Effective: April 21, 2026 — Last updated: April 27, 2026
Important — please read this first
These Terms of Service (“Terms of Service”) form a legally binding agreement between you (the “Customer,” “you,” or “your”) and LumoAuth (“LumoAuth,” “we,” “us,” or “our”). These Terms of Service incorporate the Data Processing Agreement (located at https://lumoauth.dev/legal/dpa, the “DPA”); collectively, the Terms of Service and the DPA make up the “Terms.” By accessing or using the LumoAuth platform, the LumoAuth APIs, SDKs, dashboards, websites, the Lumo Push Auth mobile application, or any related service (together, the “Services”); by creating an account; by clicking an “I accept” (or similar) button or checkbox; by executing an order form, quote, or statement of work that references these Terms; or by continuing to use the Services after these Terms or any update to them becomes effective, you expressly agree to be bound by these Terms.
If you are accepting these Terms on behalf of an entity, you represent and warrant that you have full legal authority to bind that entity to these Terms. If you do not have that authority, or if you do not agree with any part of these Terms, do not access or use the Services.
Section 17 contains a mandatory binding arbitration agreement, a waiver of your right to a jury trial, and a waiver of your right to participate in any class, collective, or representative action, except where prohibited by applicable law. Section 16 caps LumoAuth’s total liability to you. Section 14 disclaims all warranties other than the limited warranty in Section 14.2 and provides that LumoAuth gives you no legal, regulatory, security, or compliance advice. Please read those Sections carefully.
1. Definitions
1.1 “Account Data” means information about you and your representatives that you provide to establish, manage, and pay for your LumoAuth account (including name, business email, billing contact, authentication credentials, and related administrative information), together with our internal logs of Service usage by your account.
1.2 “Agreement” means these Terms (i.e., these Terms of Service together with the DPA available at https://lumoauth.dev/legal/dpa), any Order Form, any document or policy expressly incorporated into these Terms by reference (including the Privacy Policy, the Acceptable Use rules in Section 4, and any Supplemental Terms we publish for specific features), and any amendment we adopt under Section 9.
1.3 “Customer Data” means data, content, and information, including Personal Data as defined in the DPA, that you or your End Users submit to, or that is generated through, the Services, excluding Account Data and Usage Data.
1.4 “Documentation” means the then-current operator and developer documentation for the Services that we publish at https://lumoauth.dev/docs or otherwise make available in the Services.
1.5 “End User” means a natural person who is authenticated or authorized through your use of the Services (for example, a user of an application you operate using LumoAuth).
1.6 “Order Form” means an ordering document or online sign-up flow executed by you that references these Terms and specifies the Services, fees, and term.
1.7 “Sensitive Data” means (a) special categories of personal data as defined by Article 9 GDPR (e.g., data concerning health, sex life, sexual orientation, racial or ethnic origin, religion, political opinions, trade union membership, genetic data, biometric identifiers intended to uniquely identify a natural person), (b) personal data of children under 13 (or the applicable age of digital consent), (c) financial account numbers, payment-card numbers subject to PCI-DSS, (d) government-issued identification numbers, (e) protected health information subject to HIPAA, (f) export-controlled technical data, and (g) any other information whose processing requires a heightened legal standard we have not expressly agreed in writing to support.
1.8 “Service-Level Terms” means any uptime, availability, or performance commitment that we expressly identify as a service-level commitment in writing on an Order Form or in a Supplemental Term signed by both parties. Absent such an express commitment, no such commitment exists.
1.9 “Usage Data” means aggregated, de-identified, or anonymized data derived from the operation of the Services, including performance metrics, feature adoption rates, and abuse signals.
Capitalized terms used but not defined in these Terms have the meanings given in the DPA.
2. The Services; license grant
2.1 License. Subject to your compliance with the Agreement and payment of all applicable fees, we grant you a limited, non-exclusive, non-transferable, non-sublicensable, revocable right to access and use the Services during the term solely for your internal business purposes and for the benefit of your End Users as described in the Documentation.
2.2 SDKs and client code. Any SDKs, libraries, sample code, or other client-side components we make available are licensed to you under the terms identified in their accompanying license files or, if none, under the license in Section 2.1. You may embed these components in your own applications solely to the extent reasonably necessary to integrate the Services and may not otherwise distribute them.
2.3 Authorized users. Only personnel you have authorized (“Authorized Users”) may access the Services. You are responsible for (a) their compliance with the Agreement, (b) the confidentiality and security of their credentials and API keys, (c) all acts and omissions performed under your account, whether authorized or not, and (d) promptly notifying us of any suspected unauthorized access.
2.4 Reservation of rights. All rights not expressly granted to you in the Agreement are reserved by LumoAuth and its licensors. Nothing in the Agreement transfers any ownership or intellectual-property rights to you.
2.5 Open-source components. The Services may include open-source components provided under their own license terms. Those licenses govern those components to the extent of any conflict with the Agreement, but the warranty disclaimers and limitation of liability in Sections 14 and 16 remain in effect.
3. Your account
3.1 Account creation. You must provide accurate, current, and complete information when creating your account and keep that information updated. You are responsible for all activity that occurs under your account.
