Effective Date: January 1, 2022

Posted Date: December 20, 2021

I. Introduction

At Okta, data privacy is important to us. This Okta Privacy Policy (“Privacy Policy”) details our privacy practices for the activities described in this Privacy Policy. Please take the time to read this Privacy Policy carefully in order to understand how we collect, share, and otherwise process information relating to individuals (“Personal Data”), and to learn about your rights and choices regarding our processing of your Personal Data.

In this Privacy Policy, “Okta,” “we,” “our,” and “us” each mean Okta, Inc. and the applicable Okta affiliate(s) involved in the processing activity. The addresses of our offices, where Okta, Inc. and our affiliates are located, can be found at https://www.okta.com/contact. 

Auth0 Inc.'s headquarters is located at 10800 NE 8th Street, Suite 700, Bellevue, Washington 98004, USA.

II. Okta’s Roles & Responsibilities

Okta is the controller of your Personal Data, as described in this Privacy Policy, unless otherwise stated.  Please note that this Privacy Policy does not apply to the extent that we process Personal Data in the role of a processor (or a comparable role such as a “service provider” in certain jurisdictions) on behalf of our customers, including where we offer to our customers various cloud products and services, through which our customers (and/or their affiliates) connect their own websites and applications to our hosted platform, sell or offer their own products and services, send electronic communications to other individuals, or otherwise collect, use, share or process Personal Data via our cloud products and services.

Each of our customers, not Okta, controls whether they provide you with a subscription to the Okta identity cloud service, and if they provide you with a subscription, they control what information about you that they submit to our service. This content may include contact information (such as your first and last name, email address, and phone number), professional information (such as the department you work for at your place of employment), or other types of information that a customer chooses to submit. Use of this content by Okta is governed by agreements between Okta and the Customer.

For detailed privacy information applicable to situations where an Okta customer (and/or a customer affiliate) who uses Okta’s cloud products and services is the controller, please reach out to the respective customer directly. We are not responsible for the privacy or data security practices of our customers, which may differ from those set forth in this Privacy Policy. If not stated otherwise either in this Privacy Policy or in a separate disclosure, we process such Personal Data in the role of a processor or service provider on behalf of a customer (and/or its affiliates), who is the responsible controller of the applicable Personal Data.

If your Personal Data has been submitted to us by or on behalf of an Okta customer and you wish to exercise any rights you may have under applicable data protection laws, please inquire with the applicable customer directly. Because we may only access a customer’s data upon instruction from that customer, if you wish to make your request directly to us, please provide to us the name of the Okta customer who submitted your Personal Data to us. If we are able to verify the Okta customer, we will refer your request to that customer and support them as needed in responding to your request within a reasonable timeframe.

Additional information and safeguards regarding Okta’s data protection obligations (including for international transfers) to our customers are set forth in our subscription agreement form and related documents, including our Trust & Compliance Documentation, all of which are available online at https://www.okta.com/agreements

III. Personal Data We Collect and Data Sources

Covered Data Processing Activities

This Privacy Policy applies to the processing of Personal Data that we collect in the following ways, as detailed in this section.

We collect information about you when you provide it to us, when you interact with our websites and electronic systems, and when you attend events and visit our offices, and when other sources provide it to us, as further described below. 

Information you provide to us

Based on our current practices (and including our practices over the last 12 months), we collect the following categories of information about you:

Contact and Professional Data: We collect contact and/or professional data about you in person, through communications, including communications from you or your colleagues, and through our websites. For example, you provide your contact and professional information to us when you sign up to learn more about Okta’s products and services, download content, register for an event, and visit our offices. If you attend an event, we may also receive contact and professional details about you when you choose to scan your attendee badge or by providing a business card or other method(s) whereby you share Personal Data with us. Typically, contact data includes your name and contact methods, such as telephone number, email address, and office or other mailing address, and professional data includes details such as the organization you are affiliated with, your job title, and industry.

Biographical, Community, and Support-related Data: We may also collect various types of biographical, community, and support-related Personal Data from you via our help center and community support forums. For example, if you register for an online community that we host, we may ask you to provide a username, photo and/or biographical information, such as your occupation, organization name and areas of expertise. Additionally, you may provide Personal Data to us when you create user-generated content (for example, by posting in a forum), provide Okta with feedback, or when you participate in interactive features, trainings, online surveys, contests, promotions, sweepstakes, activities, or events. You may also be asked to provide contact information, a summary of the problem you are experiencing, and any other information that would be helpful in resolving a customer support request.

