Product-Specific Terms
These Product-Specific Terms are a part of the Order Form under which the Customer ordered the Kong Product. The Order Form and these Product-Specific Terms are governed by the Kong Customer Agreement or other master agreement for the purchase of subscriptions to Kong Products entered into by Customer or an Affiliate of Customer (“Agreement”). If the Customer and Kong have entered into a Kong Cloud Services Addendum, a reference to the Agreement also includes the Kong Cloud Services Addendum.
These Product-Specific Terms adjust certain terms of the Agreement, solely with respect to the applicable Product listed below, if Customer has ordered the Product. Except as otherwise modified in these Product-Specific Terms, all other terms and conditions of the Agreement will remain in full force and effect. All capitalized terms not defined in these Product-Specific Terms will have the meaning given to them in the Agreement. On and after the date of the Order Form, any reference to the Agreement means the Agreement as modified by these Product-Specific Terms. In the event of a conflict between these Product-Specific Terms and the terms of the Agreement less these Product-Specific Terms, these Product-Specific Terms will prevail for the purposes of the applicable Product.
Terms set forth in these Product-Specific Terms as of the effective date of the Customer's applicable Order Form will apply to the Products on that Order Form for the duration of the applicable Subscription Term.
DEFINITIONS
The following definition will apply to these Product-Specific Terms, where applicable:
“Data Processing Addendum” or “DPA” means the then-current data processing addendum found at https://konghq.com/legal/data-protection-addendum (or such updated URL provided by Kong from time to time), unless there is a separately negotiated and signed data processing addendum or agreement with Kong, in which case “Data Processing Addendum” or “DPA” means such separately negotiated and signed addendum or agreement.
KONG GATEWAY ENTERPRISE, KONG MESH
Kong Gateway Enterprise is Kong’s customer self-managed (on-premises) API gateway management software. Kong Mesh is Kong’s customer self-managed (on-premises) service mesh.
Verification. At Kong's request, Customer will promptly provide Kong with (i) a Software-generated report as specified in the Documentation or (ii) provide Kong with data as reasonably requested by Kong, in each case to verify that Customer is using the Software in accordance with this Agreement and any purchased usage limits under an Order Form.
Disablement of Usage Data Telemetry. Customer may choose to disable the feature in the Software which permits transmission of Usage Data to Kong, in which case Kong will not collect Usage Data automatically from the Software.
SBOMs. The Software Bill of Materials, including Third Party Open Source, for Kong Gateway Enterprise is found at https://docs.konghq.com/gateway/latest/support/sbom/ and the Software Bill of Materials, including Third Party Open Source, for Kong Mesh is found at https://docs.konghq.com/mesh/latest/sbom/ (in each case, or such updated URL provided by Kong from time to time).
KONG KONNECT HYBRID
Kong Konnect Hybrid refers to a hybrid SaaS and on-premises deployment where the Customer uses the Kong-hosted Kong Konnect Cloud Service as the control plane for Kong software instances self-managed by the Customer in the Customer Network Environment.
Customer Content Retrieval and Deletion. The following will apply to the exclusion of any term in the Agreement related to post-termination or expiration availability of the Cloud Services or Customer Content:
Customer may access the Cloud Services for 30 days following termination or expiration of the Agreement or Subscription Term (if not renewed) for the sole purpose of retrieving Customer Content. Kong will delete any Customer Content promptly after such period.
KONG KONNECT DEDICATED CLOUD GATEWAYS
Kong Konnect Dedicated Cloud Gateways is a fully-hosted API management Cloud Service, where the Customer uses Kong Konnect as the control plane for single tenant Kong Gateway instances managed by Kong.
With Dedicated Cloud Gateways, the Customer’s network traffic is processed through the single tenant Kong-hosted Kong Gateway instances managed by Kong. This traffic is proxied and not stored or at rest within the hosted Kong Gateway instances other than possible transitory caching.
Customer Content Definition. The definition of Customer Content in the Agreement is replaced with the following:
“Customer Content” means data and information submitted by or for Customer to the Cloud Services, or routed to, passed through, processed and/or cached on or within, or otherwise transmitted or routed using the Cloud Service by or for Customer. Customer Content does not include Account Information or Usage Data.
