Product Specific Terms
Effective starting: December 12, 2025 (unless otherwise indicated below)
The following Product-Specific Terms apply to the SailPoint Offerings specified below and hereby supplement the SailPoint Customer Agreement or other agreement entered between Customer and SailPoint (the “Agreement”) for Customer’s use of the SailPoint Offerings. Capitalized terms used and not defined in the Product-Specific Terms have the meanings given to them in the Agreement.

| SailPoint Offering | Product Specific Terms |
|---|---|
| FedRAMP authorized SailPoint Identity Security Cloud | |

FedRAMP authorized SailPoint Identity Security Cloud
1. Interpretation.
1.1 Terms. All defined terms herein have the meaning set forth in. Capitalised terms used in this FedRAMP Addendum that are not defined herein shall have the meaning ascribed to them elsewhere in the Agreement or applicable U.S. Federal law or Guidelines under the Federal Risk and Authorization Management Program (“FedRAMP”), unless otherwise specified. The “Agreement” is the SailPoint Software as a Service or Software license Framework Customer Agreement between SailPoint and Customer.
1.2 Incorporation. The terms and conditions set forth in this FedRAMP Addendum are hereby incorporated into and made an integral part of the Agreement, as if fully set forth therein, solely with respect to Customer’s use of SailPoint FedRAMP Offerings that are hosted in SailPoint’s environment pursuant to FedRAMP and shall be construed together with the terms of the Agreement. Except for the changes made by this FedRAMP Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this FedRAMP Addendum and the Agreement, this FedRAMP Addendum shall prevail solely with respect to SailPoint FedRAMP Offerings.
2. FedRAMP Compliance and Framework. SailPoint FedRAMP Offerings must comply with FedRAMP control guidelines and are monitored and regulated by the Federal Government. They are subject to modification or update by FedRAMP authorities and applicable Federal Agencies. If there is an inconsistency between the Agreement, the FedRAMP Addendum, or applicable Federal Authorities, the Federal Authority controls to the extent applicable to the matter.
For purposes of this Addendum, Federal Authority is defined as any U.S. Federal law, regulation, policy, requirement, or guideline that is applicable to the subject matter and the SailPoint FedRAMP Offering being purchased including Federal Agency specific authority.
FedRAMP deployment models are defined as the following in accordance with FedRAMP guidance. (1) Government Community Only: The cloud holds only government data. Customers can be federal, state, local, tribal, territorial, federally funded research centers (FFRDCs), contractors working on behalf of the government, or lab entities, (2) Public: Public cloud deployments support both government and non-government customers. This aligns with the traditional model of cloud computing services, (3) Private: Private cloud deployments intended for single organizations and implemented fully within federal facilities are not subject to the FedRAMP mandate and are the only exception to FedRAMP being mandatory for all federal agencies, (4) Hybrid: Combination of cloud infrastructures (private, community, or public).
3. Operations.
3.1 Hosting, Storage, and Support. To the extent required by FedRAMP to maintain authorization: (1) SailPoint FedRAMP Offerings shall be hosted within the United States. No Customer Data stored in SailPoint FedRAMP Offerings will be transferred outside of the United States; and (2) Support for the SailPoint FedRAMP Offerings will be provided by SailPoint’s support team located in the U.S., by personnel who are U.S. citizens.
3.2 Customer Data. Customer is prohibited from transferring and storing data in the SailPoint FedRAMP Offerings that is not in compliance with U.S. Federal law.
4. Security, Data Processing and Protection, Audits, Incident Reporting, and Continuous Monitoring. The certifications described in SailPoint’s data security program (“Security Addendum”) available at https://www.sailpoint.com/legal/customer-partner-agreements do not apply to SailPoint FedRAMP Offerings. SailPoint will maintain its SailPoint FedRAMP Offerings in compliance with the applicable impact controls required by the National Institute of Standards (NIST) Special Publication 800-53 (SP 800-53) and approved for use under the FedRAMP program, and in all cases, controls shall align with applicable FedRAMP guidelines and processes including data processing and protection, audits and security incident processes.
5. Customer Representations and Warranties. Customer represents and warrants that:
5.1 Customer is either a U.S. incorporated entity or an unincorporated U.S. entity having its principal place of business in the U.S.;
5.2 Customer acknowledges that SailPoint makes no representation or warranty related to the US Persons status of any Customer or End User that may be granted access to the SailPoint FedRAMP Offering(s);
5.3 Customer is responsible to verify the adequacy of the SailPoint FedRAMP Offering(s) for the storing, processing or accessing of Customer Data and that your use of the SailPoint FedRAMP Offering(s) will comply with any applicable Federal Authority and any other laws and regulations that may govern Customer Data;
5.4 Customer acknowledges that SailPoint FedRAMP Offerings are hosted in the Amazon Web Services (“AWS”) GovCloud (U.S.) Region and the Snowflake SnowGov (U.S.) Region, and that SailPoint operates under a Government Only Community Model, resulting in Customer and Customer Data limitations. Customer is responsible for meeting applicable Customer eligibility requirements based on the SailPoint FedRAMP Offering(s) being purchased by Customer pursuant to FedRAMP deployment model guidance, including providing accurate and current SailPoint FedRAMP Customer verification information. Customer shall maintain management processes to review and ensure its compliance with applicable third-party information security standards in connection with Customer’s use of such SailPoint FedRAMP Offerings;
5.5 Customer will comply with any additional controls required by applicable law, including any U.S. person access requirements that apply to SailPoint FedRAMP Offerings;
5.6 Customer is not subject to U.S. export restrictions or sanctions;
5.7 Customer is not suspended or debarred from contracting with any U.S. government entity;
5.8 Customer’s use of SailPoint FedRAMP Offerings is compliant with applicable U.S. export control laws and regulations, including but not limited to the International Traffic in Arms Regulation; and
5.9 Customer will comply with all applicable security, usage, and data handling FedRAMP requirements, including properly configuring the service and maintaining the FedRAMP information boundary, managing its own users and access permissions to prevent misuse, and not introducing data that exceeds the applicable security impact level or violates SailPoint’s deployment model. Customer will promptly report any actual or suspected unauthorized access, non-compliance, or security incidents affecting SailPoint’s FedRAMP-authorized environment.
6. Compliance. Customer is responsible for satisfying any applicable eligibility requirements for SailPoint FedRAMP Offerings and maintaining compliance. If requested by SailPoint, Customer will promptly provide SailPoint with documentation to verify the accuracy of the representations and warranties contained in Section 5 above. Non-compliance shall be deemed a material breach and SailPoint reserves the right to immediately terminate unauthorized use.
7. Data Processing Addendum (DPA). The DPA available at https://www.sailpoint.com/legal/customer-partner-agreements generally does not apply to SailPoint FedRAMP offerings. To the extent Customer is provisioning non-U.S. Government data that is not subject to state privacy law exceptions, state privacy laws such as the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”), may apply to the extent permitted by law and that they are not inconsistent with FedRAMP guidelines and processes. In the event of changes to applicable laws, including U.S. state privacy laws, including but not limited to, the amendment, revision, or introduction of new laws, regulations, or other legally binding requirements to which either party is subject, the parties agree to revisit these terms, and negotiate any appropriate or necessary mutual updates in good faith.
8. Applicable Websites. Any links to external websites are provided for convenience only. SailPoint does not control or endorse the content of third-party sites and does not guarantee their accuracy, completeness, or timeliness. Readers are responsible for independently verifying any information obtained from external sources.