3.2 Credentials and keys. You are solely responsible for safeguarding passwords, API keys, signing secrets, and any other credentials we issue. You will notify us immediately of any actual or suspected unauthorized use. We may require credential rotation to protect the Services.
3.3 Eligibility. The Services are offered only to users who are of legal age to form a binding contract in their jurisdiction and who are not barred from receiving the Services under applicable law.
4. Acceptable use
4.1 Prohibited conduct. You will not, and will not permit any Authorized User, End User, or third party to:
- (a) access or use the Services other than as permitted by the Agreement and Documentation;
- (b) copy, modify, translate, distribute, rent, lease, lend, sell, resell, sublicense, transfer, or make available the Services except as expressly permitted;
- (c) reverse-engineer, decompile, disassemble, or otherwise attempt to derive the source code, underlying algorithms, or trade secrets of the Services, except to the minimum extent that applicable law permits such activity despite this prohibition;
- (d) create derivative works of the Services or any component thereof;
- (e) use the Services to build, train, or improve any product, service, or dataset that competes with the Services, including any machine-learning model, or to benchmark the Services for publication, or to publish performance, availability, or security-testing results for the Services without our prior written consent;
- (f) interfere with, degrade, probe, scan, or penetration-test the Services (other than through our published responsible-disclosure program);
- (g) circumvent or attempt to circumvent any rate limit, access control, authentication flow, security feature, or technical restriction;
- (h) introduce any virus, worm, time-bomb, Trojan horse, or other malicious code, or conduct a denial-of-service attack against the Services;
- (i) use the Services to transmit unsolicited bulk communications, unlawful content, infringing content, or content that violates the privacy, publicity, or other rights of any person;
- (j) use the Services to process Sensitive Data, except under a separately executed written agreement between you and LumoAuth that expressly permits the specific Sensitive Data category;
- (k) use the Services in a manner that violates applicable law, including export control, sanctions, privacy, consumer-protection, anti-discrimination, anti-money-laundering, anti-bribery, banking, securities, gambling, or telecommunications laws;
- (l) use the Services in connection with high-risk activities where failure or malfunction could reasonably be expected to cause death, personal injury, severe physical damage, or severe environmental damage, including without limitation operation of nuclear facilities, air-traffic control, life-support systems, autonomous vehicle safety-critical systems, or weapons systems (“High-Risk Activities”); or
- (m) use the Services on behalf of, for the benefit of, or to transfer data to, any person or entity that is the target of comprehensive sanctions administered by the United States, the European Union, the United Kingdom, or the United Nations.
4.2 Your responsibility for End Users. You are solely responsible for your End Users’ use of, and interaction with, your applications and the Services through them. We have no relationship with your End Users and owe them no direct duties under these Terms.
4.3 Cooperation and audit. If we have reasonable grounds to believe that you have breached Section 4.1, you will cooperate with a reasonable, good-faith inquiry and, if a breach is confirmed, promptly remediate it.
4.4 Anti-corruption, anti-money-laundering, and sanctions compliance. You represent, warrant, and covenant that, in connection with your use of the Services and the performance of the Agreement, you and your representatives will comply with all applicable anti-corruption, anti-bribery, anti-money-laundering, counter-terrorism-financing, and sanctions laws — including, where applicable, the U.S. Foreign Corrupt Practices Act, the UK Bribery Act 2010, the U.S. Bank Secrecy Act, and equivalent laws of any jurisdiction in which you operate. You will not, directly or indirectly, offer, pay, promise, or authorize any payment of money or anything of value to any government official, political party, candidate, or other person to influence any official act or decision, to secure an improper advantage, or otherwise to improperly assist you or LumoAuth in obtaining or retaining business. You will maintain books and records reasonably adequate to evidence compliance with this Section 4.4 and will promptly notify us in writing if you become aware of any actual or alleged breach of this Section.
4.5 Sector-specific regulation. Where your use of the Services involves a regulated industry or activity (including financial services, payments, healthcare, education, telecommunications, gambling, or cryptocurrency), you are solely responsible for ensuring that your application, your configuration of the Services, and your data-handling practices satisfy the applicable sectoral requirements. We do not provide, and will not be deemed to provide, services that are themselves regulated under those regimes (for example, the Services are not a “financial institution,” “covered entity,” “money services business,” or “telecommunications carrier”), and our willingness to support a particular use case is not a representation that the use case is lawful in your jurisdiction.
5. Customer Data
5.1 Ownership. As between the parties, you retain all right, title, and interest in Customer Data. We claim no ownership of Customer Data.
5.2 License to us. You grant LumoAuth a worldwide, royalty-free, non-exclusive license to host, copy, transmit, display, and otherwise process Customer Data as strictly necessary to provide, secure, and support the Services, including through our Sub-processors listed in the DPA.
5.3 Customer warranty. You represent and warrant that (a) you have all rights, consents, and authorizations necessary under applicable law to submit Customer Data to the Services and to allow our processing of it; (b) Customer Data does not infringe or misappropriate any third party’s intellectual property, privacy, publicity, or other rights; (c) you have provided all notices required by law to End Users; and (d) Customer Data is not Sensitive Data unless expressly permitted under Section 4.1(j).
