Product Specific Terms
Effective starting: December 12, 2025 (unless otherwise indicated below)
The following Product-Specific Terms apply to the SailPoint Offerings specified below and hereby supplement the SailPoint Customer Agreement or other agreement entered between Customer and SailPoint (the “Agreement”) for Customer’s use of the SailPoint Offerings. Capitalized terms used and not defined in the Product-Specific Terms have the meanings given to them in the Agreement.
| SailPoint Offering | Product Specific Terms |
|---|---|
| AI and SaaS Services Terms | |
| FedRAMP authorized SailPoint Identity Security Cloud | |
AI Terms
1. Definitions. For the purposes of these AI Terms, the following definitions apply:
“AI Features” means any features or functionalities within the SaaS Services that utilize artificial intelligence and/or machine learning data models. AI Features that leverage generative artificial intelligence to create new content based on Customer Data are “Generative AI Features.”
“Input” is text or other content that Customer inputs to Generative AI Features.
“Output” is Customer-specific suggestions, results, or other output generated and returned by any AI Features.
2. Permitted Use. Customer may use the AI Features solely for Customer’s internal business purposes in accordance with the Agreement and these AI Terms.
3. Customer Responsibilities. As between Customer and SailPoint, Customer is responsible for ensuring that Users are made aware of best practices for using AI Features and Output, and use the AI Features, Input and Output in compliance with all applicable laws, regulations, government order or decree, and guidelines, including, without limitation, laws relating to bias, discrimination, fairness, and privacy (collectively, “AI laws”). Without limiting the foregoing and as between the parties, Customer is solely responsible for ensuring that all notifications, consents, or other required information for Input to be lawfully made and transmitted to SailPoint are provided and collected in accordance with AI laws and that Customer’s use of any Output is in compliance with and does not cause Customer to violate any AI laws.
4. Shared Model(s). Customer Data shall not be included in the training data set for any algorithm underlying the AI Features that will be deployed outside of Customer’s tenant (“Shared Models”) unless Customer takes an action to opt-in to the use of such Shared Model(s); Customer acknowledges and agrees that certain capabilities of the SailPoint Offerings relating to or impacted by Shared Models may not be available to Customer without accepting the use of Customer Data for such purposes. Customer agrees and acknowledges that if such capabilities are affected by Customer not opting in for such data usage, Customer will not receive a refund of any pre-paid fees relating to the affected services or reduction of future fees.
5. Acceptable Use. Customer agrees to not use any AI Features in a manner that violates the Anthropic Acceptable Use Policy. Customer must not use (or facilitate any other person to use) the AI Features: (1) for any use prohibited by AI laws or for any high-risk purpose or for any purpose that may cause the AI Feature to be deemed “high-risk” (including, without limitation, within the meaning of Regulation EU 2024/1689 (“EU AI Act”)); (2) to generate content that expresses or promotes hate, harassment, or violence, exploits or harms any individual, encourages self-harm, presents illegal, sexual, political, harmful, false, deceiving or misleading information, misuses personal data, or contains malware, unsolicited bulk content, ransomware, or viruses; or (3) in a way that infringes, misappropriates, or violates any third-party rights. Customer shall not put its name or trademark on any AI Feature or make any substantial modification to any AI Feature (including, without limitation, any change that materially alters the intended purpose, design, or performance thereof).
6. Intellectual Property and Ownership. As between SailPoint and Customer, Customer shall own any Input and Output, except to the extent such Output is based on any SailPoint confidential information or other SailPoint data or materials, such as Documentation. Due to the nature of machine learning, Output may not be unique across users, and the AI Features may generate the same or similar Output for other parties. For example, multiple SailPoint customer(s) may ask similar questions and receive the same or similar responses from the AI Features. Such responses are not Customer-specific and therefore not considered Output owned by the Customer. For clarity, Product Analytics (as defined below) and any feedback or suggestions that Customer provides to SailPoint in connection with use of the SailPoint Offerings (including in-app feedback, bug fixes and features requests) do not constitute Input.
7. No High-Risk Use. AI Features are not intended for use in, or in association with, the operation of any hazardous environments or critical systems that may lead to serious bodily injury or death or cause environmental or property damage. AI Features may be used in connection with supporting healthcare services but are not medical devices and are not intended to be used by themselves for any clinical decision-making or other clinical use. Customer is responsible for liability that may arise in connection with any such uses. Customer shall cooperate with and inform SailPoint of any incident arising from Customer’s use of any AI Feature or request from a supervisory authority addressed to the Customer concerning any AI Feature. Customer shall reasonably cooperate with SailPoint including by allowing SailPoint to systematically collect, document and analyze relevant data to allow SailPoint to meet its obligations under AI laws (including the EU AI Act), if any.
