Data Processing Addendum | Policy

Last Updated Date: December 21st, 2022

This Instructure Data Processing Addendum (“DPA”) forms part of the Instructure Services Order Form and Instructure Standard Terms and Conditions, or other written or electronic agreement (“Agreement”) between Customer Instructure, Inc., or its Affiliates (collectively “Instructure”) (each a “Party”, collectively “Parties”). The Parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. In case of any discrepancy or conflict between this DPA and the Agreement, this DPA shall prevail. In case of any discrepancy between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. Any capitalized terms not defined herein shall have the meanings set forth in the Agreement.

How this DPA Applies: Instructure provides the Services (as defined in the Agreement) to Customer which may include the Processing of Personal Data by Instructure during the provision of the Services. This DPA does not replace any rights related to the Processing of Customer Personal Data previously negotiated by Customer in the Agreement. Instructure agrees to comply with this DPA with respect to any Customer Personal Data Processed by Instructure in the provision of the Services under applicable Data Protection Laws. 

  1. DEFINITIONS. In this DPA, the following terms shall have the meanings set out below:
    1. Affiliates” means any entity which is controlled by, controls or is in common control with a Party. 
    2. Customer Personal Data” means Personal Data provided by or on behalf of Customer to be Processed by Instructure in connection with providing the Services.
    3. Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. 
    4. Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller. 
    5. Data Protection Laws” means the laws and regulations which are applicable to the Processing of Personal Data under the Agreement. 
    6. Data Subject” means an individual whose Personal Data is being processed by the Data Processor under the Agreement.
    7. EEA” means the European Economic Area, consisting of the Member States of the European Union and Iceland, Liechtenstein, and Norway.
    8. GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and the UK equivalent.
    9. Personal Data” means any information relating to an identified or reasonably identifiable person. 
    10. Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning). 
    11. Sell,” “Selling,” “Sale,” and “Sold” shall have the meanings provided under applicable Data Protection Laws. 
    12. Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored, or otherwise processed by Instructure.
    13. “Standard Contractual Clauses” means the contractual clauses issued by the European Commission by implementing decision 2021/914 of 4th of June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, the UK International Data Transfer Addendum (“UK Addendum”), and any similar measures promulgated pursuant to the GDPR to address the transfer of Personal Data to a Third-country and any amendments and replacements thereto as may be promulgated from time to time.
    14. Supplementary Measures” means technical, organizational, and contractual measures as described in EDPB Guideline adopted on 18th June 2021 (“Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”).
    15. Sub-processor” means any Data Processor acting on behalf of Instructure.
    16. Third-country” means a country that is neither part of the EEA nor has been declared adequate by a decision of the European Commission according to the mechanism lined out in Article 45 GDPR.
    17. UK” means the United Kingdom, Wales, and Northern Ireland. 
  2. PROCESSING OF CUSTOMER PERSONAL DATA.
    1. The Parties agree that with regard to the Processing of Customer Personal Data, Customer is the Data Controller and Instructure is the Data Processor, except for certain services provided by Instructure where Instructure is also a Data Controller with respect to the Customer Personal Data. 
    2. Customer shall, in its use or receipt of the Services, process Customer Personal Data in accordance with the requirements of the Data Protection Laws and Customer will ensure that its instructions for the Processing of Customer Personal Data comply with the Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data, the means by which Customer obtained the Customer Personal Data, and for fulfilling all requirements under Data Protection Laws necessary to make the Customer Personal Data available to Instructure for Processing as provided herein and under the Agreement. 
    3. During the Term of the Agreement, Instructure shall only Process Customer Personal Data on behalf of and in accordance with the Agreement and Customer’s written instructions unless required to do so by law to which Instructure is subject; in such case Instructure shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.  
    4. Customer instructs Instructure to Process Customer Personal Data for the following limited and specified purposes: (i) Processing in accordance with the Agreement, any applicable orders, and Data Protection Laws; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement and Data Protection Laws.  Instructure shall not Sell, or share for targeted advertising purposes, Customer’s Personal Data except as expressly instructed by Customer.  Instructure shall not combine Customer Personal Data with other Personal Data except as permitted by Data Protection Laws.
    5. The objective of Processing of Customer Personal Data by Instructure is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Appendix 1, Annex I B. 
    6. If Instructure determines that it can no longer comply with Data Protection Laws, Instructure will notify Customer within five (5) business days of making such determination.
  3. ASSISTANCE TO CUSTOMER AND RIGHTS OF DATA SUBJECTS. 
    1. To the extent Customer, in its use or receipt of the Services, does not have the ability to take steps required to comply with Data Protection Laws, including without limitation correcting, amending, restricting, blocking or deleting Customer Personal Data, and implementing reasonable security procedures or practices designed to protect Customer Personal Data, as and to the extent required by the Data Protection Laws, Instructure will use commercially reasonable efforts to comply with reasonable requests by Customer to facilitate such actions to the extent Instructure is legally permitted to do so, taking into account the nature of the Processing of Customer Personal Data and the information available to Instructure.  
    2. Instructure shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the processing of that person’s Personal Data. Instructure shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer or as otherwise required by Data Protection Laws. Instructure shall provide Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request, to the extent legally permitted and to the extent Customer does not have access to such Customer Personal Data through its use or receipt of the Services, taking into account the nature of the Processing of Customer Personal Data and the information available to Instructure.
  4. PROCESSOR PERSONNEL.
    1. Instructure shall use commercially reasonable efforts to ensure that its personnel engaged in the Processing of Customer Personal Data are subject to obligations of confidentiality. 
    2. Instructure shall use commercially reasonable efforts to ensure that access to Customer Personal Data is limited to those personnel who require such access to perform the Services. 
  5. SUB-PROCESSORS.
    1. Instructure shall not transfer or otherwise make available Customer Personal Data to any third party without Customer's prior authorization.