5.4 Data Processing Agreement. The DPA, available at https://lumoauth.dev/legal/dpa, is incorporated into and forms part of these Terms and governs our processing of personal data contained in Customer Data. In the event of a conflict between these Terms of Service and the DPA with respect to such processing, the DPA prevails.
5.5 Usage Data. We may collect and generate Usage Data and use it for any lawful purpose, including operating, securing, and improving the Services and our other products. Usage Data does not contain information that identifies you, your Authorized Users, or any End User.
6. Fees and payment
6.1 Fees. You will pay all fees specified on the applicable Order Form or published at lumoauth.dev/pricing. Except as expressly stated in these Terms, fees are non-cancellable and non-refundable.
6.2 Taxes. Fees are exclusive of all taxes, levies, and duties imposed by taxing authorities (other than taxes on our net income). You are responsible for payment of all such taxes.
6.3 Payment terms. Unless otherwise agreed on an Order Form, fees are due in advance and invoiced on a recurring basis. Undisputed amounts not paid when due accrue interest at the lesser of 1.5% per month or the highest rate permitted by law, and you will reimburse us for reasonable costs of collection, including attorneys’ fees. You must raise any good-faith billing dispute in writing to billing@lumoauth.dev within thirty (30) days after the invoice date; amounts not so disputed are deemed accepted.
6.4 Changes to fees. We may change recurring fees for any renewal term by providing at least 30 days’ notice before the start of that renewal term. Your continued use of the Services after the renewal date constitutes acceptance of the new fees.
6.5 Suspension for non-payment. In addition to Section 8, we may suspend the Services for any account with overdue fees without further notice.
6.6 Free and trial tiers. We may offer the Services at no charge on a free, evaluation, or trial basis. We may modify, limit, or discontinue any free or trial tier at any time in our sole discretion, with or without notice. Sections 11 (Beta and Free Features), 14 (Warranties), 15 (Indemnification), and 16 (Limitation of Liability) continue to apply to free and trial use, with the express understanding that LumoAuth’s aggregate liability for free or trial use is capped at US$100 regardless of any other limitation.
6.7 Chargebacks and payment-method disputes. You will not initiate a chargeback, payment reversal, or similar dispute with your payment-card issuer, bank, or payment processor in respect of any fee that has not been timely disputed in good faith under Section 6.3. Initiating a chargeback in violation of this Section 6.7 is a material breach of the Agreement, entitles us to suspend or terminate the Services immediately under Sections 7 and 8, and authorizes us to recover from you the disputed amount, together with any chargeback fees, processing fees, and the reasonable attorneys’ fees and costs we incur in responding to the dispute. You authorize us to charge the payment method you have provided for any unpaid fees and any amounts recoverable under this Section.
6.8 Authorization for recurring billing. Where you provide a payment method for recurring billing, you authorize us (and our payment processors) to charge that payment method for all fees due under the Agreement until you cancel or terminate as expressly permitted, and you agree to keep your payment-method information current.
7. Term; termination
7.1 Term. The Agreement begins on the earlier of your first access to the Services or the effective date of the applicable Order Form, and continues for the subscription term set forth in the Order Form (or, in the absence of an Order Form, until terminated). Unless otherwise specified, subscription terms automatically renew for successive periods of equal length, at the fees then in effect, unless either party gives written notice of non-renewal at least 30 days before the end of the then-current term.
7.2 Termination for convenience (by us). We may terminate the Agreement or any Order Form, in whole or in part, at any time upon at least 30 days’ written notice to you, or immediately in the case of a free or trial account.
7.3 Termination for cause. Either party may terminate the Agreement immediately upon written notice if the other party materially breaches the Agreement and does not cure the breach within 30 days after receiving written notice describing the breach with reasonable specificity. We may terminate the Agreement immediately, without a cure period, if (a) you breach Section 4 (Acceptable Use), Section 5.3 (Customer Data warranties), Section 6.7 (Chargebacks), Section 13 (Confidentiality), Section 21 (Export Controls), or any intellectual-property provision; (b) you become insolvent, make an assignment for the benefit of creditors, or become the subject of a bankruptcy or similar proceeding; or (c) we reasonably determine that your use of the Services creates a security, legal, or regulatory risk to LumoAuth, its other customers, or the public.
7.4 Effect of termination. On termination or expiration:
- (a) your license and right to access the Services ends immediately;
- (b) all fees accrued or owing before the effective date of termination become immediately due and payable;
- (c) we will handle Customer Data in accordance with Section 9 of the DPA, which permits us to delete Customer Data following the post-termination window described there; and
- (d) Sections 1, 4 (as applicable to conduct engaged in during the term), 5.3, 5.5, 6 (for accrued amounts), 6.7, 7.4, 7.6, 8.3, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, and 22, and any provision of the DPA that by its nature is intended to survive, survive termination.
7.5 No refunds. Termination does not entitle you to any refund of fees paid, except where expressly stated.
7.6 Insolvency notice. You will give us prompt written notice if you become insolvent, are unable to pay your debts as they become due, file or have filed against you a petition under any bankruptcy or insolvency law, make a general assignment for the benefit of creditors, or have a receiver, trustee, or similar officer appointed for any of your assets.
