Data Processing Addendum | Policy

Last Updated: 01 October 2024

To see the previous version of the DPA please view here. If the Customer has signed an agreement with Instructure prior to 01 October 2024, the DPA dated December 21st 2022, shall apply. For any agreements signed on, or after 01 October 2024, this DPA shall apply.

This Instructure Global Data Processing Addendum (“DPA”) forms part of the Agreement between Customer (as defined below) and Instructure, Inc., (or its Affiliates, collectively “Instructure”) (each a “Party”, collectively “Parties”). 

The Parties hereby agree that this DPA shall be added as an addendum to the Agreement (defined below in Section 1). In case of any discrepancy or conflict between this DPA and the Agreement, this DPA shall prevail regarding the subject matter herein. Any capitalized terms not defined herein shall have the meanings set forth in the Agreement.

How this DPA Applies: This DPA consists of two parts - the main body of the DPA and the Schedules. The Schedules apply as described in each Schedule.

  • Schedule 1 – Data Processing Schedule
  • Schedule 2 – U.S. K-12 & Higher Education Addendum
  • Schedule 3 – EEA & UK Addendum
  • Schedule 4 – Jurisdiction Specific Addendum
  • Schedule 5 – LearnPlatform Research Services Customer Addendum
  1. Definitions. In this DPA, the following terms shall have the meanings set out below:
    1. “Affiliate(s)” means any entity which is controlled by, controls, or is in common control with a Party.
    2. “Agreement” means the Instructure Services Order Form, Instructure Standard Terms and Conditions, or other written or electronic agreement in effect between the Parties.
    3. “Account Data” means the Personal Data of Customer employees, personnel, contractors, business contacts, and/or agents that relates to Customer’s relationship with Instructure, including without limitation the names or contact information of such individuals authorized by Customer to access Customer’s account for or on behalf of Customer, and contact and billing information of individuals that Customer has associated with its account. Account Data also includes without limitation any Personal Data Instructure may need to Process to perform support services, or as part of its legal obligation to retain records.
    4. “Customer” means the entity that signed an Agreement with Instructure.
    5. “Customer Personal Data” means Personal Data provided by or on behalf of Customer to be Processed by Instructure as a Processor in connection with providing the Services and excludes Account Data.
    6. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
    7. “Processor” means the entity which Processes Personal Data on behalf of a Controller.
    8. “Data Protection Laws” means the laws and regulations which are applicable to the Processing of Personal Data under the Agreement.
    9. “Data Subject” means an individual whose Personal Data is being processed by Instructure under the Agreement.
    10. “Data Subject Request” means a request from or on behalf of a Data Subject to exercise its rights granted to a Data Subject under Data Protection Laws.
    11. “De-Identified Data” and “De-Identification” means data and information where all Personal Data has been removed or obscured, such that the remaining information does not reasonably identify a specific individual, including, but not limited to, any information that, alone or in combination is linkable to a specific Data Subject.
    12. “Personal Data” means any information relating to an identified or reasonably identifiable person.
    13. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
    14. “Sell,” “Selling,” “Sale,” and “Sold” shall have the meanings provided under Data Protection Laws.
    15. “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed by Instructure.
    16. “Services” means Instructure’s proprietary software as a service offering(s) made available through a URL in a hosted environment made available by or on behalf of Instructure to Customer and identified in the Agreement.
    17. “Sub-processor(s)” means any third-party processing Customer Personal Data for or on behalf of Instructure.
  2. Term and Termination. This DPA is effective upon the signature date on the Agreement by the Customer and shall remain in effect until the Agreement is terminated, or until Instructure deletes all Customer Personal Data.
  3. Processing Of Personal Data.
    1. Instructure as Processor for Customer Personal Data.  The Parties agree that with regard to the Processing of Customer Personal Data, Customer is the Controller and Instructure is the Processor. The objective of Processing of Customer Personal Data by Instructure as Processor is the performance of the Services pursuant to the Agreement. Instructure shall only Process Customer Personal Data on behalf of and in accordance with the Agreement and Customer’s written instructions unless required to do so by law to which Instructure is subject; in such case Instructure shall inform the Customer of that legal requirement before processing, unless that law prohibits such notification. Instructure shall comply with applicable Data Protection Laws, including, where required by such laws, by providing the same level of privacy protection required of Customer under such laws. As between Instructure and Customer, Customer retains all ownership of Customer Personal Data.
    2. Customer Instructions.  Customer instructs Instructure to Process Customer Personal Data for the following purposes: (a) Processing in accordance with the Agreement and Data Protection Laws; and (b) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement and Data Protection Laws. Instructure shall promptly notify Customer in the event Instructure determines that any Customer instructions violate Data Protection Laws. If Instructure determines that it can no longer comply with Data Protection Laws, Instructure will promptly notify Customer.
    3. Consents for the Processing of Customer Personal Data. Customer represents, warrants, and covenants that it has complied with all applicable Data Protection Laws, including without limitation providing all notices and obtaining all consents and rights necessary under applicable Data Protection Laws for Instructure to Process any Customer Personal Data in its provision of the Services. In the event Customer determines that the foregoing representation, warranty and covenant is untrue with respect to any Customer Personal Data, Customer will promptly notify Instructure. Unless prohibited by applicable laws, Customer shall indemnify Instructure from and against all claims, directly resulting from any material breach of this Section 3.3 by Customer, its employees, agents, contractors, Sub-processors, or subcontractors. A breach of this Section 3.3 shall be considered a material breach of this DPA.
    4. Instructure as a Controller for Account Data.  The Parties agree that with regard to the processing of Account Data, Customer and Instructure are both independent Controllers (and not joint Controllers). Instructure will process Account Data as a Controller in order to (a) manage and administer the relationship with Customer; (b) carry out Instructure’s business operations, such as and without limitation, billing, accounting, and filing taxes; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) provide end-user support services; (e) comply with Instructure’s legal or regulatory obligations; (f) exercise its rights and carry out its obligations under the Agreement; (g) improve, troubleshoot, and market its products and services; and (h) as otherwise permitted under applicable Data Protection Laws and in accordance with this DPA, the Agreement, and the Instructure Product Privacy Notice.