Job Applicant Data: You provide your contact and professional information, including your resume with educational and work background, when you apply for a job with Okta. You may also provide us with sensitive information, like your Social Security Number or other government identifier, racial or ethnic origin, or other such Personal Data in connection with your job application. 

Contract and Payment Data: We may receive contract details (like signatures) from you or your organization and use third party payment processing services to collect payment and billing information, which may contain Personal Data such as billing name, billing address and payment card details, in connection with some of our products and services. 

Audio, Electronic, or Visual Data: If you attend an Okta in-person or virtual event or agree to be recorded in a telephone or video meeting, we may record some or all of that event or meeting. For events, we may document the event in various ways, such as by taking photos at the event, interviewing you at the event, or recording your participation in a live question-and-answer or other interactive session. We use this information for business and marketing purposes to better inform the public about Okta, its events, and provide testimonials about our products and services.

Consumer Products: If you use consumer products by Okta (“Okta Consumer Products”), then we may receive various types of information and content from you that you choose to share, including contact information (such as your first and last name, email address, and phone number), additional multi-factor authentication factor setup details, content you upload (such as identification or other documentation), and information regarding the websites and applications that you visit and use through Okta Consumer Products for authentication. We also receive Ancillary Data, including device data, Usage Data, and metadata, as described below for the purposes described below.

Depending on your jurisdiction, if we collect sensitive data from you, we will do so by providing you with additional notice or confirming your consent upon collection.

Personal Data We Collect From Other Sources

In the course of doing business (and over the 12 months preceding the effective date of this Privacy Policy), we receive Personal Data and other information from other third parties for our business or commercial purposes. This information varies and typically falls into a few categories:

  • Business contact information (such as name, job title, business email, phone number, and address), social profile (such as LinkedIn or XING) including other details about your organization for sales and marketing purposes, including to better inform you about Okta products and services;
  • Third-party platform usernames and identifying information;
  • Details about you as a job candidate (which may include your name, resume, educational and work history, criminal history information, and feedback) as permitted under law; and
  • Data used for security purposes to protect our products and services.

We receive business contact information that contains Personal Data for commercial purposes, including details about your organization from third parties for marketing and business intelligence, such as analyzing business opportunities, identifying and communicating with potential  customers, and providing our audience with more relevant content and advertising. Typically, we receive this information about you from a few sources, such as: (i) third-party marketing initiatives, such as events where we are a sponsor, or website forms hosted by third parties that may provide content about us; (ii) instances when you consent to having your attendee badge scanned at an event hosted by us or another third party; (iii) companies, such as information aggregators and similar entities, from whom we have licensed business contact information; and (iv) referrals. In some situations, we may combine such business contact information with other non-personal and Personal Data we possess or that you have provided to us. For example, we may combine business contact details with details about your organization, such as its address or revenue range, and analyze this information for business opportunities or use this to send you tailored content. 

 

We also receive information from third-party platforms for various business purposes such as credit, program management, or technical reasons. For example, we may receive credit information about an organization that includes the names of individuals. If you participate in an open source project or our bug bounty program, we may receive details about you, such as your username or pull requests, to help us manage your participation in the project or program and provide you with updates.

If you are a candidate applying for a job at Okta, we may receive Personal Data about you from third parties for business purposes, such as through background checks (educational, employment, criminal, and financial information), publicly-available sources (like social media accounts, including LinkedIn for identifying candidates), feedback about your application and from interviews, and other third parties that may provide feedback about your application.

For our professional services work, as a processor or service provider, Okta may also receive Personal Data about you to perform its obligations under its contract with a third party. Okta partners may also share your business contact information with Okta as part of their recommendation to your organization to become an Okta customer. If Okta is interested in partnering with, acquiring, investing in, or partners with, acquires, or invests in your employing or retaining organization, Okta may receive Personal Data about you through the (potential or completed) transaction for its business purposes.