8. Suspension
8.1 Suspension rights. We may suspend your access to the Services, in whole or in part, with or without prior notice, if: (a) we reasonably believe that your use of the Services violates the Agreement or applicable law; (b) your account has a security issue (for example, suspected compromise); (c) you fail to pay undisputed fees when due; (d) your use is causing, or threatens to cause, harm or material risk of harm to the Services, to other customers, to End Users, or to LumoAuth; or (e) required by a governmental, judicial, or regulatory order.
8.2 Notice. We will use commercially reasonable efforts to provide notice before suspension where practicable, except in emergencies (including security-related suspensions) where delay would increase risk.
8.3 Effect of suspension. You remain responsible for all fees accrued during a suspension caused by your breach, your security incident, or your non-payment. We are not liable for any damages, losses, or costs you or any End User may incur as a result of a suspension.
9. Changes to the Services and to these Terms
9.1 Service changes. We may modify, add, or remove features of the Services at any time. We will not materially reduce core functionality of a paid feature during the then-current paid subscription term, except as required by law or to address a security or legal risk. If we do, your sole and exclusive remedy is to terminate the affected Order Form and receive a pro-rata refund of pre-paid fees covering the period after termination.
9.2 Changes to these Terms. We may revise these Terms or any incorporated document at any time by posting an updated version at the same URL at which these Terms are published, or by notifying you by email or in the Services. Revisions take effect 30 days after posting (or immediately, where the revision relates to a legal, regulatory, or security requirement, or to new features). Your continued use of the Services after the effective date of a revision constitutes your acceptance of the revised Terms. If you do not agree to a revision, your sole remedy is to terminate the Agreement and stop using the Services before the revision takes effect.
10. Service levels; support
10.1 No implied service-level commitments. Except for Service-Level Terms expressly signed by both parties, the Services are provided without any commitment as to uptime, availability, response time, or performance, and no such commitment is implied by course of dealing, usage of trade, or otherwise.
10.2 Support. We provide technical support during our published business hours and through the channels described at https://lumoauth.dev/contact. We may modify support offerings at any time. Support provided outside Service-Level Terms is provided as a courtesy and without warranty.
10.3 Scheduled and emergency maintenance. We may perform scheduled and emergency maintenance at any time. Maintenance windows are not breaches of the Agreement.
11. Beta and free features
11.1 Beta. Features designated as “beta,” “early access,” “preview,” “alpha,” “experimental,” or similar (“Beta Features”) are provided for evaluation purposes only and are not considered part of the Services for purposes of any Service-Level Terms, warranty, indemnity, or support obligation.
11.2 AS-IS. BETA FEATURES AND ANY FREE OR TRIAL USE OF THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE,” WITHOUT ANY WARRANTY OR SUPPORT WHATSOEVER. CONFIGURATIONS AND CUSTOMER DATA USED WITH BETA FEATURES OR FREE OR TRIAL TIERS MAY BE PERMANENTLY LOST WITHOUT NOTICE.
11.3 Discretion. We may modify, limit, or discontinue any Beta Feature or free or trial tier at any time, with or without notice, in our sole discretion.
12. Intellectual property; feedback
12.1 Our IP. The Services, the Documentation, the LumoAuth trademarks and logos, and all modifications, derivative works, and improvements of any of the foregoing (the “LumoAuth IP”) are and remain the exclusive property of LumoAuth and its licensors. No rights are granted to you in the LumoAuth IP except the express license in Section 2.1.
12.2 Your IP. Customer Data remains your property, subject only to the license in Section 5.2.
12.3 Feedback. If you or any Authorized User provides any suggestions, enhancement requests, recommendations, bug reports, or other feedback about the Services or LumoAuth IP (“Feedback”), you grant LumoAuth an unrestricted, perpetual, irrevocable, worldwide, fully paid-up, royalty-free, sublicensable, transferable license to use, reproduce, modify, distribute, create derivative works of, and otherwise exploit the Feedback for any purpose, without attribution or compensation. You represent that you have all rights necessary to grant this license.
12.4 Publicity. We may identify you by name and logo as a LumoAuth customer on our website and in our marketing materials, consistent with any usage guidelines you reasonably provide. You may opt out of this permission by writing to legal@lumoauth.dev.
13. Confidentiality
13.1 Definition. “Confidential Information” means non-public information disclosed by one party (the “Disclosing Party”) to the other (the “Receiving Party”) that is designated as confidential or that reasonably should be understood to be confidential given its nature and the circumstances of disclosure. Confidential Information of LumoAuth includes the Services’ non-public features, pricing, Documentation marked confidential, architecture information, and security details. Confidential Information of Customer includes Customer Data and non-public configuration. Confidential Information does not include information that: (a) is or becomes generally available to the public without breach of this Section; (b) was known to the Receiving Party before disclosure; (c) is received from a third party without a duty of confidentiality; or (d) is independently developed without use of the Confidential Information.
13.2 Obligations. The Receiving Party will (a) use Confidential Information only as necessary to exercise its rights or perform its obligations under the Agreement; (b) protect it with at least the same degree of care as it uses for its own similarly sensitive information, and no less than a reasonable degree of care; and (c) disclose it only to employees, contractors, advisors, and Sub-processors who have a need to know and who are bound by written confidentiality obligations at least as restrictive as those in this Section.