    5. No Sale.  Instructure shall not Sell, or share for targeted advertising purposes, Customer Personal Data except as expressly instructed by Customer. Instructure shall not combine Customer Personal Data with other Personal Data except as permitted under Data Protection Laws. Instructure shall not collect, retain, use, or otherwise disclose Customer Personal Data outside of the direct business relationship with Customer, and shall only Process Customer Personal Data for limited and specified purposes consistent with this DPA and the Agreement.
    6. Customer Obligations.  Customer shall, in its use or receipt of the Services, Process Customer Personal Data and Account Data in accordance with applicable Data Protection Laws and Customer will ensure that its instructions for the Processing of Customer Personal Data comply with applicable Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and Account Data; the means by which Customer obtained the Customer Personal Data and Account Data; and for fulfilling all requirements under Data Protection Laws necessary to make the Customer Personal Data and Account Data available to Instructure for Processing as provided herein and under the Agreement. Customer shall notify Instructure promptly of any known unauthorized access to the Services. Customer will assist Instructure in any efforts by Instructure to investigate and respond to any unauthorized access to the Services.
    7. Jurisdiction Specific Terms.  To the extent that Instructure Processes Personal Data originating from one of the jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms), the terms specified in Schedule 4 (Jurisdiction Specific Terms) with respect to the applicable jurisdiction(s) apply in addition to the terms of this DPA.
  4. Assistance To Customer and Data Subject Rights. 
    1. To the extent Customer in its use or receipt of the Services, does not have the ability to take steps required to comply with Data Protection Laws, including (a) fulfilling Data Subject Requests, and (b) implementing reasonable security designed to protect Customer Personal Data, Instructure will use commercially reasonable efforts to comply with reasonable requests by Customer to the extent required by the Data Protection Laws and Instructure is legally permitted to do so, taking into account the nature of the Processing of Customer Personal Data and the information available to Instructure.  
    2. Instructure shall to the extent legally permitted, promptly notify Customer if it receives a Data Subject Request. Instructure shall not respond to any Data Subject Request relating to Customer Personal Data without Customer’s prior written consent except to confirm that the request relates to Customer or as otherwise required by Data Protection Laws. Instructure shall provide Customer with commercially reasonable assistance in handling a Data Subject Request, to the extent (a) legally permitted, and (b) Customer does not have access to such Customer Personal Data through its use or receipt of the Services, taking into account the nature of the Processing of Customer Personal Data and the information available to Instructure.
    3. Instructure shall, upon written notice, use reasonable efforts to permit Customer to take reasonable and appropriate steps to (a) stop and remediate unauthorized processing of Customer Personal Data upon notice of same, and (b) ensure that Instructure Processes Customer Personal Data in a manner consistent with Customer’s obligations under Data Protection Laws.
  5. Instructure Personnel. Instructure shall use commercially reasonable efforts to ensure that its employees engaged in the Processing of Customer Personal Data are subject to either contractual or statutory obligations of confidentiality, and that access to Customer Personal Data is limited to those employees who require such access to perform the Services. Instructure shall ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data and have received appropriate training on their responsibilities. As required by Data Protection Laws, Instructure shall ensure that its employees have gone through appropriate background checks prior to accessing Customer Personal Data. Instructure shall take commercially reasonable steps to ensure the reliability of any Instructure personnel engaged in the Processing of Customer Personal Data.
  6. Sub-processors.
    1. Except as permitted in this DPA or the Agreement Instructure shall not transfer or otherwise make available Customer Personal Data to any third-party without Customer's prior written authorization.
    2. Customer gives its general authorization to Instructure to use Instructure Affiliates as Sub-processors, and Sub-processors in connection with the provision of the Services provided that; (a) Instructure shall ensure that obligations not materially less protective than those set out in this DPA are imposed on its Sub-processors; (b) Instructure shall be liable towards Customer for the acts and omissions of its Sub-processors as if, and to the same extent Instructure would be liable if performing the services of each Sub-processor directly under the terms of this DPA, unless otherwise set forth in the Agreement; and (c) Instructure shall provide the list of its Sub-processors either upon request, or by giving a link to a website where the information about the Sub-processors is kept up-to-date.
    3. Instructure shall inform Customer of any replacement or addition to its Sub-processors at least 30 days prior to such change. Customer may object to such changes (on reasonable grounds) by notifying Instructure in writing within 30 days after the receipt of Instructure’s notice. Instructure shall not use the proposed Sub-processor to Process Customer Personal Data until reasonable steps have been taken to address Customer’s objections and Customer has been provided with a reasonable written explanation of the steps taken. 
  7. Security; Audits; Data Protection Impact Assessments.
    1. Security.  Instructure shall maintain appropriate technical and organizational measures for the protection of security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data or Account Data) confidentiality, and integrity of Customer Personal Data and Account Data as set forth in the Instructure security documentation. Instructure regularly monitors compliance with these measures. Instructure will not materially decrease the overall security of the Services during the term of the Agreement.
    2. Audits.  Customer will first use all reasonable efforts to satisfy Customer audit needs through (a) copies of Instructure’s most recently completed SOC-2 Type II audit report, its public ISO 27001 certificate; (b) a summary of Instructure’s operational practices related to data protection and security; (c) summary of the most recent annual penetration test; and (d) making Instructure’s personnel reasonably available for security-related discussions.