    2. Upon signing of the DPA, Customer gives its general authorization to Instructure to use Instructure Affiliates as Sub-processors; and third-party Sub-processors in connection with the provision of the Services provided that the following conditions are met:
      1. Instructure shall ensure that obligations not materially less protective than those set out in this DPA are imposed on Sub-processors by way of a written contract;
      2. Instructure remains liable towards Customer for the work of its Sub-processors as if and to the extent such work was performed by Instructure;
      3. Instructure shall provide the list of its Sub-processors by giving a link to a website where the information about the Sub-processors is kept up to date; and
      4. Instructure shall inform Customer of any intended changes to Sub-processors concerning the addition or replacement of Sub-processors.  To the extent required by Data Protection Laws, Instructure shall thereby give Customer the opportunity to object to such changes by notifying Instructure in writing within 30 days after the receipt of Instructure’s notice about the changes, and if, within 20 days of receipt of that notice, Customer notifies Instructure in writing of any objections on reasonable grounds to the proposed engagement of a Sub-processor, Instructure shall not use that proposed Sub-processor to Process Customer Personal Data until reasonable steps have been taken to address the objections raised by Customer and Customer has been provided with a reasonable written explanation of the steps taken.
  6. INTERNATIONAL DATA TRANSFERS 
    1. Customer acknowledges and agrees that Instructure is established in a Third Country and that providing the Services defined in the Agreement require transfer to, and Processing of Customer Personal Data within, a Third Country. All transfers to a Third Country are subject to the following conditions:
      1. Customer has given prior authorization for the transfer by signing the Agreement as documented in Appendix 1; 
      2. The Customer Personal Data is Processed under the terms of the Agreement;
      3. There is a valid transfer mechanism in place in accordance with the GDPR; and
      4. Instructure shall implement the Supplementary Measures, where necessary.
    2. EU/UK Standard Contractual Clauses: The valid transfer mechanism referred in Section 6.1(iii) is, where Instructure acts as a Processor and Customer acts as a Controller, the Standard Contractual Clauses, Module TWO: Transfer Controller to Processor; where Instructure acts as a Controller and Customer acts as a Controller, the Standard Contractual Clauses, Module ONE: Transfer Controller to Controller; and in both cases, the UK Addendum thereto attached as Appendix 2, and all of the foregoing are deemed to be incorporated herein by reference as set forth below. In respect of the Standard Contractual Clauses, the Parties agree on the following:
      1. in clause 7, the Parties choose to include the “docking clause”;
      2. where Module Two applies, in clause 9, the Parties choose Option 2: “general written authorization”;
      3. where Module Two applies, in clause 9, the Parties choose twenty (20) days as the specific time period;
      4. in clause 11, the Parties do not choose the optional complaint mechanism;
      5. in clause 17, the governing law is the law of the EU Member State :
        1. Option 1: Where Customer is established in an EU Member State, the law in that EU Member State;
        2. Option 2: Where Customer is not established in an EU Member State but has appointed a representative pursuant to Article 27(1) of the GDPR, the law in the EU Member State in which the Customer’s representative is located;
        3. Option 3: Where the data exporter is not established in an EU Member State and is not required to appoint a representative pursuant to Article 27(2) of the GDPR, the law of Hungary, or as defined in the Agreement; and
      6. in clause 18, the country of the applicable court in respect of any disputes arising from Standard Contractual Clauses is the courts of the EU Member State in which in which the Parties have denoted choice of law per 6.2(v) above.
    3. To the extent that Instructure uses a Sub-processor in a Third-Country for the Processing of Customer Personal Data, the following shall apply in addition to Section 5 above:
      1. Customer has given prior authorization for the transfer by signing the DPA; 
      2. There is a valid transfer mechanism in place in accordance with the GDPR; and
      3. Instructure makes information on the transfer mechanism, and where applicable, the Standard Contractual Clauses, available without undue delay to Customer. 
  7. SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS.
    1. Instructure shall maintain technical and organizational measures designed to protect of the security, confidentiality, and integrity of Customer Personal Data. 
    2. No more than once per year, Customer may engage a mutually agreed upon third party to audit Instructure solely for the purposes of meeting its audit requirements pursuant to the Data Protection Laws. To request an audit, Customer must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to privacy@Instructure.com. The audit must be conducted during regular business hours, subject to Instructure’s policies, and may not unreasonably interfere with Instructure’s business activities. Any audits are at Customer's expense.
    3. Any request for Instructure to assist with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law.  Customer shall reimburse Instructure for any time spent for any such audit at the rates agreed to by the Parties. Before the commencement of any such audit, Customer and Instructure shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, considering the resources expended by Instructure. Customer shall promptly notify Instructure with information regarding any non-compliance discovered during an audit.
    4. Instructure will reasonably cooperate with Customer, at Customer’s expense, where Customer is conducting a privacy impact assessment that is required by Data Protection Laws.
  8. SECURITY BREACH MANAGEMENT AND NOTIFICATION. 
    1. In the event of a Security Breach, Instructure shall: (i) notify Customer of the Security Breach without undue delay after becoming aware of the Security Breach. Notification shall include at least the information required by the Data Protection Laws; (ii) investigate the Security Breach and provide Customer with information about the Security Breach; and (iii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach and to allow Customer to take reasonable and appropriate steps to do the same to the extent such steps are within Customer’s control.
    2. Instructure shall cooperate with Customer, and with any third parties designated by Customer, to respond to the Security Breach.
  9. RETURN AND DELETION OF CUSTOMER DATA.
    1. Instructure shall provide functionality for Customer to download Customer Personal Data from the Services, to the extent possible, and/or delete Customer Personal Data in accordance with Instructure’s data retention policies which adhere to requirements of the Data Protection Laws, and in a manner consistent with the terms of the Agreement.
  10. SEVERANCE.
    1. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
  11. LEGAL EFFECT.
    1. This DPA shall only become legally binding between Customer and Instructure when the Parties the Agreement for the Services.
  12. LIMITATION OF LIABILITY.
    1. To the extent permitted by Data Protection Laws, Customer’s remedies with respect to any breach by Instructure of the terms of this DPA or Data Protection Laws will be subject to any aggregate limitation of liability that applies to Instructure and/or Customer under the Agreement.