13.3 Compelled disclosure. The Receiving Party may disclose Confidential Information to the extent required by law or valid legal process, provided that it gives the Disclosing Party, where legally permissible, prompt written notice and a reasonable opportunity to seek a protective order.
13.4 Term of obligations. These obligations continue during the term and for five (5) years after termination, except that obligations regarding trade secrets continue for as long as the information remains a trade secret.
13.5 Equitable relief. Each party acknowledges that breach of this Section may cause irreparable harm for which monetary damages would be inadequate, and the non-breaching party is entitled to seek injunctive or other equitable relief without the requirement of posting a bond or proving actual damages.
14. Warranties; disclaimers
14.1 Mutual organizational warranty. Each party represents and warrants that it is duly organized, validly existing, and in good standing under the laws of its jurisdiction of formation, and that the person accepting these Terms on its behalf has authority to bind it.
14.2 Limited service warranty. We warrant that the Services will perform substantially in accordance with the Documentation during the paid subscription term. Your sole and exclusive remedy, and LumoAuth’s sole and exclusive liability, for a breach of this warranty is, at our option, (a) to modify the Services to conform to the Documentation or (b) if we cannot do so using commercially reasonable efforts, to terminate the affected portion of the Agreement and refund pre-paid fees covering the period after termination.
14.3 Warranty disclaimer. EXCEPT FOR THE LIMITED WARRANTY IN SECTION 14.2, AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICES, DOCUMENTATION, BETA FEATURES, FREE TIER, SDKS, AND ALL OTHER MATERIALS PROVIDED OR MADE AVAILABLE BY LUMOAUTH ARE PROVIDED “AS IS” AND “AS AVAILABLE,” WITH ALL FAULTS, AND LUMOAUTH, ITS AFFILIATES, AND ITS LICENSORS EXPRESSLY DISCLAIM ALL WARRANTIES, REPRESENTATIONS, AND CONDITIONS OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, AVAILABILITY, ACCURACY, QUIET ENJOYMENT, OR ANY WARRANTY ARISING OUT OF A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. LUMOAUTH DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, SECURE AGAINST EVERY ATTACK, FREE FROM LOSS OR CORRUPTION OF DATA, OR THAT ANY DEFECT WILL BE CORRECTED.
14.4 No reliance. You acknowledge that no commitment has been made to you by LumoAuth other than the commitments expressly contained in the Agreement.
14.5 High-Risk Activities; identity-verification disclaimer. The Services are a general-purpose authentication and authorization platform. You acknowledge that authentication decisions can be wrong (for example, a legitimate user can be incorrectly blocked, or an illegitimate access attempt can, in rare circumstances, be permitted despite our controls) and that you remain solely responsible for the security design of your application. LumoAuth is not suitable for, and makes no warranty regarding its suitability for, High-Risk Activities.
14.6 No legal, regulatory, or compliance advice. The Services, the Documentation, and any guidance, templates, default configurations, AI-generated outputs, risk-assessment narratives, policy suggestions, or sample policies provided through them are technical tools provided for your information and convenience. They do not constitute legal, regulatory, security, financial, accounting, tax, or other professional advice and are not a substitute for the advice of qualified professionals or for your independent assessment of your obligations. You are solely responsible for determining whether your use of the Services satisfies your obligations under applicable law and regulation — including any sector-specific regulations applicable to your business (such as HIPAA, GLBA, PCI-DSS, FERPA, COPPA, KYC/AML obligations, securities, banking, telecommunications, gambling, or cryptocurrency laws) — and for designing your application’s authentication, authorization, and security architecture to meet those obligations. No statement made by LumoAuth, whether in marketing materials, sales discussions, support communications, AI-generated content, blog posts, or otherwise, creates a representation, warranty, or commitment beyond those expressly set out in the Agreement.
14.7 No fiduciary or trust relationship. Nothing in the Agreement creates a fiduciary, trust, partnership, joint venture, or principal-agent relationship between the parties.
14.8 Third-party services. The Services may interoperate with, link to, or rely on third-party services (including identity providers, push-notification gateways, AI providers, email-delivery services, and infrastructure providers). LumoAuth is not responsible for the availability, accuracy, security, content, or practices of those third-party services, and your use of them is governed by their own terms.
15. Indemnification
15.1 By you. You will defend, indemnify, and hold harmless LumoAuth, its affiliates, and its and their officers, directors, employees, agents, and Sub-processors (collectively, the “LumoAuth Indemnitees”) from and against any and all claims, actions, investigations, liabilities, damages, losses, fines, penalties, and reasonable expenses (including attorneys’ fees) (collectively, “Losses”) arising out of or relating to: (a) Customer Data, including any claim that Customer Data infringes or misappropriates a third party’s rights or violates applicable law; (b) your or any Authorized User’s or End User’s breach of the Agreement, including Sections 4, 5.3, and 6.7; (c) your use of the Services in combination with any product, service, data, or material not provided or approved in writing by LumoAuth, where the combination (and not the Services alone) is the basis of the claim; (d) your products, services, or business operations; (e) any dispute between you and an End User or any third party (including any End User’s employer, an identity provider you have integrated with, or your own customers); (f) your violation of applicable law (including Data Protection Laws, anti-corruption laws, sanctions laws, and sector-specific regulation); or (g) any claim by a regulator or governmental authority arising out of conduct described in (a)–(f).