      1. No more than once annually, Customer may engage a mutually agreed upon third party to audit Instructure solely for the purposes of meeting its audit requirements pursuant to Data Protection Laws (“Audit”) provided that, Customer or its third-party representatives are contractually bound by obligations of confidentiality for such Audit information. Customer must promptly provide Instructure with information regarding any non-compliance discovered during the Audit. To request an Audit, Customer must submit a detailed plan at least 3 weeks in advance of the proposed Audit date describing the proposed scope, duration, and start date of the Audit. Audit requests must be sent to security@Instructure.com with a copy to privacy@instructure.com. The Audit must be conducted during regular business hours, subject to Instructure’s policies, and may not unreasonably interfere with Instructure’s business activities. Customer is responsible for its own expenses in conducting an Audit. 
      2. If any such Audit requires the use of Instructure resources different from, or in addition to those required by Data Protection Laws, Customer shall reimburse Instructure for any time spent for an Audit at rates agreed to by the Parties. All reimbursement rates shall be reasonable, considering the resources expended by, or on behalf of Instructure.  
      3. Any Audit right under this Section 7.3 shall not require Instructure to disclose to Customer or its third-party auditors (a) any information of any other Instructure customer; (b) any internal accounting or financial information unless otherwise agreed to in writing; (c) any trade secret, and/or; (d) any information that could compromise the security of Instructure’s systems or information, or cause Instructure to breach any applicable law or contractual obligation.
    3. Data Protection Impact Assessments.  Upon Customer’s written request, Instructure shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligations under Data Protection Laws to carry out a data protection impact assessment or other mandated privacy assessment related to Customer’s use of the Services to the extent that Customer does not otherwise have access to the relevant information, and to the extent such information is available to Instructure.
  8. Restrictions on Receipt of Information.  Nothing under this DPA shall require Instructure to disclose (a) any data or information of any other customer of Instructure, or any third party not directly involved in the provision of the Services; (b) any confidential accounting or financial information; (c) any trade secret of Instructure; or (d) any information that, in Instructure’s reasonable opinion could (i) compromise the security of Instructure’s networks, systems, or premises, (ii) cause Instructure to breach its security or privacy obligations to any third party, or (iii) any information sought for any reason other than the reasons outlined in this DPA. Instructure may require Customer’s agreement to reasonable terms and conditions prior to providing audit reports under this DPA.
  9. Security Breach Management and Notification.  In the event of a Security Breach, Instructure shall; (a) notify Customer of the Security Breach without undue delay after becoming aware of the Security Breach and such notification shall include at least the information required by the Data Protection Laws; (b) investigate the Security Breach and provide Customer with information about the Security Breach; and (c) take commercially reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach, and to allow Customer to take reasonable and appropriate steps to do the same to the extent such steps are within Customer’s control. Instructure shall cooperate with Customer and with any third parties designated by Customer to respond to the Security Breach.
  10. De-Identified Data: De-Identified Data may be used by Instructure for those purposes allowed under Data Protection Law and the following purposes: (a) assisting the Customer or other governmental agencies in conducting research and other studies; and (b) research and development of Instructure's educational sites, services, or applications, and to demonstrate or improve the effectiveness of the Services; and (c) for adaptive learning purposes and for customized student learning. Instructure's use of De-Identified Data shall survive termination of this DPA or any request by Customer to return or destroy Customer Personal Data. Instructure agrees (i) not to attempt to re-identify De-Identified Data, and (ii) not to transfer De-Identified Data to any party unless that party agrees in writing not to attempt re-identification.
  11. Government Access Requests.  If Instructure receives a legally binding request to access Customer Personal Data from a public authority, Instructure shall, unless otherwise legally prohibited, promptly notify Customer including a summary of the nature of the request. To the extent that Instructure is prohibited from providing such notification, Instructure shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable Instructure to communicate with Customer. Instructure shall challenge such request if, after careful assessment, it concludes that there are reasonable grounds to consider such request unlawful. Instructure agrees to provide the minimum amount of information permissible when responding to a public authority request for disclosure based on a reasonable interpretation of the request. Instructure shall promptly notify Customer if Instructure becomes aware of any direct access by a public authority to Customer Personal Data and provide information available to Instructure in this respect to the extent permitted by law. 
    1. This DPA shall not require Instructure to pursue action or inaction that could result in civil or criminal penalty for Instructure such as contempt of court. Instructure certifies that (a) it has not purposefully created back doors or similar programming for the purpose of allowing access to the Services and/or Personal Data by any public authority, (b) it has not purposefully created or changed its business processes in a manner that facilitates access to the Services and/or Customer Personal Data by any public authority, and (c) as of the Effective Date is not currently aware of any national law or government policy requiring Instructure to create or maintain back doors, or to facilitate access to the Services and/or Customer Personal Data, or to handover any encryption key to any public authority.
  12. Return And Deletion of Customer Personal Data.  Within 90 days after termination or expiration of the Agreement, Instructure shall provide functionality for Customer to download its Customer Personal Data stored in the Services to the extent possible, or securely delete Customer Personal Data in accordance with Instructure’s data retention policies which adhere to requirements of the Data Protection Laws, and in a manner consistent with the terms of the Agreement.
  13. Severance.  Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
  14. Legal Effect.  This DPA shall only become legally binding between the Customer and Instructure when both Parties sign the Agreement.
  15. Limitation of Liability.  To the extent permitted by Data Protection Laws, Customer’s remedies with respect to any breach by Instructure or its Affiliates of the terms of this DPA or Data Protection Laws will be subject to any aggregate limitation of liability that applies to Instructure and/or Customer under the Agreement.