APPENDIX 1 - EU STANDARD CONTRACTUAL CLAUSES

ANNEX I

A.   LIST OF PARTIES

Data exporter(s): As defined in the Agreement

Name: As defined in the Agreement

Address: As defined in the Agreement

Contact person’s name, position and contact details: As defined in the Agreement

Activities relevant to the data transferred under these Clauses: As defined in the Agreement

Signature and date: As defined in the Agreement 

Role: Controller

     

Data importer(s): As defined in the Agreement

Name: As defined in the Agreement

Address: As defined in the Agreement

Contact person’s name, position, and contact details: As defined in the Agreement 

Activities relevant to the data transferred under these Clauses:

The data importer provides a Software-as-a-Service Internet accessible learning management software, for use by the data exporter as described in the Agreement.

Signature and date: As defined in the Agreement 

Role:  Processor 

B.   DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

Users of the services as authorized by the data exporter. 

Categories of personal data transferred:

Canvas LMS & Canvas for Corporate Education Data (including mobile applications):

- Name (e.g., John Doe) 

 - Username/ID

 - Password

- Short Name (e.g., John) 

- Email (e.g., John.Doe@awesomeu)

- School Name (e.g., Awesome University)

- School Position (e.g., Student) 

- Avatar URL (e.g., URL of Avatar image) 

- Pronouns (e.g., she/her) (Optional) 

- Locale (e.g., en - language selection) 

- Browser Locale (e.g., en, browser language setting) 

- Country Code (e.g., CAN) 

- Submitted content (e.g., research paper, assignments) 

- Assessment results (e.g., 86%) 

- Course results (e.g., B+) 

- Conversation comments (e.g., discussion) 

- Course content (e.g., Lesson #4) 

- IP Address (e.g., 127.0.0.1) 

- Messages (e.g., notifications and course conversations)

    - Video content created by the user (e.g., images, voice recording, comments)

Canvas Commons:

  • Canvas User Id
  • Canvas User Login name
  • Name (e.g., John Doe) 
  • Email (e.g., John.Doe@awesomeu)
  • Avatar Url (e.g., URL of Avatar image)
  • Commons resource ids favorited by the user
  • Comments the user made to any resources
  • IP Address (e.g., 127.0.0.1)

Canvas Catalog:

  • Credit card processing token via third party credit card processor
  • Canvas LMS User ID
  • Order ID
  • Account ID
  • Item ID and Item Type (e.g., Intro to Statistics, online class)
  • Name (e.g., John Doe) 
  • Email (e.g., John.Doe@awesomeu)
  • External ID (Canvas enrollment ID)
  • Canvas Root Account ID (Institution ID)
  • Product ID (e.g., class name/ID)
  • Class Completed Date
  • Enrollment status
  • Purchase date

Canvas Studio:

  • Video content created by the user (e.g., images, voice recording, comments)
  • Name (e.g., John Doe) 
  • Email (e.g., John.Doe@awesomeu.com
  • Canvas LMS User ID
  • Username/ID
  • Password
  • Messages

Canvas Credentials:

  • Name (e.g., John Doe) 

-  Email (e.g., John.Doe@awesomeu)

 - Physical address of badge recipients

 - Phone number of badge recipients

 - IP address 

 - Badge information such as issuing institution or program

 - User name and password

Elevate Data (Elevate Data Quality, Elevate K-12 Analytics, Elevate Standards Alignment, Elevate Data Sync):

  • All data from the Student Information System authorized by the applicable customer engagement.

Impact by Instructure Data:

  • User ID
  • Password
  • School role (e.g., student, teacher)
  • Full name (e.g, first, middle, last)
  • Student ID number
  • Email address (e.g., John.Doe@awesomeu)
  • School Name (e.g., Awesome University)
  • Education Level
  • Birthdate (Optional) 
  • Language (e.g., Eng)
  • Zip code
  • City (e.g., London)
  • Country (e.g., CAN)
  • State 
  • Browser Locale (e.g., en, browser language setting)
  • Profile Image (Optional)
  • Gender (Optional)
  • Learning Management System Username
  • Slack notifications (Administrators)
  • Application activity (e.g., page clicks in the application)

Mastery Data (Item Bank, Mastery View Predictive Assessmntes, Mastery View Interim Assessments, Mastery Connect):

  • Name (e.g., John Doe) 
  • School Student ID Number
  • State Student ID Number
  • Username/ID
  • Password
  • Short Name (e.g., John) 
  • Email (e.g., John.Doe@awesomeu)
  • Phone Number (Optional) 
  • School Name (e.g., Awesome University)
  • School Position (e.g., Student) 
  • Assessment results (e.g., 86%)
  • Birthdate
  • Race (e.g., Hispanic, White, Asian)
  • Ethnicity (e.g, Native Hawaiian, Irish, Austrian)
  • English Language Learner status (True/False/Null)
  • Individualized Education Program status (True/False/Null)
  • Free or reduced lunch status (True/False/Null)

Sensitive data transferred:

None

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):

Continuous for the duration of the Agreement.

Nature of the processing:

Performance of the Services described in the Agreement.

Purpose(s) of the data transfer and further processing:

Processing Customer Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by Data Subjects as required under EU/UK Data Protection Law; and (iii) Processing to comply with other documented, reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.

 

Instructure’s data centers for the Services are in the following regions for EU, EEA, or UK based customers: Ireland and/or Germany.

Canvas Commons is hosted in the USA exclusively.

Instructure’s limited Processing that occurs outside of the European Union is related to the following activities: 

  • Contract Management. This Processing includes providing contract and customer relationship management services.
  • Customer Support. This Processing includes user helpdesk support and technical operations support. Instructure’s user support ticketing system is hosted in the USA. Any Customer Personal Data submitted through a support ticket is stored and Processed in the USA. 
  • Professional Services. This Processing includes integration services, implementation services, and configuration services as purchased by Customer.
  • Engineering and Security Support. This Processing includes, user issue tickets, application logs, security logs, database logs, systems logs, and security alerting tools may be reviewed by security and engineering personnel located in the EU, USA, and UK. 
  • Data Anonymization for Internal Analytics. Instructure transfers Services databases to its data center in the USA for a period of 48 hours where Customer Personal Data is anonymized prior to being used by Instructure. 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Processor will process Customer Personal Data for the duration of the Agreement. Upon termination of the Agreement, it will be deleted in accordance with this DPA or the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: 

The duration will be until the termination of the Agreement.

C.   COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13: The competent supervisory authority is the supervisory authority denoted in Section 6.2 of the DPA. 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Instructure’s technical and organizational measures are described at: https://www.instructure.com/products/canvas/security

ANNEX III

LIST OF SUB-PROCESSORS

This Annex must be completed in case of the specific authorization of sub-processors (Clause 9(a), Option 1).  

APPENDIX 2

UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Start date

The effective date of the DPA to which this Addendum has been attached

The Parties

Exporter (who sends the Restricted Transfer)

Importer (who receives the Restricted Transfer)

Parties’ details

Full legal name: As described in the Agreement.

Trading name (if different): As described in the Agreement.