Device Data, Usage Data, and Metadata We Collect

Explanation of Device Data, Usage Data, and Other Metadata and Technology Used

Like most websites, applications, and software across the Internet, Okta collects certain Personal Data. This type of data collection allows us to better understand how individuals use and the performance of our websites, products and services. For example, we may collect metadata about you, including technical data about your performance or use of our website, products and services. We may also collect device data about you to help us determine that users from one type of device use our websites, products and services in different ways than users of a different type of device, which in turn allows us to improve our websites, products and services, such as through optimizing the screen size of Okta mobile applications, or making sure that our customers’ users have a more efficient user experience. We may collect these types of Personal Data as part of the services we provide to customers as well as in connection with your use of Okta Consumer Products.

 

One common technology we use to collect metadata that may be considered Personal Data is our use of cookies. Cookies are small text files that are placed on your web browser and that help us recognize your browser or device as a unique visitor in different ways based on the type of cookie. The three main types of cookies are: 

Essential cookies. Essential cookies are required for website functionality and security. For example, authentication, security, and session cookies may be required for our website or products to work.

Functional cookies. We use functional cookies to help enhance our websites’ performance, for market research, or other analytics or advertising that is not tied to a specific individual. For example, we may use Google analytics to help us track how many individuals visited our websites. We may also utilize HTML5 local storage cookies for the reasons described in this section. These types of cookies are different from browser cookies in the amount and type of data they store and how they store it.

Targeting or advertising cookies. We use targeting and advertising cookies to help us understand our marketing efforts and to reach potential customers across the web. For example, we contract with third-party advertising networks that may track your activity over time and across different channels, including our websites, email activity, and other websites and applications that display advertisements. They may use this tracking information to understand and predict your interests, to display an advertisement for Okta on another website, or email you with a marketing communication for an Okta product. 

If you would like to manage your cookies and your permissions to share data with cookie providers, please visit the section below on Your Information Choices.

A second common technology we use to collect metadata that may be considered Personal Data is beacon technology. We use beacons in our websites and in email communications to you. Beacons provide us with information about your activity and help us to improve our business operations and strategy, such as by understanding our email communications’ functionality and improving our websites and content. For example, if you click on a marketing email we send to you about a new product or service, the beacon will provide signals to us that you and your organization may be interested in learning more. If you would like to manage your email subscriptions with us, please visit the section below on Your Information Choices

Data Collected from the Okta Service and Ancillary Data

We offer products that collect both Customer Data and Usage Data (as defined in our agreements with customers, including from the Okta Service). Our collection of both types of data enables us to provide and innovate upon the Okta Service, which in turn allows us to act as a service provider to our customers and to continuously improve upon the services we provide to our customers and consumers. In conjunction with the products we make available to our customers, we may collect additional data, such as user-agent and browser version, IP address, the URLs you visit (such as to determine whether we can help you manage your credentials for such URLs), logs of your usage and click activities, logs about your login history, identity confirmation, and device data (such as whether your device is managed by an administrator, the operating system installed on the device, certain device configurations, and similar device or version information). For the Okta Mobility Management product, data collected may include the applications that are installed on your device. Collectively, we refer to this data as “Ancillary Data”. Some of the Ancillary Data, including Usage Data, that we receive is dependent on your organization’s policies and settings and what information it permits to be shared with Okta. Okta uses Ancillary Data to improve security and to provide and improve its products to customers, including to better understand customer behavior in order to create new features and provide threat-related insights for our customers.

Some of these products that collect and process Ancillary Data include:

  • the Okta browser plugin;
  • the Okta desktop and mobile applications (Okta Verify and Okta Mobile); and
  • Okta Consumer Products.

Through the Okta browser plugin, the Ancillary Data we collect includes details about your login session, IP address, user-agent, and the web application name and website address, as well as other information that is not personal in nature. In addition, as part of Ancillary Data, we may collect interaction data about your use of the Okta browser plugin. We use the information collected through the Okta browser plugin for security purposes and to provide features, such as to allow you to better manage your passwords for websites that you visit.

