data from that country or region so designated, that Addendum will control.
- i) For Customer Data that is transmitted from the EEA and is processed by OpenVPN outside of the EEA, the Data Processing Agreement Addendum, Module 2, (attached as Exhibit D) will govern.
- ii) For Customer Data that is transmitted from the UK and is processed by OpenVPN outside of the UK, the United Kingdom Data Processing Agreement Addendum (attached as Exhibit E) will govern.
- iii) For Customer Data that is transmitted from Switzerland and is processed by OpenVPN outside of Switzerland, the Data Processing Agreement Addendum under Switzerland Data Protection (attached as Exhibit F) will govern.
- d. HIPAA Data. If OpenVPN has entered into an agreement with Customer pursuant to which it processes Customer Data that is subject to the Health Insurance Portability and Accountability Act of 1996 and the regulations of the Department of Health and Human Services promulgated thereunder, that agreement will govern all rights and obligations of OpenVPN and the Customer with respect to that data.
- Return or Deletion of Data
- a. Deletion or Return on Termination. Upon termination or expiration of the Agreement, OpenVPN shall (at Customer’s election) delete or return to Customer all Customer Data (including copies) in its possession or control, except that this requirement shall not apply to the extent OpenVPN is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data OpenVPN shall securely isolate, protect from any further processing and eventually delete in accordance with OpenVPN’s deletion policies, except to the extent required by applicable law.
- b. Return or Removal of Customer Data. OpenVPN will promptly delete Customer Data pursuant to an instruction from Customer, whether pursuant to a written request from the data subject or otherwise, provided that such request was in accordance with applicable law. Promptly following Customer’s request OpenVPN will provide Customer with evidence of the deletion of that Customer Data.
- Data Subject Rights and Cooperation
- a. Data Protection Impact Assessment. To the extent required under applicable Data Protection Laws, OpenVPN shall (considering the nature of the processing and the information available to OpenVPN) provide all reasonably requested information regarding the Service to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws. OpenVPN shall comply with the foregoing by: (i) complying with Section 4; (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing clauses (i) and (ii) are insufficient for Customer to comply with such obligations, providing additional reasonable assistance (at Customer’s expense) upon Customer’s request.
- Limitation of Liability
- a. Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the License Agreement.
- b. Any claims made against OpenVPN or its Affiliates under or in connection with this DPA shall be brought solely by the Customer.
- c. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
- Relationship with the License Agreement
- a. This DPA shall remain in effect for as long as OpenVPN carries out Customer Data processing operations on behalf of Customer or until termination of the Agreement (and all Customer Data has been returned or deleted in accordance with Section 6.a).
- b. The parties agree that this DPA replaces in its entirety any existing data processing agreement or similar document into which the parties may have previously entered in connection with the Service.
- c. In the event of any conflict or inconsistency between this DPA and the License Agreement with respect to Customer Data, the provisions of this DPA will prevail.
- d. Except for any changes made by this DPA, the License Agreement remains unchanged and in full force and effect.
- e. No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
- f. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the License Agreement, unless required otherwise by applicable Data Protection Laws.
- g. This DPA may only be amended by means of a writing signed by OpenVPN and Customer; however, if, in the good faith judgment of OpenVPN, any provision of this DPA is required to be amended to comply with a Data Processing Law applicable to the Customer Data, OpenVPN may effect such amendment by delivering notice of that amendment to Customer. Such amendment will enter into effect thirty (30) days after notice of that amendment is provided to Customer unless OpenVPN determines in good faith that the amendment is required to enter into effect earlier to comply with that Data Processing Law, in which case that amendment will enter into effect immediately upon OpenVPN providing notice of the same to Customer.
EXHIBIT A – DETAILS OF DATA PROCESSING
(a) Categories of Data Subjects:
Individual customers of OpenVPN
(b) Categories of Personal Data:
Customer may upload, submit, or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:
For OpenVPN’s Access Server and OpenVPN Cloud Solution: Data Importer may process certain information about how a User uses the Subscriber Websites or Apps, including a User’s Internet Protocol (IP) address and other user engagement and interaction metrics and other statistics. For subscriber processing, Data Importer may process name, email address, usernames, passwords and other login credentials as necessary to manage the user’s account.
(c) Sensitive Data Processed (if applicable):
No sensitive data is processed by OpenVPN
(d) Frequency of Processing:
OpenVPN shall process Personal Data in its provision of Services on a continuous basis pursuant to the terms of the Agreement.
(e) Subject Matter and Nature of the Processing:
Storage and other processing necessary to provide, maintain, and improve the Service provided to Customer pursuant to the License Agreement.