Main address (if a company registered address): As described in the Agreement.

Official registration number (if any) (company number or similar identifier): As described in the Agreement.

Full legal name: As described in the Agreement.

Trading name (if different): As described in the Agreement.

Main address (if a company registered address): As described in the Agreement.

Official registration number (if any) (company number or similar identifier): As described in the Agreement.

Key Contact

Full Name (optional): As described in the Agreement.

Job Title: As described in the Agreement.

Contact details including email: As described in the Agreement.

Full Name (optional): As described in the Agreement.

Job Title: As described in the Agreement.

Contact details including email: As described in the Agreement.

Signature (if required for the purposes of Section ‎2)

As described in the Agreement.

As described in the Agreement.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

X the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: 

Module

Module in operation

Clause 7 (Docking Clause)

Clause 11
(Option)

Clause 9a (Prior Authorisation or General Authorisation)

Clause 9a (Time period)

Is personal data received from the Importer combined with personal data collected by the Exporter?

1

Yes

Yes

No

      

2

Yes

Yes

No

General

20 days

N/A

3

No

N/A

N/A

N/A

N/A

N/A

4

No

N/A

N/A

    

N/A

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: Appendix 1, Annex IA

Annex 1B: Description of Transfer: Appendix 1, Annex IB

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Appendix 1, Annex II

Annex III: List of Sub processors (Modules 2 and 3 only): Not applicable to a general authorisation to engage subprocessors, but a list of Instructure subprocessors is available as descrived in Section 5.2(iii) of the DPA.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section ‎19:

☒ Importer

☒ Exporter

☐ neither Party

Part 2: Mandatory Clauses

Alternative Part 2 Mandatory Clauses:

Mandatory Clauses

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.

APPENDIX 3: JURISDICTION SPECIFIC TERMS

To the extent that Services involve Customer Personal Data originating from the following countries, the relevant provisions set out below will apply.