Schedule 1 – Data Processing Schedule

  1. Schedule of Data. The following Personal Data elements Processed by the Services are described below.

Each Services Name is listed below, followed by its Personal Data Elements.

Canvas Learning Management System (including mobile apps)

  • Application username/ID & hashed password
  • Assessment results (e.g., 86%)
  • Avatar URL (if enabled by the Customer, e.g., URL of Avatar image)
  • Browser locale (e.g., en, browser language setting)
  • Calendar events (e.g., event location)
  • Comments (e.g., discussions, media comments, submissions)
  • Country (e.g., CAN)
  • Course content (e.g., Lesson #4, Syllabus)
  • Course results (e.g., B+)
  • Email address (e.g., John.Doe@awesomeu)
  • Enrollment status (end-user's association with a specific course or section, e.g., Student or Teacher)
  • First and last name
  • IP Address (e.g., 127.0.0.1)
  • Locale (The end-user’s locale. This is an optional field and may not be entered by the end-user, e.g., en - language selection)
  • Messages (e.g., notifications and course conversations)
  • Media content created by the user (e.g., images, voice recording, comments)
  • Phone number (if enabled by the customer, for SMS messages)
  • Pronouns (if enabled by the customer, preferred pronouns selected by the end-user, e.g., she/her)
  • Session ID
  • School Name
  • School Position (e.g., Student)
  • Short name (selected by the end-user, e.g., Sam)
  • Student Information System (SIS) Identification Number
  • SIS source ID (ID for the correlated record in the SIS if a SIS integration has been configured)
  • Submitted content (e.g., research paper, assignments)
  • Turnitin ID (unique identifier used by Turnitin)
  • Webconference data (participant ID, participant comments, user ID. If enabled by the Customer)

Canvas Commons

  • Canvas LMS user ID/username & hashed password
  • Email address (e.g., John.Doe@awesomeu)
  • First and last name
  • IP Address (e.g., 127.0.0.1)
  • Messages/comments related to the learning object

Canvas Catalog

  • Account ID for the Customer
  • Application username/ID & hashed password
  • Canvas LMS user ID
  • Class completed date (e.g., March 4, 2000)
  • Credit card processing token via third party credit card processor
  • Email address (e.g., John.Doe@awesomeu)
  • Enrollment status (e.g., enrolled, registered)
  • External ID (Canvas enrollment ID)
  • First and last name
  • Item ID and Item Type (e.g., Intro to Statistics, online class)
  • Order ID (The order for the cart. The unique identifier of an order.)
  • Product ID (e.g., class name/ID)
  • Purchase date (e.g., May 5, 1999)

Canvas Studio

  • Application username/ID & hashed password
  • Canvas LMS user ID
  • Email address (e.g., John.Doe@awesomeu)
  • First and last name
  • IP Address (e.g., 127.0.0.1)
  • Messages related to video content
  • Video or media content created by the end-user (e.g., images, voice recording, comments)

Canvas Credentials

  • Application username/ID and hashed password
  • Badge data such as issuing institution or program
  • Email address (e.g., John.Doe@awesomeu)
  • First and last name
  • Institution/organization (Issuer) affiliation
  • IP address (e.g., 127.0.0.1)

Elevate Services

  • All data from the Student Information System authorized by the Customer
  • Application Username/ID & Password
  • Email address (e.g., John.Doe@awesomeu)
  • First and last name
  • IP Address (e.g., 127.0.0.1)

Impact by Instructure

  • Application activity (e.g., page clicks in an application)
  • Application Username/ID & password
  • Browser locale (e.g., en, browser language setting)
  • Customer Learning Management System username
  • Education level
  • Email address (e.g., John.Doe@awesomeu)
  • First and last name
  • IP Address (e.g., 127.0.0.1)
  • Language (e.g., Eng)
  • School name
  • School role (e.g., student, teacher)
  • Slack notifications (Customer administrators)
  • Student identification number