15.2 By us (limited). We will defend you against any third-party claim alleging that your authorized use of the unmodified Services, in accordance with the Agreement and the Documentation, directly infringes a third party’s United States patent, copyright, or trademark (a “Covered IP Claim“), and we will pay amounts finally awarded against you by a court of competent jurisdiction or agreed to in settlement we approve. This obligation does not apply to Losses arising out of (i) Customer Data; (ii) your failure to apply updates, patches, or configurations we have made available; (iii) your use of the Services in violation of the Agreement or Documentation; (iv) any Beta Feature or free or trial use; (v) any modification of the Services not made by LumoAuth; or (vi) the combination of the Services with anything not provided by LumoAuth.
15.3 IP remedies. If we receive notice of, or reasonably believe that the Services may be the subject of, a Covered IP Claim, we may in our sole discretion (a) procure the right for you to continue using the Services; (b) modify the Services to be non-infringing without materially reducing functionality; or (c) terminate the Agreement with respect to the affected portion of the Services and refund pre-paid fees for the period after termination. Section 15.2 and Section 15.3 together state our entire liability and your exclusive remedy for any claim that the Services infringe any third-party right.
15.4 Procedure. The indemnified party will (a) promptly notify the indemnifying party in writing of the claim; (b) give the indemnifying party sole control over the defense and settlement of the claim, provided that no settlement may require the indemnified party to admit fault, pay money, or take any action without its prior written consent (not to be unreasonably withheld); and (c) provide reasonable cooperation at the indemnifying party’s expense. Failure to notify the indemnifying party promptly does not relieve it of its obligations except to the extent actually prejudiced.
16. Limitation of liability
16.1 Exclusion of indirect damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL LUMOAUTH, ITS AFFILIATES, OR ANY OF ITS OR THEIR OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, OR LICENSORS BE LIABLE UNDER OR IN CONNECTION WITH THE AGREEMENT, THE SERVICES, OR ANY USE OR INABILITY TO USE THE SERVICES, FOR ANY: (A) LOSS OF PROFITS, REVENUE, OR BUSINESS; (B) LOSS OF GOODWILL OR REPUTATION; (C) LOSS, CORRUPTION, OR INACCESSIBILITY OF DATA; (D) COST OF COVER, SUBSTITUTE GOODS OR SERVICES, OR SUBSTITUTE PROCUREMENT; (E) LOSS OF ANTICIPATED SAVINGS; (F) REGULATORY FINES OR PENALTIES IMPOSED ON YOU; OR (G) ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND REGARDLESS OF WHETHER THE CLAIM IS BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, STATUTE, OR OTHERWISE.
16.2 Aggregate cap. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, LUMOAUTH’S AGGREGATE LIABILITY TO YOU UNDER OR IN CONNECTION WITH THE AGREEMENT, THE SERVICES, AND ANY RELATED MATTER — WHETHER ARISING UNDER CONTRACT, TORT, STATUTE, OR OTHERWISE, AND FOR ANY AND ALL CLAIMS IN THE AGGREGATE — WILL NOT EXCEED THE GREATER OF (A) THE TOTAL FEES ACTUALLY PAID BY YOU TO LUMOAUTH FOR THE SERVICES IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO LIABILITY AND (B) ONE HUNDRED U.S. DOLLARS (US$100). FOR FREE, TRIAL, OR BETA USE, THE AGGREGATE CAP IS US$100.
16.3 Basis of the bargain. The parties acknowledge that the limitations and exclusions in this Section 16 (and in Sections 11.2, 14, and 15) are a material and essential part of the allocation of risk between the parties, are reflected in the fees (or zero fees) for the Services, and will apply even if any limited remedy fails of its essential purpose.
16.4 No action after one year. Except for actions to enforce payment obligations, actions for breach of intellectual-property rights, or actions that may not by statute be so limited, no claim arising out of or relating to the Agreement or the Services may be brought by you more than one (1) year after the claim arose. This period is a contractual limitations period and does not extend any shorter period provided by applicable law.
16.5 Non-waivable rights. Some jurisdictions do not allow certain exclusions or limitations of liability. In those jurisdictions, the exclusions and limitations in this Section 16 apply only to the fullest extent permitted by applicable law. Nothing in the Agreement limits any liability that cannot as a matter of law be limited, including liability for gross negligence, willful misconduct, fraud, or death or personal injury caused by negligence where such limitation is prohibited.
17. Dispute resolution; binding arbitration; class-action and jury waivers
PLEASE READ THIS SECTION CAREFULLY. IT AFFECTS YOUR LEGAL RIGHTS, INCLUDING YOUR RIGHT TO BRING A LAWSUIT IN COURT, TO HAVE A JURY DECIDE YOUR CLAIM, AND TO PARTICIPATE IN A CLASS OR REPRESENTATIVE ACTION.