  1. Provisions relevant to Turkey
    1. The provisions of this paragraph 1 apply where Instructure processes Customer Personal Data that originates from Turkey.
    2. Instructure will comply with the Turkish Data Protection Act (“Turkish DPA”) numbered 6698 and dated 7 April 2016 and any related regulations, and all decisions of the Turkish Data Protection Authority. 
    3. Instructure will promptly assist the Customer:
      1. by implementing appropriate technical and organizational measures, insofar as this is possible, taking into account the nature of the processing, to fulfil the Customer's obligations to respond to requests from individuals exercising their rights under data protection law which applies to the Customer (such as, but not limited to, rights to rectify, erase, or block Customer Personal Data); and
      2. in ensuring compliance with the Customer's obligations pursuant to Article 12 of the Turkish Data Protection Act (security, notification of personal data breaches to authorities and individuals), taking into account the nature of the processing and the information available to Instructure.
    4. Where Instructure processes, outside of Turkey, Customer Personal Data subject to the Turkish DPA originating from Turkey, then Instructure shall cooperate with Customer with any formalities required by the Turkish Data Protection Authority.
  2. Provisions relevant to Switzerland
    1. The provisions of this paragraph 2 apply where Instructure processes Customer Personal Data that originates from Switzerland.
    2. The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection, as revised (“FADP”).
    3. When Instructure engages a Sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this DPA, it will:
      1. require any appointed Sub-processor to protect the Customer Personal Data to the standard required by applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR, and
      2. require any appointed Sub-processor to (i) agree in writing to only Process Customer Personal Data in a country that Switzerland has declared to have an “adequate” level of protection or (ii) only process Customer Personal Data on terms equivalent to the EU Standard Contractual Clauses.
    4. To the extent that Customer Personal Data transfers from Switzerland are subject to the EU Standard Contractual Clauses, the following amendments will apply to the EU Standard Contractual Clauses:
      1. references to "EU Member State" and "Member State' will be interpreted to include Switzerland, and
      2. insofar as the transfer or onward transfers are subject to the FADP:
        1. references to "Regulation (EU) 2016/679" are to be interpreted as references to the FADP;
        2. the "competent supervisory authority" in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
        3.  in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
        4. in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
  3. Provisions relevant to Australia
    1. The provisions of this paragraph 3 apply where Instructure processes Customer Personal Data that originates from Australia.
    2. APPs shall mean the Australian Privacy Principles in the Privacy Act.
    3. Personal Information has the meaning given to that term in the Privacy Act.
    4. Privacy Act shall mean the Australian Privacy Act 1988 (Cth).
    5. Instructure shall in respect of any Customer Personal Data it receives or has access to under the Agreement:
      1. comply with the APPs (except for APP 1) as if it were bound by the APPs to the same extent as the Customer; and
      2. without limiting sub-paragraph (i), enter into a similar contractual arrangement with any third party to whom it discloses the Personal Information (whereby the third party agrees to comply with the APPs in respect of such information (except for APP 1) as if that third party were bound by the APPs to the same extent as the Customer).
  4. Provisions relevant to Hong Kong
    1. The provisions of this paragraph 4 apply where Instructure processes Customer Personal Data that originates from Hong Kong.
    2. To the extent that Instructure carries out direct marketing on behalf of the Customer, Instructure shall implement effective measures designed to inform data subjects of the scope of the marketing and provide effective means designed to allow data subjects to give consent in accordance with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO").
    3. Instructure shall comply with the data retention requirement (DDP2) and data security requirement (DPP4) as contained in the PDPO.
  5. Provisions relevant to India
    1. The provisions of this paragraph 5 apply where Instructure processes Customer Personal Data that originates from India.  When Providing the Services, Instructure shall comply with the requirements of the Information Technology Act 2000, the Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (each as amended, modified, supplemented from time to time) as applicable to a body corporate, and any other laws, rules, regulations, notifications, judgements relating to data protection or privacy that are in force as of date of the Agreement, or that may be brought into force in India at any time in the future during the term of the Agreement.
  6. Provisions relevant to Japan
    1. The provisions of this paragraph 6 apply where Instructure processes Customer Personal Data that originates from Japan.
    2. Instructure shall not obtain any Customer Personal Data from the Customer in Japan or another party through any deceptive, fraudulent, or other wrongful means. 
    3. Instructure shall make a reasonable effort to ensure that the transferred Customer Personal Data is accurate and up to date and within the scope necessary to perform the Services.
    4. Instructure will take the appropriate technical and organizational security measures designed to adequately protect all Customer Personal Data in Japan against not only misuse and loss, but also leakage and damage, in accordance with any relevant Order, the Agreement, this DPA, and the Act on the Protection of Personal Information (Act No. 57 of 2003, as amended) (the “APPI”).
    5. Instructure will implement appropriate technical and organizational measures, insofar as this is possible taking into account the nature of the processing, to fulfil the Customer’s obligations to respond to requests from individuals exercising their rights under applicable Data Protection Law which applies to the Customer (such as, but not limited to, rights to rectify, erase, or block Customer Personal Data);
    6. If Instructure acquires Customer Personal Data of Data Subjects in Japan directly from those Data Subjects, in connection with the Services by Instructure to those Data Subjects, Instructure will process Customer Personal Data of those Data Subjects in compliance with the APPI and all accompanying regulations and guidelines issued by the Personal Information Protection Commission of Japan, and all other privacy legislation and other laws which the Instructure is subject to, even when it handles Customer Personal Data of those data subjects outside Japan.