Intelligent Insights

  • All data sets from the Data Access Platform (described at https://api-gateway.instructure.com/doc/)
  • LTI usage data of end-users

LearnPlatform Services

  • District provided identifier
  • Email address (e.g., John.Doe@awesomeu)
  • English as a Second Language status
  • Ethnicity
  • First and last name
  • Free or Reduced Lunch eligibility
  • Gender
  • Mobile device MAC address (mobile application only)
  • Mobile device serial number (mobile application only)
  • Mobile device UDID (universal device identifier)
  • Name (e.g., John Doe)
  • Platform usage metrics (e.g., time on platform, activities completed, etc.)
  • Provider collected mastery/assessment metrics
  • Student grade level
  • Student Grade Level
  • Student identifier

Mastery Services

  • Application Username/ID & hashed password
  • Assessment Data
      • Accommodations
      • Assessment content
      • Student Assessment Scores
  • Biographic Data
      • Address (e.g., 123 Main Street)
      • Avatar image or photograph
      • Biographic data for teachers and administrators
      • Birthdate (e.g., 01/01/0000)
      • Email address (e.g., John.Doe@awesomeu)
      • English language learner status (True/False/Null)
      • Ethnicity (e.g., Native Hawaiian, Irish)
      • First and last name
      • Free or reduced lunch status (True/False/Null)
      • Gender (ItemLogic user profiles only)
      • Grade level (e.g., 5th)
      • Individualized Education Program status (True/False/Null)
      • Phone Number
      • Race (e.g., Hispanic, White, Asian)
  • Conversation comments (e.g., discussion)
  • Course Data (Trackers)
      • Curriculum Plans
      • Student Notes
      • Parent Notes
      • Tracker Title (e.g., Classrooms.title, Classrooms.teacher name)
      • Tracker “Fancy Name” (classroom.teacher name)
  • IP Address (e.g., 127.0.0.1)
  • Section Data
      • Teacher enrollments
      • Student enrollments
  • School Name
  • School Position (e.g., Student)
  • School Student ID Number
  • State Student ID Number
  • Student Information System (SIS) Identification Number
  • Student report card data
  • Teacher Social Features (messages, comments, pinned content and connections)

Portfolium

  • Application username/ID & password
  • Avatar image or photograph
  • Biographical information such as: phone number, gender, social media url, resume, C.V., occupation, job title, schools attended, graduation year, skills, certificates, publications, project samples, work experiences, and microcredentials.
  • Date of birth
  • Device identifier
  • Email address (e.g., John.Doe@awesomeu)
  • First and last name
  • IP Address (e.g., 127.0.0.1)
  • Messages
  • Portfolio artifacts such as: skills, projects, writing samples, articles, videos, photos, website links, and social media links.

Section 2 – Description of the Processing and Transfer (when data are transferred)

Categories of data subjects whose personal data is transferred:

End-users of the Services as authorized by Customer. 

Categories of personal data transferred:

As described in Schedule 1, Section 1.

Sensitive data transferred:

The Services are generally not intended to process sensitive personal data, or special categories of personal data. Any processing of these data is determined and controlled by Customer in compliance with Data Protection Laws.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):

Continuous for the duration of the Agreement.

Nature of the processing:

Performance of the Services described in the Agreement.

Purpose(s) of the data transfer and further processing:

As described in Section 3 of the DPA.

Instructure’s data centers for the Services are located in the following regions based on the Customer’s location.

  • EU, EEA, or UK based customers: Ireland or Germany.
  • Australia: Australia, Singapore, India (Impact only)
  • Singapore: Australia, Singapore, India (Impact only)
  • Canada: Canada
  • U.S.: U.S. 
  • Latin America: U.S. 
  • Africa: U.S., or Ireland
  • Instructure’s data centers for all Mastery Services and Elevate Services are in the U.S. regardless of Customer location.

Instructure’s Processing locations for its support services where Instructure operates as a Controller are described at https://community.canvaslms.com/t5/Privacy-Articles/Instructure-s-Third-Party-Processing-Guide/ta-p/606339.

Instructure may Process and/or transfer Customer Personal Data and Account Data outside of the Customer’s home region for the underlying support services. 

  • Relationship and Contract Management. Including providing contract and customer relationship management services.
  • Customer Support. Including end-user helpdesk support and technical operations support. 
  • Professional Services. Including integration services, implementation services, and configuration services as purchased by Customer. 
  • Engineering and Security Support. Including review by Instructure authorized personnel of Customer Personal Data included in user support tickets, application logs, security logs, database logs, systems logs, application databases, and security alerting tools.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Processor will process Customer Personal Data for the duration of the Agreement. Upon termination of the Agreement, it will be deleted in accordance with this DPA or the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: 

The duration will be until the termination of the Agreement.

 

Schedule 2 - U.S. K-12 & Higher Education Addendum

This Schedule 2 applies to Customers that are classified as U.S. based K-12 or higher education institutions that are government recognized, formally-accredited educational institutions delivering nationally approved certifications or diplomas at primary, secondary, or third levels, and supplements the DPA to which it is attached.