Personal Data Collected Through Our Website, Trainings or Events, and Other Engagement

As with most websites, whenever you visit an Okta website, take an Okta training course, engage with the Okta Community, or when you interact with Okta promotional or other informational content, Okta may receive both Personal Data about you from information-gathering tools and passive information collection on our websites, including Personal Data from our websites you visit or emails we send. This information collection typically includes information such as cookies, beacons, demographic information, company and role details, market research and publicly-available information, IP address, device and browser details, usage information, timestamps, pages viewed, searches, interaction with and action taken by you on our websites or content, as well as other non-Personal Data.

IV. How We Use Personal Data

How we use the Personal Data that we collect depends in part on how you choose to communicate with us, how you use our websites and interact with us, and any preferences you have communicated to us.  In general, we use your Personal Data as is necessary to run our business and carry out our day-to-day activities. In addition to the uses identified elsewhere in this Privacy Policy, we may use your Personal Data to accomplish the following tasks (and we have done so during the 12 months preceding the effective date of this Privacy Policy):

For the purpose of communicating with you about our products and services and facilitate other interaction. We may use your Personal Data, such as contact data, Ancillary Data, and metadata, to send you transactional communications, notices, updates, security alerts, and administrative messages regarding our products and services that may be useful to you and your organization. We will respond to your questions, provide tailored communications based on your activity and interactions with us, and help you use our products and services effectively. 

For the purpose of supporting safety, security, and manage operations. We use Personal Data, such as contact data, Ancillary Data and other metadata, about you and your use of our products, services, and offices to verify accounts and activity, monitor suspicious or fraudulent activity, assist our customers in their monitoring of suspicious or fraudulent activity, and identify violations of policies regarding the use of our products and services. We may also combine Ancillary Data with other data we receive for safety, security, and to manage our business operations. We also process Personal Data, such as contact data and health data, for security and operations management reasons, such as to register visitors to our offices and carry out related safety measures (including through using our Atmosphere application), including to manage non-disclosure agreements that visitors may be required to sign.

For the purpose of marketing our products and services. We use your Personal Data, such as contact data, Ancillary Data, and other metadata about how you use the products and services to send promotional communications that may be of specific interest to you and your organization, including by email and by displaying Okta marketing communications on other organizations’ websites and applications, as well as on third-party platforms like Facebook, Twitter, and Google. These communications are aimed at encouraging engagement and maximizing the benefits that you and your organization can gain from Okta’s products and services, including information about new products and features, survey requests, newsletters, and events that we think may be of interest to you and your organization.

For the purpose of analyzing, predicting, and improving results and operations. We use Personal Data to analyze and predict results (such as those arising from our sales and marketing efforts and product usage and consumption), improve the performance of our websites, products and services and customer support, identify potential customers, opportunities, and potential new product areas, ascertain trends, improve our websites’ functionality, improve our security, and provide us with general business intelligence, including through the use of machine learning technology. We may also combine the metadata and usage information collected from our websites with other information to help further the purposes described in the previous sentence.

For the purpose of managing contests or promotions and customer appreciation. Okta may occasionally run contests or other special promotions or make available opportunities or other tokens of appreciation for customers, and if you register for these, we may process your Personal Data, such as contact information, biographical information, and contract-related data to perform our contract with you. Okta may also use the Personal Data, such as contact data, collected in these contests, promotions, and for customer appreciation as well as to send you gifts or prizes and promotional material about Okta and our partners.

For the purpose of processing payments. We process Personal Data, such as contact information, contract-related data, financial information, biographical information, and payment information to process payments to the extent that doing so is necessary to complete a transaction and perform our contract with you or your organization.

For the purpose of recruiting and hiring. We process your Personal Data, such as contact, job applicant, and biographical data, to assess your application and to evaluate and improve our recruitment system, our application tracking and recruitment activities. We also use your Personal Data to communicate with you regarding your application or opportunities at Okta that appear over time that we believe may be of interest to you. We also use your Personal Data to send you new hire and employee experience information. We may verify your information, including through reference checks and, where allowed, background checks.