    7. Instructure will notify the Customer of any notices, requests, orders or queries from Data Subjects, any data protection or other governmental authority, law enforcement agency, court order or tribunal, which the Customer or Instructure is obliged to comply with under the APPI or other applicable laws to facilitate timely resolution of any matter arising in connection with the foregoing or any related investigation.
  7. Provisions relevant to Malaysia
    1. The provisions of this paragraph 7 apply where Instructure processes Customer Personal Data that originates from Malaysia.
    2. For the purposes of this paragraph 6, “Personal Data”, “Sensitive Personal Data” and “Data User” have the meanings given to those terms in the Personal Data Protection Act 2010.
    3. Instructure shall comply with the Personal Data Protection Act 2010 to the extent that this applies to Data Processors and the Customer Personal Data to be Processed hereunder.
    4. No Personal Data shall be transferred to a country outside Malaysia unless to such country as specified by the Minister by notification published in the Gazette (if any) or with the consent of the data subject or as otherwise permitted in the circumstances as prescribed in the Personal Data Protection Act 2010 with regards to the transfer of Personal Data.
    5. No processing of special categories of data/sensitive data within the meaning of Sensitive Personal Data, including any transfer thereof, may be made without the explicit consent of the data subject or as otherwise permitted in the circumstances as prescribed in the Personal Data Protection Act 2010 with regards to the processing of Sensitive Personal Data.
    6. Instructure will promptly assist the Data User to fulfil the Data User’s obligations to respond to requests from individuals exercising their rights under data protection law which applies to the Data User within the time as prescribed by the Personal Data Protection Act 2010.
  8. Provisions relevant to New Zealand
    1. The provisions of this paragraph 8 apply where Instructure processes Customer Personal Data that originates from New Zealand. Instructure shall comply with the Information Privacy Principles set out in the New Zealand Privacy Act 1993 (as though Instructure were Customer) and shall cooperate with the Customer in a manner designed to ensure that the Customer can meet its obligations (including in relation to information privacy requests and investigations) under that Act.
  9. Provisions relevant to the Philippines
    1. The provisions of this paragraph 9 apply: (i) where Instructure processes Customer Personal Data about a Philippine citizen or resident; (ii) where Instructure, Data Processor or Customer is found or established in the Philippines; (iii) where the processing of Customer Personal Data is done in the Philippines; or (iv) where the processing of Customer Personal Data is done or engaged in by an entity with links to the Philippines.
    2. Instructure will comply with the following obligations:
      1. comply with applicable local laws and regulations and issuances of the Philippine National Privacy Commission;
      2. assist the Customer, by appropriate technical and organizational measures and to the extent possible, to fulfil the obligation to respond to requests by Data Subjects relative to the exercise of their rights;
      3. assist the Customer in ensuring compliance with applicable local laws and regulations and issuances of the Philippine National Privacy Commission, taking into account the nature of processing and the Customer Personal Data available to Instructure;
      4. make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in applicable local laws and regulations; and
      5. immediately inform the Customer if, in its opinion, a Direction from the Customer infringes any applicable local law, regulation or issuance of the Philippine National Privacy Commission.
    3. Instructure shall process Customer Personal Data contained in the Services in Australia and Singapore.
  10. Provisions relevant to Singapore
    1. Instructure shall comply with the Personal Data Protection Act 2012 to the extent that this applies to Data Processors and the Customer Personal Data to be Processed hereunder. Instructure shall host the Customer Personal Data contained in the Services in Australia and Singapore
  11. Provisions relevant to South Korea
    1. The provisions of this paragraph 11 apply: (i) where Instructure processes Customer Personal Data that originates from South Korea; or (ii) where Instructure is an entity located in South Korea.
    2. Instructure will comply with the Personal Data Protection Act (as amended), and the Act on Promotion of Data and Communications Network Utilization and Data Protection, etc., (as amended).
    3. Subject to the limitations and waivers of liability in the Agreement, Instructure shall be liable to the Customer for damages that it causes by any breach of provisions in this DPA.
    4. Instructure hosts the Services in Singapore for customers located in South Korea.
  12. Provisions relevant to Taiwan
    1. The provisions of this paragraph 12 apply where Instructure processes Customer Personal Data that originates from Taiwan or is the Customer Personal Data of Taiwanese national Data Subjects anywhere in the world. Instructure hosts the Services in Singapore for Customers located in Taiwan.
    2. Instructure will comply with the provisions of the current Taiwan Personal Information Act (the “PIPA”), the Enforcement Rules to the Personal Information Protection Act (the “PIPA Enforcement Rules”), and any other data protection regulations currently in force in Taiwan.
    3. Instructure will promptly assist the Customer:
      1. by implementing appropriate technical and organizational measures, insofar as this is possible taking into account the nature of the processing, to fulfil the Customer’s obligations to respond to requests from individuals exercising their rights under the PIPA which apply to the Customer (such as, but not limited to, rights to review, to copy, to rectify, to cease collection, processing, or use, or to erase Customer Personal Data);
      2. in ensuring compliance with the Customer’s obligations pursuant to Article 12 of the PIPA (prompt investigation of data breach and notice to individuals) and any applicable industry-specific regulations issued under Article 27 of the same (including but not limited to any industry-specific duty to notify the regulator of a data breach) taking into account the nature of the processing and the information available to Instructure; and
      3. by immediately informing the Customer if, in Instructure’s opinion, an instruction from the Customer to collect, process, or use Customer Personal Data violates the PIPA.
    4. Instructure shall adopt the technical and organizational measures set forth in Article 12(2) of the PIPA Enforcement Rules proportional to the purpose of the prevention of Customer Personal Data from being stolen, altered, damaged, destroyed or disclosed.
    5. In addition to informing the Customer of any serious interruption of Instructure’s processing operations, any suspicion of security breaches, or violation of the PIPA, the PIPA Enforcement Rules, or other Taiwan data protection regulations, Instructure shall inform the Customer of all remedial measures taken to remedy the interruption, breach, or violation.