  1. Definitions. In addition to the terms defined in the DPA, the following definitions apply to this Schedule 2.
    1. “Education Records” means records, files, documents, and other materials directly related to a student and maintained by the Customer, or by a person acting for the Customer as defined under FERPA.
    2. “School Official” for the purposes of this Schedule and pursuant to 34 CFR § 99.31(b), a School Official is a contractor that, (a) performs an institutional service or function for which the agency or institution would otherwise use employees; (b) is under the direct control of the agency or institution with respect to the use and maintenance of Student Data including Education Records; and (c) is subject to 34 CFR § 99.33(a) governing the use and re-disclosure of Personally Identifiable Information from Education Records.
    3. “Student Data” means any data, whether gathered by Instructure or provided by Customer or its users of the Services, that is descriptive of a student including but not limited to, information in the student’s Education Record, email address, first and last name, birthdate, home or other physical address, telephone number, or other information allowing physical or online contact, videos, test results, special education data, grades, evaluations, disabilities, socioeconomic information, documents, student identifiers, search activity, photos, voice recordings, geolocation information, parents’ names, or any other information or identification number that would provide information about a specific student. Student Data includes metadata that is not De-identified. Student Data also includes “Personally Identifiable Information or (PII),” as defined in 34 C.F.R. § 99.3 or as defined under any applicable U.S. state law. Student Data shall constitute Education Records for the purposes of this DPA, and for the purposes of U.S. federal, state, and local laws, and regulations. Student Data as specified in Schedule 1 is confirmed to be collected or processed by Instructure pursuant to the Services. Student Data shall not constitute that information that has been anonymized or De-Identified, or anonymous usage data regarding a user’s use of the Services.
    4. “Student Generated Content” means materials or content created by a student in the Services including, but not limited to, essays, research reports, portfolios, creative writing, music or other audio files, photographs, and videos. Student Generated Content does not include assessments.
  2. FERPA. To the extent that the Customer is subject to FERPA, the Parties agree that Instructure operates as a School Official under FERPA and has a legitimate educational interest in Personally Identifiable Information from Education Records received from the Customer pursuant to this DPA. For purposes of the Agreement and this DPA, Instructure, (a) provides a service or function for which the Customer would otherwise use employees, (b) is under the direct control of the Customer with respect to the use and maintenance of Education Records; and (c) is subject to the requirements of FERPA governing the use and redisclosure of Personally Identifiable Information from the Education Records received from Customer.
  3. Parent Access.  To the extent required by Data Protection Laws, Instructure shall establish reasonable procedures by which a parent, legal guardian, or eligible student (as defined under FERPA) may review Education Records and/or Student Data, correct erroneous information, and procedures for the transfer of Student Generated Content to a personal account consistent with the functionality of Services. Instructure shall respond in a reasonably timely manner from the date of the request or pursuant to the time frame required under Data Protection Law for a Customer to respond to a parent, legal guardian, or eligible student, whichever is sooner, to the Customer’s request for Student Data in an Education Record held by Instructure to view or correct as necessary. If a parent or legal guardian of a student or eligible student contacts Instructure to review any of the Student Data accessed pursuant to the Services, Instructure shall refer the individual making the request to the Customer for access to such Education Records and/or Student Data.
  4. Separate Account.  To the extent required by Data Protection Laws, if Student Generated Content is stored or maintained by Instructure, Instructure shall, at the request of the Customer, transfer or provide a mechanism for the Customer to transfer such Student Generated Content to a separate account created by the student consistent with the functionality of the Services.
  5. Customer Obligations.  Customer shall provide Student Data for the purposes of obtaining the Services in compliance with all applicable Data Protection Laws.
  6. Children’s Privacy. Children under 13 may only use the Services with prior consent of a parent or of an educational institution acting on behalf of the child’s parent. Customer agrees that it has obtained such consent prior to permitting any child under 13 to access or use the Services.
  7. Schedule of Data. The list of Student Data Processed by Instructure is described in Schedule 1.

Schedule 3 - EEA & UK Addendum

This Schedule 3 shall apply if Customer is in the EEA, UK, or is subject to the jurisdiction of Data Protection Laws of the EEA or UK and supplements the DPA to which it is attached. 