Other purposes for our legitimate interests: Where required by law or where we believe it is necessary to protect our legal rights, interests, or the interests of others, we may use your Personal Data in connection with the management of our business, including but not limited to, for operational purposes and workflow automation, business intelligence (such as to understand subscription consumption and free trial product usage), website and product improvement, legal claims, compliance, regulatory, and audit functions, protecting against misuse or abuse of our products and services, and protecting personal property or safety. For example, we may review compliance with applicable usage terms in our customer contracts, assess capacity requirements for our products, websites, and offices, improve your user experience, respond to requests by you for support or for contact, or identify customer opportunities. If you sign up to participate in specific programs, such as the Okta Ideas forum or other product feedback programs, we may analyze Ancillary Data, including Usage Data, related to your use of our Service, along with the data you choose to provide to us through Okta Ideas, to provide you with a better customer experience.

Other purposes with your consent: We may use your Personal Data if you have given us consent to do so for a specific purpose not listed above. For example, we may publish testimonials or featured customer stories to promote our products and services or record phone calls for quality and training purposes, with your permission.

If we process your Personal Data for a purpose other than those set out above, we will provide you with information prior to such processing.

Legal Bases for Processing Personal Data (for United Kingdom and European Economic Area and other relevant jurisdictions)

If you are an individual in the United Kingdom, the European Economic Area (EEA), or of another relevant jurisdiction, we collect and process information about you only where we have a legal basis or bases for doing so under applicable laws. The legal bases depend on the products and services that your organization has purchased from Okta, how such products and services are used, and how you choose to interact and communicate with Okta’s websites, systems, and whether you attend Okta events. This means we collect and use your Personal Data only where:

  • We need it to operate and provide you with our products and services, provide customer support and personalized features, and to protect the safety and security of our products and services;
  • It satisfies a legitimate interest of Okta’s (which is not overridden by your data protection interests and rights), such as for research and development, to provide information to you about our products and services that we believe you and your organization may find useful, and to protect our legal rights and interests;
  • You give us consent to do so for a specific purpose; or
  • We need to comply with a legal obligation.

If you have consented to our use of Personal Data about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place.  Where we are using your Personal Data because we or a third party (for example, your employer) have a legitimate interest to do so, you have the right to object to that use; however, in some cases, this may mean that you no longer use our products and services. 

V. Personal Data Shared by Okta and Data You Choose to Share with Third Parties

Personal Data Shared by Okta

In the course of doing business (and over the 12 months preceding the effective date of this Privacy Policy), Okta may share Personal Data as described below.

Service Providers. For all categories of information that we collect, we share Personal Data with our service providers for various business purposes, including, but not limited to, auditing interactions with users, debugging our websites, products and services, security purposes, internal research and gleaning insights through machine learning, short-term uses such as credit verification, payment processing, IT services, quality control and safety, gift fulfillment, in-person and virtual event management, as well as to perform other services on our behalf. For example, we may use service providers to help us proctor and score Okta certification exams, or host our customer relationship management system.

In-person and Virtual Events. If you choose to register for or attend a virtual or in-person event or webinar that we host (such as our Oktane customer conference), enter a contest or raffle with us and a sponsor, or download content (such as a whitepaper) from our website, then we will share your contact information, content interest information or other activity data, and any other information, including Personal Data, collected in the course of these activities for commercial purposes with those sponsors. In many cases, you intentionally disclose your details by providing your information to these sponsors through consent via a registration form or by scanning your badge at the applicable sponsor’s booth. Virtual events hosted by third party platforms may also collect additional data from you when you visit their sites. The treatment of this information is subject to each of these third parties’ respective privacy statements.

Partners and Resellers. We share your Personal Data, such as contact information, business details, and content interest and activity details, with our partners and resellers for business purposes, such as to carry out our business or for joint marketing efforts to reach our customers and prospective customers. In many cases, you intentionally disclose your details by providing your information to these sponsors through consent via a registration form. You can review a list of our current partners here.

Protection of Rights, Security and Fraud Detection. For all categories of data we collect, we share your Personal Data with third parties for business purposes to protect our customers, users, secure our physical and intellectual property, and to prevent or investigate security or fraudulent attempts against our users through our platform.

Law Enforcement and Legal Requests. For all categories of data we collect, we may share Personal Data to comply with applicable law or respond to valid legal requests, such as a subpoena, from law enforcement or other authorities.