(f) Purpose of the Processing:
OpenVPN shall process Customer Data for the Permitted Purposes, which shall include: (i) processing as necessary to provide the Service in accordance with the License Agreement; (ii) processing initiated by Customer in its use of the Service; and (iii) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the License Agreement.
(g) Duration of Processing and Period for which Personal Data will be retained:
OpenVPN will process Customer Data as outlined in Section 7 (Return or Deletion of Data) of this DPA.
EXHIBIT B – SECURITY MEASURES
The Security Measures applicable to the Service are described here (as updated from time to time in accordance with Section 4.c of this DPA).
MFA is required to access stored data. Access is limited based on least privilege and limited to a small number of importer employees who require access. All data transfer is performed over encrypted connections. Only minimum necessary data is collected. The Information Security program is overseen by a certified individual (CISSP, CISM, GPEN, GXPN).
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
Sub-processors that are certified in PCI-DSS are used to process credit card transactions. Required transaction information is transferred to importer over encrypted connections.
EXHIBIT C - JURISDICTION-SPECIFIC TERMS
Objection to Sub-Processors. Customer may object in writing to OpenVPN’s appointment of a new Sub-Processor within five (5) calendar days of receiving notice in accordance with Section 3.a of the DPA, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, OpenVPN will, at its sole discretion, either not appoint such Sub-Processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
Government data access requests. As a matter of general practice, OpenVPN does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about OpenVPN accounts (including Customer Data). If OpenVPN receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about an OpenVPN account (including Customer Data) belonging to a data subject whose primary contact information indicates that the data subject is located in Europe, OpenVPN shall: (i) review the legality of the request; (ii) inform the government agency that OpenVPN is a processor of the data; (iii) attempt to redirect the agency to request the data directly from Customer; (iv) notify Customer via email sent to Customer’s primary contact email address of the request to allow Customer to seek a protective order or other appropriate remedy; and (v) provide the minimum amount of information permissible when responding to the agency or authority based on a reasonable interpretation of the request. As part of this effort, OpenVPN may provide the data subject’s primary and billing contact information to the agency. OpenVPN shall not be required to comply with this paragraph if it is legally prohibited from doing so, or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, the OpenVPN website, OpenVPN’s computer network and other assets, or to the Service.
Except as described otherwise, the definitions of: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under the CCPA.
For this “California” section of Exhibit C only, “Permitted Purposes” shall include processing Customer Data only for the purposes described in this DPA and in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, as otherwise agreed in writing, including, without limitation, in the Agreement, or as otherwise may be permitted for “service providers” under the CCPA.
OpenVPN’s obligations regarding data subject requests, as described in Section 7 of this DPA, extend to rights requests under the CCPA. Notwithstanding any use restriction contained elsewhere in this DPA, OpenVPN shall process Customer Data to perform the Service, for the Permitted Purposes and/or in accordance with Customer’s documented lawful instructions, or as otherwise permitted or required by applicable law.
Notwithstanding any use restriction contained elsewhere in this Exhibit C, OpenVPN may de-identify or aggregate Customer Data as part of performing the Service specified in this DPA and the Agreement.
Where Sub-Processors process the Personal Information of Customer contacts, OpenVPN takes steps to ensure that such Sub-Processors are Service Providers under the CCPA with whom OpenVPN has entered into a written contract that includes terms substantially similar to this “California” section of Exhibit or are otherwise exempt from the CCPA’s definition of “sale”. OpenVPN conducts appropriate due diligence on its Sub-Processors.
OpenVPN takes steps to ensure that OpenVPN’s Sub-Processors are third parties under PIPEDA, with whom OpenVPN has entered into a written contract that includes terms substantially similar to this DPA. OpenVPN conducts appropriate due diligence on its Sub-Processors.
OpenVPN will implement technical measures set forth in Section 4 of the DPA.
Addendums for EEU, UK, and Switzerland available upon request
OpenVPN has incorporated the new Standard Contractual Clauses (SCCs) that the European Commission published on June 4, 2021 to address data transfers originating from the European Economic Area (EEA).
When OpenVPN is the processor (Importer) of Personal Data transferred from the EEA on behalf of a Controller (Exporter) the SCC clauses apply.
The Swiss Addendum provides the necessary amendments and adaptations to the SCCs for customer data transfers in compliance with Swiss data protection law.
When OpenVPN is the processor (Importer) of Personal Data transferred from the UK on behalf of a Controller (Exporter) the UK DPA Addendum applies.
OpenVPN safeguards the electronic protected health information (ePHI) it creates, receives, maintains, or transmits on behalf of customers that function as business associates of Covered Entities under HIPAA compliance.