  1. Definitions. In addition to the terms defined in the DPA, the following definitions apply to this Schedule 3.
    1. “EEA” means the European Economic Area, consisting of the Member States of the European Union and Iceland, Liechtenstein, and Norway.
    2. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and the UK equivalent.
    3. “Data Privacy Framework” means the EU-US Data Privacy Framework (“EU-US DPF”), Swiss-US Data Privacy Framework, and the UK Extension to the EU-U.S. DPF self-certification program operated by the U.S. Department of Commerce.
    4. “Data Privacy Principles” mean the Data Privacy Framework principles (as supplemented by the Supplemental Principles).
    5. “Standard Contractual Clauses” means the contractual clauses issued by the European Commission by implementing decision 2021/914 of 4th of June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, the UK International Data Transfer Addendum (“UK Addendum”), and any similar measures promulgated pursuant to the GDPR to address the transfer of Personal Data to a Third-country and any amendments and replacements thereto as may be promulgated from time to time.
    6. “Supplementary Measures” means technical, organizational, and contractual measures as described in EDPB Guideline adopted on 18th June 2021 the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of Personal Data.
    7. “Third-country” means a country that is neither part of the EEA nor UK, nor has been declared adequate by a decision of the European Commission according to the mechanism described in Article 45 GDPR or covered by the UK adequacy regulations.
    8. “UK” means the United Kingdom, Wales, and Northern Ireland. 
  2. Instructure as Processor for Customer Personal Data. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects about whom Personal Data is Processed under this DPA are further specified in Schedule 1. 
  3. Cross Border Data Transfers. Customer acknowledges and agrees that providing the Services may require transfer to, and Processing of Customer Personal Data and Account Data within a Third-country. All transfers to a Third-country are subject to the following conditions: (a) Customer has given prior authorization for the transfer by signing the Agreement;  (b) Customer Personal Data and Account Data are Processed under the terms of the Agreement and this DPA; (c) there is a valid transfer mechanism in place in accordance with applicable Data Protection Laws; and (d) Instructure shall implement the Supplementary Measures, where necessary.
  4. Order of Precedence. In the event the Services are covered by more than one transfer mechanism under Data Protection Laws, the transfer of Customer Personal Data will be subject to a single transfer mechanism, as applicable, and in accordance with the following order of precedence: (a) the Data Privacy Framework as set forth in Section 4.1; (b) the Standard Contractual Clauses as set forth in Section 4.2; (c) the Jurisdiction Specific Terms as set forth in Schedule 4; and, if neither (a), (b), nor (c) is applicable, then (d) other applicable data transfer mechanisms permitted under Data Protection Laws.
    1. Data Privacy Framework. To the extent that Instructure processes any Personal Data via the Services originating in the EU, UK, or Switzerland, Instructure represents that Instructure, Inc., is self-certified under the Data Privacy Framework and complies with the Data Privacy Principles when processing any such Personal Data. To the extent that Customer is (a) located in the United States of America and is self-certified under the Data Privacy Framework, or (b) located in the EEA, UK, or Switzerland, Instructure further agrees (i) to provide at least the same level of protection to any Customer Personal Data as required by the Data Privacy Principles; (ii) to notify Customer in writing, without undue delay, if its self-certification to the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated (in which case, the Standard Contractual Clauses will apply in accordance with Section 4.2); and (iii) upon written notice, to work with Customer to take reasonable and appropriate steps to stop and remediate any unauthorized Processing of Customer Personal Data.
    2. Standard Contractual Clauses: A valid transfer mechanism referred to in Section 4 is: (a) where Instructure acts as a Processor and Customer acts as a Controller, the Standard Contractual Clauses, Module TWO: Transfer Controller to Processor; (b) where Instructure acts as a Controller and Customer acts as a Controller, the Standard Contractual Clauses, Module ONE: Transfer Controller to Controller; (c) and in both cases, the UK Addendum thereto attached as Appendix 2, and all of the foregoing are deemed to be incorporated herein by reference as set forth below. 
      1. In respect of the Standard Contractual Clauses, the Parties agree on the following: (a) in clause 7, the Parties choose to include the “docking clause”; (b) where Module Two applies, in clause 9, the Parties choose Option 2: “general written authorization”; (c) where Module Two applies, in clause 9, the Parties choose twenty (20) days as the specific time period; (d) in clause 11, the Parties do not choose the optional complaint mechanism; (e) in clause 17, the governing law is the law of the EU Member State: Option 1 - where Customer is established in an EU Member State, the law in that EU Member State; or Option 2 - where Customer is not established in an EU Member State but has appointed a representative pursuant to Article 27(1) of the GDPR, the law in the EU Member State in which the Customer’s representative is located; or Option 3 - where Customer is not established in an EU Member State and is not required to appoint a representative pursuant to Article 27(2) of the GDPR, the law of UK, or as defined in the Agreement; and in clause 18, the country of the applicable court in respect of any disputes arising from Standard Contractual Clauses is the courts in which the Parties have denoted choice of law above.
    3. To the extent that Instructure uses a Sub-processor in a Third-Country for the Processing of Customer Personal Data, the following shall apply in addition to Section 4 above: (a) Customer has given prior authorization for the transfer by signing the Agreement; (b) there is a valid transfer mechanism in place in accordance with Data Protection Laws; and (c) Instructure makes information on the transfer mechanism, and where applicable, the Standard Contractual Clauses, available without undue delay to Customer.

APPENDIX 1 - STANDARD CONTRACTUAL CLAUSES

Annex I

A.  LIST OF PARTIES

Data exporter(s): As defined in the Agreement

Name: As defined in the Agreement

Address: As defined in the Agreement

Contact person’s name, position and contact details: As defined in the Agreement

Activities relevant to the data transferred under these Clauses: As defined in the Agreement

Signature and date: As defined in the Agreement 

Role: Controller

Data importer(s): 

Name: Instructure, Inc., and/or Instructure Global Limited

Address: 

6330 S 3000 E, Suite 700, Salt Lake City, Utah 84121, USA. 

Birchin Court, 5th Floor, 19-25 Birchin Lane, London EC3V 9DU United Kingdom

Contact person’s name, position, and contact details: Data Protection Officer, privacy@instructure.com

Activities relevant to the data transferred under these Clauses: As defined in the Agreement.