With our Affiliates, Related to Corporate Transactions, and Provision of Professional Services. For all categories of data we collect, we share Personal Data among our affiliates and subsidiaries for business purposes, including any service providers and agents that work on our behalf. For example, we may share your Personal Data with support service providers with whom we have in place agreements to protect your Personal Data. We may also share your information as required for us to carry out a corporate transaction, such as a merger or sale of assets of all or part of our company. We will also share your Personal Data with our professional service providers (for example, our auditors, insurance providers, financial service providers, and legal advisors) as needed for us to run our business. When we share Personal Data with our affiliate Auth0, Inc. and its affiliates, the terms posted at https://auth0.com/privacy shall apply.

Platform, Training, and Community Analytics Data. We share Ancillary Data, such as metadata (for example, unique identifiers and Usage Data), collected through our platform with analytics service providers for our business purposes, such as to provide a better user experience and improve our products and services.

Advertising and Marketing. We share your Personal Data, such as metadata and contact data, with third-party advertising and marketing providers, to allow us to better reach our customers and prospective customers, and to sell our products and services. In some circumstances, we may ask you to consent to directly disclosing your Personal Data with these third parties prior to sharing your Personal Data, such as via a consent banner on our website.

Anonymous or De-identified Usage Data. We share anonymized or aggregated usage data or security threat information with third parties or the public. For example, this may include sharing trends regarding organizations’ use of Okta’s products and services to customers and prospective customers in our “Businesses at Work” report. The data shared in this category is not Personal Data.

Okta Community, Help Center, and Other User Generated Content. We make available a community forum and self-help support materials, as well as blogs and other means for you to post information on our websites. This information you post is publicly-available information that you choose to share and it may be read, collected, and processed by others that visit these websites. Except for username (which may be your real name) and the details that you choose to include in your profile, the categories of data shared in these circumstances will depend on what information you choose to provide.

Recruitment Data. When you apply for a job at Okta, we share your Personal Data, including applicant data, biographical information, and other Personal Data we possess with our affiliate companies for business reasons, such as human resource management and internal reporting; our service providers for business reasons, such as the recruitment platform and to manage background checks; and law enforcement or government authorities, or as otherwise necessary to comply with law or as needed for the recruitment and human resources process.

Okta Social Media Outlets

Okta’s websites may use social media features, such as the Facebook “like” button, the Instagram “heart” button, Twitter sharing features, and other sharing widgets (“Social Media Features”). You may be given the option by such Social Media Features to post information about your activities on a website to a profile page of yours that is provided by a third-party social media network in order to share content with others within your network. Social Media Features are either hosted by the respective social media network, or hosted directly on our websites. To the extent the Social Media Features are hosted by the respective social media networks and you click through to these from our website, the latter may receive information showing that you have visited our website. If you are logged in to your social media account, it is possible that the respective social media network can link your visit to our websites with your social media profile.

Your interactions with Social Media Features are governed by the privacy policies (and any other applicable terms) of the respective companies that provide the relevant Social Media Features.

Data You Choose to Share with Third Parties

As part of the functionality we make available on our websites and to better communicate with our customers and prospective customers, there may be categories of third parties that are authorized by us to operate on our websites and access your Personal Data, such as your contact data, IP address or cookies. Depending on your location, (for example, for visitors from California, the United Kingdom, and the European Economic Area), Okta only shares Personal Data with such third parties if you agree to such sharing through a website banner or form. In other parts of the world, this information may be automatically collected when you visit our websites. These categories of third parties include, but are not limited to, advertising networks and social networks. At any time, you may choose to withdraw your decision to share Personal Data with these third parties through our websites by visiting the section on Your Information Choices below. For specific details on these companies’ privacy practices, please visit their privacy policies.

VI. Okta’s Security Posture & Measures Taken

Security is a critical priority for Okta. We maintain a comprehensive, written information security program that contains industry-standard administrative, technical, and physical safeguards designed to prevent unauthorized access to Personal Data.

However, no security system is perfect, and due to the inherent nature of the Internet, we cannot guarantee that data, including Personal Data, is absolutely safe from intrusion or other unauthorized access by others. You are responsible for protecting your password(s) and other authentication factors, as well as maintaining the security of your devices.

If you use the Okta online service via a subscription purchased for you by an Okta customer, then that customer is responsible for configuring your instance appropriately. Additional information about security settings and configurations can be found in the documentation related to our online service, including the Trust & Compliance documentation, which is available at https://www.okta.com/agreements.

