This privacy policy only covers Okta's own website and marketing activities — if you log into an app using Okta or Auth0, your data there is handled under a separate agreement between Okta and that app's operator, not this policy.
This analysis describes what Auth0's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This clause creates a carve-out from the general privacy policy framework, establishing that customer-specific data processing obligations are defined through individual service agreements rather than through this public-facing policy. This distinction separates Okta's obligations as a data controller under this policy from its obligations as a processor under customer contracts.
If your personal data — including login history, device information, and access logs — is processed through an Okta-powered application, this policy does not protect you; you must seek rights through the application operator, who may have separate and less visible data practices.
Auth0 has changed this document before.
"This Privacy Policy does not apply to personal data that Okta processes on behalf of its customers as a data processor or service provider in connection with Okta's identity products and platform services, which are governed by the applicable agreements between Okta and its customers." — Excerpt from Auth0's Auth0 Privacy Policy
(1) REGULATORY FRAMEWORK: This carve-out implicates GDPR Art. 28 (processor obligations), GDPR Art. 26 (joint controller arrangements where applicable), CCPA/CPRA §1798.140(j) (service provider definition), and raises questions under GDPR Arts. 12-22 regarding which entity is the appropriate contact for data subject rights. The Irish DPC and UK ICO are primary enforcement authorities for EU/UK data subjects. (2)
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Auth0.