    6. Instructure shall comply with any reserved instruction from the Customer and has an obligation to provide information evidencing compliance with any such reserved instruction to the Customer.
  13. Provisions relevant to China
    1. The provisions of this paragraph 13 apply where Instructure processes Customer Personal Data that originates from the People’s Republic of China.
    2. The definition of Customer Personal Data shall include all information specifically identified as "personal information" under the applicable local law.
    3. Instructure shall, at no additional cost, assist each Customer to obtain all consents necessary from the individuals regarding the collection, processing or use of Customer Personal Data in China.
    4. Instructure shall at all times comply with all applicable local law, including if applicable, the Cyber Security Law on the protection of personal information, as if Instructure were the user in respect of all Personal Identifiable Information.
    5. Instructure hosts the Services in Singapore for Customers located in China.
    1. South America: Instructure hosts the Services in the USA for customers located in South America.
  14. Provisions relevant to Brazil
    1. The provisions of this paragraph 14 apply where Instructure processes Customer Personal Data that originates from Brazil.
    2. The definition of “Data Protection Laws” includes the Lei Geral de Proteção de Dados (LGPD).
    3. The definition of “Security Breach” includes a security incident that may result in any relevant risk or damage to Data Subjects.
    4. The definition of “processor” includes “operator” as defined under the LGPD.
    5. To the extent Customer Personal Data is processed through the Internet, the provisions of the Brazilian Internet Act (Law 12,965/2014) must be observed. Instructure will comply with the so-called Habeas Data Law (Law 9,507/1997) to the extent applicable.
  15. Provisions relevant to Chile
    1. The provisions of this paragraph 15 apply where Instructure processes Customer Personal Data that originates from Chile.
    2. Instructure will comply with paragraph 15 of this Appendix 3.
    3. Instructure will comply with the Data Protection Act Nº 19.628, as amended. The substantive provisions of the Data Protection Act entered into force on October 27, 1999, and August 22, 2000.
  16. Provisions relevant to Colombia
    1. The provisions of this paragraph 16 apply where Instructure processes Customer Personal Data that originates from Colombia.
    2. Instructure will comply with paragraph 16 of this Appendix 3.
    3. For the purposes of this paragraph 16:
      1. Colombian GDP” shall mean the Colombian General Data Protection legal framework (Law 1581 of 2012 and Decree 1074 of 2015); and
      2. Customer Persona Data flows between Instructure and Customer will be understood as ‘data transmissions’ under the Colombian GDP.
    4. Instructure will comply with the following obligations:
      1. process Customer Personal Data only for the purposes authorized by the individuals who are the subjects of such information;
      2. process Customer Personal Data pursuant to the Customer’s instructions and privacy notice; and
      3. process Customer Personal Data pursuant to the principles set forth in the Colombian GDP.
  17. Provisions relevant to Mexico
    1. The provisions of this paragraph 17 apply where Instructure processes Customer Personal Data that originates from Mexico.
    2. Instructure will comply with paragraph 17 of this Appendix 3. 
    3. Instructure will comply with the security measures set out in Article 52 of the Mexican Data Protection Regulations (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares) where applicable.
    4. Instructure will process Customer Personal Data in accordance with the privacy notice of the Customer, provided that Customer shall ensure that the Customer’s privacy notice adequately describes the processing of Customer Personal Data by Instructure under the Agreement in a manner compliant with Mexican law.
  18. Provisions relevant to the Republic of Argentina
    1. The provisions of this paragraph 18 apply where Instructure processes Customer Personal Data that originates from the Republic of Argentina.
    2. Instructure agrees to comply with the obligations of a data importer as set out in the model contract titled Contrato Modelo de Transferencia Internacional de Datos Personales con Motivo de Prestación de Servicios adopted by the Data Protection Agency of the Republic of Argentina under Disposition 60 — E/2016 (the 'Argentinian SCCs’) for the transfer of personal data to data processors established in third countries.
    3. Instructure acknowledges that each Customer Affiliate in the Republic of Argentina will be a Customer. In particular, and without limiting the above obligation:
      1. Instructure agrees to grant third party beneficiary rights to Data Subjects, as set out in Clause 3 of the Argentinian SCCs, provided that Instructure's liability shall be limited to its own Processing operations; and
      2. Instructure agrees that its obligations under the Argentinian SCCs shall be governed by the laws of the Republic of Argentina in which the Customer Affiliates that are the data exporter(s) are established; and
      3. the details of the appendices applicable to the Argentinian SCCs are set out in Appendix 1 to this DPA.
    4. For the purposes of Annex A to the Argentinian SCCs, the data exporter is an educational institution; the data importer is an international education technology company and details about the data subjects, categories of data, processing operations and security measures are as set out in Appendix 1 to this DPA.
    5. Instructure shall neither apply nor use the Customer Personal Data for any purpose other than the one specified in this DPA nor shall Instructure, except as permitted in this DPA and the Agreement, communicate to other parties such Customer Personal Data, even for storage purposes. Once the corresponding contractual obligations have been performed, the Customer Personal Data processed must be destroyed, except where there is an express authorization given by the person for account of whom such services are rendered, by reason of a possibility of the Customer Personal Data being used for future services, in which case the Customer Personal Data may be stored under due security conditions for a maximum term of up to two (2) years. The parties agree to adopt confidentiality measures to protect the Customer Personal Data following section 9 of the Data Protection Act and its Regulations. Instructure shall process the Customer Personal Data following only instructions from the Customer.
    1. North America
  19. Provisions relevant to Canada
    1. The provisions of this paragraph 19 apply where Instructure processes Customer Personal Data that originates from Canada.
    2. Instructure shall comply with the Personal Information Protection and Electronic Documents Act and any provincial statute that is declared substantially similar pursuant to section 26(2)(b), where applicable Instructure shall promptly inform Customer if the location where the Customer Personal Data is stored ever changes.