17.1 Informal dispute resolution. Before initiating any formal proceeding, the parties will attempt in good faith to resolve any dispute by sending a written notice of the dispute (including a description of the claim, the relief requested, and the sender’s contact information) to the other party. The parties will then confer by video or phone, through authorized representatives, for at least thirty (30) days (“Informal Resolution Period”) before initiating arbitration or litigation. This Section 17.1 is a condition precedent to initiating any formal proceeding.
17.2 Binding arbitration. If the dispute is not resolved during the Informal Resolution Period, the dispute will be submitted to final and binding arbitration, except as provided in Section 17.5. The arbitration will be administered by the American Arbitration Association (“AAA”) under its Commercial Arbitration Rules (and, for disputes involving US$250,000 or less, the AAA Expedited Procedures), each as in effect on the date arbitration is initiated. The arbitration will be conducted by a single neutral arbitrator experienced in technology contract disputes. The seat of arbitration is Wilmington, Delaware, although hearings may be conducted remotely by video at either party’s request. The arbitrator has exclusive authority to decide all issues of arbitrability, including the scope, enforceability, formation, and interpretation of this Section 17. Judgment on the award may be entered by any court of competent jurisdiction.
17.3 Class, collective, and representative action waiver. ARBITRATION AND ANY PROCEEDING BETWEEN YOU AND LUMOAUTH WILL BE CONDUCTED ONLY ON AN INDIVIDUAL BASIS AND NOT IN A CLASS, COLLECTIVE, MASS, OR REPRESENTATIVE ACTION. YOU AND LUMOAUTH EACH WAIVE THE RIGHT TO PARTICIPATE IN ANY SUCH ACTION, TO SERVE AS A REPRESENTATIVE PARTY, OR TO HAVE CLAIMS JOINED OR CONSOLIDATED WITH THE CLAIMS OF ANY OTHER PERSON OR ENTITY. The arbitrator has no authority to adjudicate claims on a class, collective, or representative basis. If a court or arbitrator determines that this class-action waiver is unenforceable with respect to a particular claim or request for relief, that claim or request will be severed and litigated in court, and the remainder of this Section 17 will remain in effect.
17.4 Jury-trial waiver. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, YOU AND LUMOAUTH EACH IRREVOCABLY WAIVE ANY RIGHT TO A TRIAL BY JURY IN ANY ACTION OR PROCEEDING ARISING OUT OF OR RELATING TO THE AGREEMENT OR THE SERVICES.
17.5 Carve-outs. Notwithstanding Section 17.2, either party may (a) bring an individual action in a court of competent jurisdiction for small-claims matters within that court’s jurisdictional limits; (b) seek injunctive or other equitable relief in any court of competent jurisdiction to prevent actual or threatened infringement, misappropriation, or disclosure of its intellectual property or Confidential Information; and (c) bring an action in any court of competent jurisdiction to enforce an arbitration award.
17.6 Opt-out right. You may opt out of Sections 17.2 and 17.3 (the arbitration agreement and class-action waiver) by sending written notice of your decision to opt out to legal@lumoauth.dev within thirty (30) days after first accepting these Terms. The notice must include your account identifier, the name of the entity you represent (if any), and a clear statement that you wish to opt out of the arbitration agreement and class-action waiver. If you opt out within the 30-day window, Sections 17.4, 18, and 19 remain in full effect. Opting out will not affect any other provision of the Agreement and will not cause us to modify, restrict, or terminate the Services for your account. If you accept later amendments to these Terms, the 30-day opt-out window does not restart.
17.7 Fees. Each party will bear its own attorneys’ fees and costs in arbitration except where an applicable statute provides otherwise. Arbitrator and administrative fees will be allocated as the AAA rules provide, subject to the arbitrator’s ability to reallocate for a frivolous claim or bad-faith conduct.
17.8 Severability of dispute-resolution provisions. If any part of this Section 17 is held unenforceable, that part will be severed, and the remainder will continue in effect, except that if Section 17.3 (class-action waiver) is found unenforceable in its entirety with respect to a particular claim, the entire Section 17 is void with respect to that claim and the parties will litigate in the courts designated in Section 18.
18. Governing law; venue (for disputes not subject to arbitration)
18.1 Governing law. The Agreement is governed by the laws of the State of Delaware, United States, without regard to its conflict-of-laws principles, and excluding the United Nations Convention on Contracts for the International Sale of Goods.
18.2 Venue. For any action not subject to arbitration under Section 17, the parties submit to the exclusive jurisdiction and venue of the state and federal courts located in New Castle County, Delaware, and waive any objection to venue or inconvenient-forum in those courts.
19. Statute of limitations
See Section 16.4.
20. Force majeure
Neither party is liable for any delay or failure to perform (other than payment obligations) caused by circumstances beyond its reasonable control, including acts of God, natural disasters, epidemic or pandemic, war, terrorism, civil unrest, strikes or other labor disputes, governmental action, internet or telecommunications failure, failures or disruptions of third-party service providers (including our Sub-processors or upstream infrastructure providers), denial-of-service attacks, and other cyber-attacks. The affected party will use reasonable efforts to mitigate the effect of the event and to resume performance.
