Inquiry Regarding Liability for Data Breaches

Hi,

Hope you’re doing well.

We are currently considering subscribing to Auth0’s Professional or Enterprise plan.

As part of our evaluation, we are discussing how liability for damages and compensation would be handled in the event of a third-party attack, such as ransomware.

For example, if we use Auth0 for authentication in our application and store end-user personal information (e.g., name, email address) in Auth0 Users, who would be responsible in the event of an attack on Auth0’s systems that compromises this data? Would Auth0 be liable, or would the responsibility fall on us as the customer?

This is a critical factor in our decision-making process, so we would appreciate your clarification on this matter.

Hi @segiryamya and welcome back to the Auth0 Community!

Here is the section regarding Liability from our Terms of Service:

IX. Limitation of Liability

IN NO EVENT SHALL OKTA BE LIABLE FOR ANY LOSSES OR DAMAGES WHATSOEVER, INCLUDING BUT NOT LIMITED TO DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR DAMAGES BASED ON LOST PROFITS, DATA OR USE, HOWEVER CAUSED AND, WHETHER IN AN ACTION IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY (INCLUDING NEGLIGENCE), ARISING FROM YOUR ACCESS TO, OR USE OF, THE SITE OR ANY CONTENT, MATERIALS, OR INFORMATION MADE AVAILABLE ON OR THROUGH THE SITE, WHETHER OR NOT YOU HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

You can find the whole document by scrolling to the bottom of the page on https://auth0.com/ and clicking on Terms or clicking here.

I hope this answers your question!
Teodor.

@teodor.andrei

Thank you for your reply.

I understand your point regarding responsibility, but one thing concerns me.

In the [https://www.okta.com/content/dam/okta---digital/en_us/legal/data-processing-addendum-en-jp-updated.pdf/], under the “17. Liability” part, it states, "Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Okta, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together."

I had interpreted this to mean that if the information I mentioned in my previous question were to be leaked, the responsibility would be shared. Is this understanding incorrect?

Hi again @segiryamya!

As a Community Engineer, I cannot provide legal advice or a binding interpretation of this contract; all I can do is provide you with resources. Perhaps the Sales team can give you an answer for what the wording in that contract means. Here is a link for you to contact them.

Have a great day!
Teodor.