Personal Data in Customer Content. To the extent that Kong processes Customer Content on behalf of Customer that includes personal data, Kong will handle the personal data in compliance with the DPA.
No Payment Cardholder Information. Customer may not store or process any payment cardholder information (PCI) in its use of the Cloud Services.
No Protected Health Information. Customer may not store or process protected health information (PHI) using the Cloud Services.
Network Traffic. Kong may monitor and inspect the traffic on the Cloud Services, including any related logs as necessary to perform the Cloud Services and to derive and compile Usage Data. To the extent Usage Data includes any personal data, Kong will handle it in compliance with applicable data protection laws.
Customer Content Retrieval and Deletion. The following will apply to the exclusion of any term in the Agreement related to post-termination or expiration availability of the Cloud Services or Customer Content:
Notwithstanding anything in the Agreement, Kong will have no obligation to store, cache or make available through the Cloud Services any Customer Content processed through the hosted Kong Gateway instances on termination or expiration of the Agreement or a Subscription Term (if not renewed); provided, however, that Customer may access the Cloud Services control plane for 30 days following termination or expiration of the Agreement or Subscription Term (if not renewed) for the sole purpose of retrieving Customer Content in the Cloud Services control plane. Kong will delete any Customer Content in the Cloud Services control plane promptly after such period.
KONG KONNECT DEVELOPER PORTAL
Customer Responsible for Content. The developer portal Product is a hosted service. Customer is responsible for all content, including Customer Content, which it submits to or makes available on or through the Product, and for any content its users submit to or make available through the Product. Customer is solely responsible for complying with applicable data protection or privacy laws and regulations including any notice, cookie and consent requirements.
Independently Controlled Data. Kong and Customer are independent data controllers (or similar terms under applicable law) with respect to technical browsing information related to the Customer’s end users’ visits to any developer portal hosted on the Product. This information includes IP addresses, preferences, web pages visited prior, information about an end user’s browser, network or device and information about how an end user interacts with Customer’s hosted developer portal. If applicable law requires, Customer must include or link a legally-compliant privacy policy on its hosted developer portal which must disclose Kong’s use of independently controlled information.
Personal Data in Customer Content. To the extent that Kong processes Customer Content on behalf of Customer that includes personal data, Kong will handle the personal data in compliance with the DPA.
KONG INSOMNIA
Kong Insomnia is a hybrid SaaS and on-prem API development and testing platform. The software is a desktop application, and the SaaS portion provides for central administration and optional storage of API specifications or projects and related data (“Project Data”).
Kong Insomnia also provides local and the Customer’s own Git storage alternatives for Project Data as well as the ability for Customer administrators to centrally control what storage and sharing options Customer teams can use. If local or the Customer’s own Git storage alternatives for Project Data are used by the Customer, Identity management and authentication are still hosted by Kong on the Google Cloud Platform (GCP) in the United States.
Project Data. Project Data is Customer Content if Customer uses the Insomnia Cloud Services to store and share Project Data.
Personal Data in Customer Content. If Kong processes Customer Content on behalf of Customer, then to the extent the Project Data includes personal data, Kong will handle the personal data in compliance with the DPA.
No Payment Cardholder Information or Protected Health Information. Customer may not store or process any payment cardholder information (PCI) or protected health information (PHI) in Project Data through the Cloud Services.
Use of Third-Party Hosting Services. If Customer’s Project Data includes PCI or PHI, the Customer must configure the Product to host the Project Data locally or through the Customer’s own Git storage alternatives.
SBOM. The Software Bill of Materials, including Third Party Open Source, for Kong Insomnia is found at https://docs.insomnia.rest/insomnia/sbom (or such updated URL provided by Kong from time to time).
Customer Content Retrieval and Deletion. The following will apply to the exclusion of any term in the Agreement related to post-termination or expiration availability of the Cloud Services or Customer Content:
Notwithstanding anything in the Agreement, Kong will have no obligation to store, cache or make available through the Cloud Services any Customer Content on termination or expiration of the Agreement or a Subscription Term (if not renewed).