21. Export controls; sanctions
You represent and warrant that you are not, and are not acting on behalf of, (a) any person or entity that is the subject of comprehensive sanctions administered by the United States, the European Union, the United Kingdom, or the United Nations, or (b) any person or entity located in, organized under the laws of, or ordinarily resident in any country or region that is the subject of such comprehensive sanctions. You will not export, re-export, or transfer the Services or any technical data received through the Services in violation of applicable export-control or sanctions laws. You are solely responsible for obtaining any licenses or approvals required for your use of the Services.
22. General provisions
22.1 Entire agreement; order of precedence. The Agreement is the entire agreement between the parties regarding the subject matter and supersedes all prior or contemporaneous agreements, communications, and understandings, whether oral or written. In the event of a conflict, the order of precedence is: (i) the DPA (including its incorporated Standard Contractual Clauses and UK Addendum, with respect to data-protection matters); (ii) a signed Order Form; (iii) these Terms of Service; (iv) any Supplemental Terms; (v) the Documentation. Any terms contained in a purchase order or other procurement document issued by you are rejected and have no effect.
22.2 Amendments. Except as provided in Section 9.2, no amendment to the Agreement is effective unless in writing and signed (including by electronic acceptance) by authorized representatives of both parties. Continued use of the Services after a Section 9.2 revision constitutes acceptance of that revision.
22.3 No waiver. A party’s failure or delay to enforce any provision is not a waiver of its right to do so later.
22.4 Severability. If any provision of the Agreement is held unenforceable, it will be modified to the minimum extent necessary to make it enforceable, or severed if it cannot be so modified, and the remaining provisions will continue in full force and effect.
22.5 Assignment. You may not assign or transfer the Agreement or any rights or obligations under it, by operation of law or otherwise, without our prior written consent. Any purported assignment in violation of this Section is void. We may assign the Agreement without your consent to an affiliate, to a successor in a merger, acquisition, or sale of all or substantially all of our assets, or as part of a corporate reorganization. The Agreement binds and inures to the benefit of the parties and their permitted successors and assigns.
22.6 Notices. We may give notice to you by email to the address associated with your account, by posting in the Services, or by posting at the URL of these Terms. You must give notice to us in writing to legal@lumoauth.dev, with a copy to any physical address listed in the most current Order Form. Customer-support tickets, chat messages, and community-forum posts do not constitute legal notice.
22.7 Independent contractors; no agency. The parties are independent contractors. No partnership, joint venture, employment, franchise, or agency relationship is created by the Agreement, and neither party has authority to bind the other.
22.8 No third-party beneficiaries. The Agreement is for the benefit of the parties only. No other person or entity, including End Users, has any rights under the Agreement or may enforce any of its provisions.
22.9 Interpretation. Headings are for convenience only. “Including” means “including without limitation.” A reference to days is to calendar days unless otherwise specified. The Agreement will not be construed against any party as the drafter.
22.10 Counterparts; electronic signatures. The Agreement may be executed in counterparts, including by electronic signature or by electronic acceptance through a check-box, click-through, or continued use of the Services, each of which is deemed an original and all of which together constitute one agreement.
22.11 U.S. government rights. If you are a U.S. government end user, the Services are “commercial computer software” and related documentation is “commercial computer software documentation” under FAR 12.212 and DFARS 227.7202, and are licensed to you with only those rights provided under these Terms.
22.12 Contact. Questions about the Agreement may be sent to legal@lumoauth.dev. For privacy matters, see the Privacy Policy at privacy@lumoauth.dev.
22.13 Digital Millennium Copyright Act. LumoAuth respects the intellectual-property rights of others. If you believe that material accessible through the Services infringes a copyright you own or control, please send a notice complying with 17 U.S.C. § 512(c)(3) to our designated agent at legal@lumoauth.dev, with a copy to the address listed under Section 22.6. The notice must include: (a) a physical or electronic signature of the owner or authorized agent; (b) identification of the copyrighted work claimed to be infringed; (c) identification of the allegedly infringing material and information reasonably sufficient to permit us to locate it; (d) your contact information; (e) a statement that you have a good-faith belief that the use is not authorized; and (f) a statement, under penalty of perjury, that the information in the notice is accurate and that you are authorized to act on the owner’s behalf. We may, in our discretion and where appropriate, disable or remove the allegedly infringing material and terminate the accounts of repeat infringers. Submission of a knowingly false notice may result in liability for damages under 17 U.S.C. § 512(f).
22.14 Anti-reliance and integration. You acknowledge that you have not relied on any statement, promise, representation, assurance, or warranty (whether made innocently or negligently) that is not expressly set out in the Agreement. The only remedy available to you in respect of any such statement is for breach of the Agreement, and you waive any claim for innocent or negligent misrepresentation based on any statement in the Agreement (without limiting any liability that cannot as a matter of law be excluded).
22.15 Survival of DPA terms. Provisions of the DPA that by their nature should survive termination of the Agreement (including those relating to confidentiality, indemnity, liability allocation, audits already in progress, deletion or return of Customer Personal Data, and ongoing data-transfer obligations) survive termination of the Agreement.
Acknowledgment
By accessing or using the Services, you acknowledge that you have read these Terms (including the DPA incorporated by reference at https://lumoauth.dev/legal/dpa), understand them, and agree to be bound by them. If you do not agree, you must not access or use the Services. Your continued use of the Services following any revision to these Terms constitutes your acceptance of the revised Terms.