8. Disclaimers. CUSTOMER ACKNOWLEDGES THAT THE AI FEATURES RELY ON TECHNOLOGIES THAT ARE INHERENTLY PROBABILISTIC IN NATURE, AND AS SUCH, OUTPUT MAY NOT BE ENTIRELY ACCURATE, PRECISE, COMPREHENSIVE, OR FACTUAL. CUSTOMER’S USE OF THE OUTPUT IS AT ITS SOLE RISK. CUSTOMER SHOULD NOT RELY ON OUTPUT AS THE SOLE SOURCE OF TRUTH OR FACTUAL INFORMATION, AND SHALL EVALUATE OUTPUT FOR ACCURACY, FAIRNESS, AND APPROPRIATENESS FOR CUSTOMER’S PURPOSE AT ALL TIMES.
9. General. SailPoint may modify these AI Terms from time to time by posting a revised version on our website. Customer's continued use of the AI Features after the effective date of the revised AI Terms constitutes Customer’s acceptance of the revised terms.
B. SaaS Data Retention & Deletion. The Documentation sets forth data retention and availability commitments with respect to certain types of data. Where not specified elsewhere in the Documentation, during the Customer’s term for the SaaS Services, log data, reports, and similar historical data produced by the SaaS Services may be deleted in accordance with SailPoint’s standard data archival and deletion cycle. Customer may contact their Customer Success Manager for any further details on such retention.
C. SaaS Data Usage. From time to time, SailPoint may use Customer Data or other aspects of Customer’s use of the SailPoint Offerings to generate patterns, statistics, and similar metadata that does not identify Customer or any of Customer’s Users (“Product Analytics”). Product Analytics are owned by SailPoint and, for purposes of the AI Terms, the term “Customer Data” does not include Product Analytics.
FedRAMP authorized SailPoint Identity Security Cloud
1. Interpretation.
1.1 Terms. All defined terms herein have the meaning set forth in. Capitalised terms used in this FedRAMP Addendum that are not defined herein shall have the meaning ascribed to them elsewhere in the Agreement or applicable U.S. Federal law or Guidelines under the Federal Risk and Authorization Management Program (“FedRAMP”), unless otherwise specified. The “Agreement” is the SailPoint Software as a Service or Software license Framework Customer Agreement between SailPoint and Customer.
1.2 Incorporation. The terms and conditions set forth in this FedRAMP Addendum are hereby incorporated into and made an integral part of the Agreement, as if fully set forth therein, solely with respect to Customer’s use of SailPoint FedRAMP Offerings that are hosted in SailPoint’s environment pursuant to FedRAMP and shall be construed together with the terms of the Agreement. Except for the changes made by this FedRAMP Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this FedRAMP Addendum and the Agreement, this FedRAMP Addendum shall prevail solely with respect to SailPoint FedRAMP Offerings.
2. FedRAMP Compliance and Framework. SailPoint FedRAMP Offerings must comply with FedRAMP control guidelines and are monitored and regulated by the Federal Government. They are subject to modification or update by FedRAMP authorities and applicable Federal Agencies. If there is an inconsistency between the Agreement, the FedRAMP Addendum, or applicable Federal Authorities, the Federal Authority controls to the extent applicable to the matter.
For purposes of this Addendum, Federal Authority is defined as any U.S. Federal law, regulation, policy, requirement, or guideline that is applicable to the subject matter and the SailPoint FedRAMP Offering being purchased including Federal Agency specific authority.
FedRAMP deployment models are defined as the following in accordance with FedRAMP guidance. (1) Government Community Only: The cloud holds only government data. Customers can be federal, state, local, tribal, territorial, federally funded research centers (FFRDCs), contractors working on behalf of the government, or lab entities, (2) Public: Public cloud deployments support both government and non-government customers. This aligns with the traditional model of cloud computing services, (3) Private: Private cloud deployments intended for single organizations and implemented fully within federal facilities are not subject to the FedRAMP mandate and are the only exception to FedRAMP being mandatory for all federal agencies, (4) Hybrid: Combination of cloud infrastructures (private, community, or public).
3. Operations.
3.1 Hosting, Storage, and Support. To the extent required by FedRAMP to maintain authorization: (1) SailPoint FedRAMP Offerings shall be hosted within the United States. No Customer Data stored in SailPoint FedRAMP Offerings will be transferred outside of the United States; and (2) Support for the SailPoint FedRAMP Offerings will be provided by SailPoint’s support team located in the U.S., by personnel who are U.S. citizens.
