Product Specific Terms
Effective starting: December 12, 2025 (unless otherwise indicated below)
The following Product-Specific Terms apply to the SailPoint Offerings specified below and hereby supplement the SailPoint Customer Agreement or other agreement entered between Customer and SailPoint (the “Agreement”) for Customer’s use of the SailPoint Offerings. Capitalized terms used and not defined in the Product-Specific Terms have the meanings given to them in the Agreement.
| SailPoint Offering | Product Specific Terms |
|---|---|
| FedRAMP authorized SailPoint Identity Security Cloud | |
FedRAMP authorized SailPoint Identity Security Cloud
1. Terms. Capitalized terms used in these FedRAMP authorized SailPoint Identity Security Cloud (“FedRAMP ISC”) terms that are not defined herein or in the Agreement shall have the meaning ascribed to them elsewhere in the applicable U.S. Federal law or Guidelines under the Federal Risk and Authorization Management Program (“FedRAMP”), unless otherwise specified.
2. FedRAMP Compliance and Framework. FedRAMP ISC must comply with FedRAMP control guidelines and is monitored and regulated by the Federal Government. FedRAMP ISC is subject to modification or update by FedRAMP authorities and applicable Federal Agencies. If there is an inconsistency between the Agreement, these FedRAMP or applicable Federal Authorities, the Federal Authority controls to the extent applicable to the matter. Federal Authority is defined as any U.S. Federal law, regulation, policy, requirement, or guideline that is applicable to the subject matter and FedRAMP ISC being purchased including Federal Agency specific authority.
3. Operations.
3.1 Hosting, Storage, and Support. To the extent required by FedRAMP to maintain authorization: (1) FedRAMP ISC shall be hosted within the United States. No data stored in FedRAMP ISC will be transferred outside of the United States; and (2) Support for FedRAMP ISC will be provided by SailPoint’s support team located in the U.S., by personnel who are U.S. citizens.
3.2 Customer Data. Customer is prohibited from transferring and storing data in FedRAMP ISC that is not in compliance with U.S. Federal law and is required for services provided to the Federal Government.
4. Security, Data Processing and Protection, Audits, Incident Reporting, and Continuous Monitoring. The certifications described in SailPoint’s data security program (“Security Addendum”) available at https://www.sailpoint.com/legal/customer-partner-agreements do not apply to SailPoint FedRAMP Offerings. SailPoint will maintain FedRAMP ISC in compliance with the applicable impact controls required by the National Institute of Standards (NIST) Special Publication 800-53 (SP 800-53) and approved for use under the FedRAMP program, and in all cases, controls shall align with applicable FedRAMP guidelines and processes including data processing and protection, audits and security incident processes.
5. Customer Representations and Warranties. Customer represents and warrants that:
5.1 Customer is either a United States incorporated entity or an unincorporated United States entity having its principal place of business in the United States;
5.2 Customer acknowledges that it meets applicable eligibility requirements based on FedRAMP ISC being purchased by Customer. Customer shall maintain management processes to review and ensure its compliance with applicable third-party information security standards in connection with Customer’s use of FedRAMP ISC;
5.3 Customer will comply with any additional controls required by applicable law, including any U.S. person access requirements that apply to FedRAMP ISC;
5.4 Customer is not subject to U.S. export restrictions or sanctions;
5.5 Customer is not suspended or debarred from contracting with any U.S. government entity;
5.6 Customer’s use of FedRAMP ISC is compliant with applicable U.S. export control laws and regulations, including but not limited to the International Traffic in Arms Regulation; and
5.7 Customer will comply with all applicable security, usage, and data handling FedRAMP requirements, including properly configuring the service and maintaining the FedRAMP information boundary, managing own users and access permissions to prevent misuse, and not introducing data that exceeds the applicable security impact level or violates SailPoint’s deployment model. Customer will promptly report any actual or suspected unauthorized access, non-compliance, or security incidents affecting SailPoint’s FedRAMP-authorized environment.
6. Compliance. Customer is responsible for satisfying any applicable eligibility requirements for SailPoint FedRAMP Offerings and maintaining compliance. If requested by SailPoint, Customer will promptly provide SailPoint with documentation to verify the accuracy of the representations and warranties contained in Section 5 above. Non-compliance shall be deemed a material breach and SailPoint reserves the right to immediately terminate unauthorized use.
7. Data Processing Addendum (DPA). The DPA available at https://www.sailpoint.com/legal/customer-partner-agreements generally does not apply to FedRAMP ISC. To the extent Customer is provisioning non-U.S. Government data that is not subject to state privacy law exceptions, state privacy laws such as the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”), may apply to the extent permitted by law and that they are not inconsistent with FedRAMP guidelines and processes. In the event of changes to applicable laws, including U.S. state privacy laws, including but not limited to, the amendment, revision, or introduction of new laws, regulations, or other legally binding requirements to which either party is subject, the parties agree to revisit these terms, and negotiate any appropriate or necessary mutual updates in good faith.