VII. International Data Transfers

Your Personal Data may be collected, transferred to, processed, and stored by us in the United States, and by our affiliates and third parties that are based in other countries. The addresses of our offices where Okta, Inc. and its affiliates are located can be found online at https://www.okta.com/contact. The addresses of where Auth0, Inc. and its affiliates are located can be found online at https://auth0.com/about.

 

Some of the countries where your Personal Data may be processed, including the United States, are not subject to an adequacy decision by the European Commission or your local legislature and/or regulator, and may lack data protection laws as comprehensive as or may not provide the same level of data protection as your jurisdiction, such as the European Economic Area, the United Kingdom, or Japan. For example, as of the effective date of this policy, the United States does not have a federal privacy law that covers all types of data; however, privacy is regulated by federal and state agencies and by various state laws. In light of regional differences, Okta has put in place various safeguards and the security measures described above. For example, when we share Personal Data, we take reasonable steps so that the recipient of your Personal Data offers an adequate level of data protection, for example, by entering into the appropriate agreements containing relevant data protection provisions or we will ask you for your prior consent to such international data transfers.

VIII. Children

Okta’s websites are not directed at children. We do not knowingly collect Personal Data from children under the age of 16. If you are a parent or guardian and believe that your child has provided us with Personal Data without your consent, please contact us by using the information in the “How to Contact Us” section, below, and we will take steps to delete such Personal Data from our systems.

IX. How Long Does Okta Keep Your Data?

We will retain your Personal Data for a period of time that is consistent with the original purpose of the data collection, or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We determine the appropriate retention period for Personal Data by considering the amount, nature and sensitivity of your Personal Data processed, the potential risk of harm from unauthorized use or disclosure of your Personal Data and whether we can achieve the purposes of the processing through other means, and on the basis of applicable legal requirements (such as applicable statutes of limitation).

X. Your Information Choices

Your Privacy Choices

In the above sections, we describe how we may collect, use and share your Personal Data for providing relevant content and advertising. Below, we describe how you may unsubscribe, opt-out, or otherwise modify settings related to our processing of your Personal Data.

Direct Email Marketing. 

If you wish to withdraw from direct email marketing communications from Okta, you may click the “unsubscribe” button included in our emails or:

  • Visit our Subscription Center. Please note, you cannot unsubscribe from critical transactional emails that are related to our provision of our online Service (such as those related to security and your Okta account).
  • for the Okta Talent Community, then you may visit our Talent Community unsubscribe page here.
  • For Okta Consumer Products, then you may visit the unsubscribe page here.

Direct Marketing – Phone or Postal Mailings. If you wish to withdraw from phone call or postal mail marketing communications from Okta, please request to do so through our form.

Analytics. To opt-out of analytics on our websites, you may adjust your cookie preferences as described below. For more information on how to opt-out of tracking technology from Google Analytics, click here. To opt-out of Marketo’s tracking technology, click here.

If you are a user of the Okta online service via a subscription purchased for you by an Okta customer, to opt-out of platform-based analytics on an individual level, including participation in the Okta Ideas forum, please contact us at [email protected] or please make a request for this through our form

Cookie Preferences. To manage the use of relevant advertising and other non-essential cookies, please see details below:

  • We use OneTrust as a service provider to help you manage cookies. Click the following Cookies Settings OneTrust preference center to opt-out of relevant advertising and other non-essential cookies. (You may need to adjust your browser or cookie settings to access if you have already made a choice to accept cookies.)
  • You may also adjust your web browser settings to opt-out of non-essential cookies. Please understand that blocking or deleting non-essential cookies may affect our websites’ functionality.
  • Since there is no common standard adopted across the industry or regulators for “Do Not Track” signals, we are not able to commit to responding to requested preference changes.  However, we will continue to monitor developments around this issue.
  • If you came to our websites from personalized advertising, then you may further opt out of interest-based advertising from our advertising vendors through the Digital Advertising Alliance by using the following, applicable link(s): (i) USA; (ii) Europe; (iii) Canada; and (iv) Other regions.

Note that any choice with regards to cookie-based advertising only applies to the web browser through which you exercise that choice. You will continue to see advertising, including potentially from Okta, even if you opt-out of personalized advertising.