3.2 Customer Data. Customer is prohibited from transferring and storing data in the SailPoint FedRAMP Offerings that is not in compliance with U.S. Federal law.
4. Security, Data Processing and Protection, Audits, Incident Reporting, and Continuous Monitoring. The certifications described in SailPoint’s data security program (“Security Addendum”) available at https://www.sailpoint.com/legal/customer-partner-agreements do not apply to SailPoint FedRAMP Offerings. SailPoint will maintain its SailPoint FedRAMP Offerings in compliance with the applicable impact controls required by the National Institute of Standards (NIST) Special Publication 800-53 (SP 800-53) and approved for use under the FedRAMP program, and in all cases, controls shall align with applicable FedRAMP guidelines and processes including data processing and protection, audits and security incident processes.
5. Customer Representations and Warranties. Customer represents and warrants that:
5.1 Customer is either a U.S. incorporated entity or an unincorporated U.S. entity having its principal place of business in the U.S.;
5.2 Customer acknowledges that SailPoint makes no representation or warranty related to the U.S. Persons status of any Customer or End User that may be granted access to the SailPoint FedRAMP Offering(s);
5.3 Customer is responsible to verify the adequacy of the SailPoint FedRAMP Offering(s) for the storing, processing or accessing of Customer Data and that its use of the SailPoint FedRAMP Offering(s) will comply with any applicable Federal Authority and any other laws and regulations that may govern Customer Data;
5.4 Customer acknowledges that SailPoint FedRAMP Offerings are hosted in the Amazon Web Services (“AWS”) GovCloud (U.S.) Region and the Snowflake SnowGov (U.S.) Region, and that SailPoint operates under a Government Only Community Model, resulting in Customer and Customer Data limitations. Customer is responsible for meeting applicable Customer eligibility requirements based on the SailPoint FedRAMP Offering(s) being purchased by Customer pursuant to FedRAMP deployment model guidance, including providing accurate and current SailPoint FedRAMP Customer verification information. Customer shall maintain management processes to review and ensure its compliance with applicable third-party information security standards in connection with Customer’s use of such SailPoint FedRAMP Offerings;
5.5 Customer will comply with any additional controls required by applicable law, including any U.S. person access requirements that apply to SailPoint FedRAMP Offerings;
5.6 Customer is not subject to U.S. export restrictions or sanctions;
5.7 Customer is not suspended or debarred from contracting with any U.S. government entity;
5.8 Customer’s use of SailPoint FedRAMP Offerings is compliant with applicable U.S. export control laws and regulations, including but not limited to the International Traffic in Arms Regulation; and
5.9 Customer will comply with all applicable security, usage, and data handling FedRAMP requirements, including properly configuring the service and maintaining the FedRAMP information boundary, managing own users and access permissions to prevent misuse, and not introducing data that exceeds the applicable security impact level or violates SailPoint’s deployment model. Customer will promptly report any actual or suspected unauthorized access, non-compliance, or security incidents affecting SailPoint’s FedRAMP-authorized environment.
6. Compliance. Customer is responsible for satisfying any applicable eligibility requirements for SailPoint FedRAMP Offerings and maintaining compliance. If requested by SailPoint, Customer will promptly provide SailPoint with documentation to verify the accuracy of the representations and warranties contained in Section 5 above. Non-compliance shall be deemed a material breach and SailPoint reserves the right to immediately terminate unauthorized use.
7. Data Processing Addendum (DPA). The DPA available at https://www.sailpoint.com/legal/customer-partner-agreements generally does not apply to SailPoint FedRAMP offerings. To the extent Customer is provisioning non-U.S. Government data that is not subject to U.S. privacy law exceptions, U.S. state privacy laws such as the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”), may apply to the extent permitted by law and that they are not inconsistent with FedRAMP guidelines and processes. In the event of changes to applicable laws, including U.S. state privacy laws, including but not limited to, the amendment, revision, or introduction of new laws, regulations, or other legally binding requirements to which either party is subject, the parties agree to revisit these terms, and negotiate any appropriate or necessary mutual updates applicable to SailPoint’s performance in good faith.
8. Applicable Websites. Any links to external websites are provided for convenience only. SailPoint does not control or endorse the content of third-party sites and does not guarantee their accuracy, completeness, or timeliness. Readers are responsible for independently verifying any information obtained from external sources.