Your Privacy Rights

Depending on your jurisdiction, you may have certain rights with respect to your Personal Data that we process in our capacity as a data controller, subject to applicable law:

Right to Access. You have the right to access your Personal Data held by us.

Right to Rectification. You have the right to rectify inaccurate Personal Data and, taking into account the purpose of processing, to ensure it is complete.

Right to Erasure (or “Right to be Forgotten”). You have the right to have your Personal Data erased or deleted.

Right to Restrict Processing. You have the right to restrict our processing of your Personal Data.

Right to Data Portability. You have right to transfer your Personal Data, when possible.

Right to Object. You have the right to object to the processing of your Personal Data that is carried out on the basis of legitimate interests, such as direct marketing.

Right Not to be Subject to Automated Decision-Making. You have the right not to be subject to automated decision-making, including profiling, which produces legal effects. Okta does not currently engage in the foregoing on our websites or in our products and services.

If you would like to make a request and exercise your rights described above or have questions or concerns, please complete our online form or reach out to us using the contact information below. You also have the right to lodge a complaint with your relevant supervisory authority.

Your California Privacy Rights

Under the California Consumer Privacy Act of 2018 (“CCPA”), if you are a California resident, you have rights to understand and request that we disclose how we collect, use, disclose, and sell your Personal Data to the extent permitted by applicable law. If you would like to learn about our verification process, including the details that you must provide to us to verify your request, click here.

Right to Know About Personal Data Collected, Disclosed, or Sold. You have the right to request that we disclose what Personal Data we collect, use, disclose, and sell.

Right to Request Deletion of Personal Data. You have the right to request the deletion of your Personal Data collected or maintained by us as a business.

Right to Opt-Out of the Sale of Personal Data.  You have the right to opt-out of the sale of your Personal Data by us as a business, in the event we sell Personal Data in the future.  Okta does not sell Personal Data and has not sold Personal Data in the 12 months preceding the effective date of this Privacy Policy.

Right to Non-Discrimination for the Exercise of Your Privacy Rights. You have the right not to receive discriminatory treatment by us for the exercise of your privacy rights conferred by the CCPA.

Authorized Agent. You may designate an authorized agent to make a request under the CCPA on your behalf by us with a copy of your power-of-attorney document granting that right.

Financial Incentives. We do not provide any financial incentives tied to the collection, sale, or deletion of your Personal Data.

If you would like to make a request and exercise your rights described above, please complete our online form, or contact us via the telephone number listed in the section below. If you would like to opt-out of Personal Data sharing with marketing and advertising third parties through the use of cookies, please see the section above on Your Privacy Choices.

XI. How to Contact Okta

If you would like to contact us with questions or concerns about our privacy policies and practices, you may contact us via any of the following methods:

Online Form: Click here.

Email: [email protected]

Toll-free Number (USA): 888-655-1161

Mailing Address: 

Okta, Inc.

ATTN: Okta Data Protection Officer (Okta Privacy Team)

100 First Street, Floor 6

San Francisco, CA 94105 

USA

Okta UK Limited

ATTN: Okta Data Protection Officer (Okta Privacy Team)

20 Farringdon Road

ECIM 3HE 

United Kingdom

Okta Japan K.K.

ATTN: Okta Data Protection Officer (Okta Privacy Team)

45F, Shibuya Scramble Square

2-24-12 Shibuya

Shibuya-ku, Tokyo, Japan, 150-6139

A representative director for Okta in Japan is Takashi Watanabe.

Accessibility

If you are not able to access our form, you may request that a copy be provided to you in an alternative format by calling 888-655-1161 (USA toll-free) or by emailing [email protected].

XII. Changes to the Policy

This Privacy Policy may be updated from time to time, to reflect changes in our practices, technologies, additional factors, and to be consistent with applicable data protection and privacy laws and principles, and other legal requirements. If we do make updates, we will update the “effective date” at the top of this Privacy Policy webpage. If we make a material update, we may provide you with notice prior to the update taking effect, such as by posting a conspicuous notice on our website or by contacting you using the email address you provided.

For the 2021 archived Privacy Policy, please visit https://www.okta.com/privacy-policy/2021-archived/