Signature and date: As defined in the Agreement

Role:  Processor (Customer Personal Data) and Controller (Account Data)

B.  DESCRIPTION OF TRANSFER. As described in Schedule 1.

C.  COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the supervisory authority denoted in Section 4.2. 

Annex II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Instructure’s technical and organizational measures are described at: https://www.instructure.com/trust-center/resources

Annex III - LIST OF SUB-PROCESSORS

https://community.canvaslms.com/t5/Privacy-Articles/Instructure-s-Third-Party-Processing-Guide/ta-p/606339

APPENDIX 2 - UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses - VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Start date: The effective date of the DPA to which this Appendix has been attached.

| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| --- | --- | --- |
| Parties’ details | As described in the Agreement. | As described in Schedule 3 - Appendix 1 |
| Key Contact | As described in the Agreement. | As described in Schedule 3 - Appendix 1 |
| Signature (if required for the purposes of Section 2) | As described in the Agreement. | As described in Schedule 3 - Appendix 1 |

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: ☒ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Yes | Yes | No | | | |
| 2 | Yes | Yes | No | General | 30 days | |
| 3 | N/A | N/A | N/A | N/A | N/A | |
| 4 | N/A | N/A | N/A | | | N/A |

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: Schedule 3 - Appendix 1, Annex IA

Annex 1B: Description of Transfer: Schedule 1

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Schedule 3 - Appendix 1, Annex II

Annex III: List of Sub processors (Modules 2 and 3 only): Not applicable to a general authorisation to engage sub-processors, but a list of Instructure subprocessors is available as described in Section 5 of the DPA.

 

Table 4: Ending this Addendum when the Approved Addendum Changes

Which Parties may end this Addendum as set out in Section Error! Reference source not found.:

☒ Importer

☒ Exporter

☐ neither Party

Part 2: Mandatory Clauses - Alternative Part 2 Mandatory Clauses:

Mandatory Clauses

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎Error! Reference source not found. of those Mandatory Clauses.


Schedule 4 – Jurisdiction Specific Terms

To the extent that Services involve the Processing of Customer Personal Data originating from the following countries, the relevant provisions set out below will apply and supplement the applicable DPA provisions.

  1. Provisions relevant to Turkey. The provisions of this Section 1 apply where Instructure processes Customer Personal Data that originates from Turkey.
    1. Instructure will comply with the applicable provisions of the Turkish Data Protection Act (“Turkish DPA”) numbered 6698 and dated 7 April 2016 and any related regulations, and all decisions of the Turkish Data Protection Authority. 
    2. Instructure will promptly assist the Customer: (a) by implementing appropriate technical and organizational measures, insofar as this is possible, taking into account the nature of the processing, to fulfil the Customer's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Law which applies to the Customer (such as, but not limited to, rights to rectify, erase, or block Customer Personal Data); and (b) in ensuring compliance with the Customer's obligations pursuant to Article 12 of the Turkish Data Protection Act (security, notification of personal data breaches to authorities and individuals), taking into account the nature of the Processing and the information available to Instructure.
    3. Where Instructure processes, outside of Turkey, Customer Personal Data subject to the Turkish DPA originating from Turkey, then Instructure shall cooperate with Customer with any formalities required by the Turkish Data Protection Authority.
  2. Provisions relevant to Switzerland. The provisions of this Section 2 apply where Instructure processes Customer Personal Data and/or Account Data that originates from Switzerland.
    1. The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection, as revised (“FADP”).
    2. When Instructure engages a Sub-processor under Section 6 (Sub-processors) of this DPA, it will: (a) require any appointed Sub-processor to protect the Customer Personal Data to the standard required by applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR, and (b) require any appointed Sub-processor to (i) agree in writing to only Process Customer Personal Data in a country that Switzerland has declared to have an “adequate” level of protection or (ii) only process Customer Personal Data on terms equivalent to the EU Standard Contractual Clauses.
    3. To the extent that Customer Personal Data and/or Account Data transfers from Switzerland are subject to the EU Standard Contractual Clauses, the following amendments will apply to the EU Standard Contractual Clauses: (a) references to "EU Member State" and "Member State" will be interpreted to include Switzerland, and (b) insofar as the transfer or onward transfers are subject to the FADP: (i) references to "Regulation (EU) 2016/679" are to be interpreted as references to the FADP; (ii) the "competent supervisory authority" in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner; (iii) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and (iv) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
  3. Provisions relevant to Australia. The provisions of this Section 3 apply where Instructure processes Customer Personal Data that originates from Australia.
    1. APPs shall mean the Australian Privacy Principles in the Privacy Act. 
    2. Personal Information has the meaning given to that term in the Privacy Act. 
    3. Privacy Act shall mean the Australian Privacy Act 1988 (Cth). 
    4. Instructure shall, in respect of any Customer Personal Data it receives or has access to under the Agreement: (a) comply with the APPs (except for APP 1) as if it were bound by the APPs to the same extent as the Customer; and (b) without limiting sub-paragraph (a), enter into a similar contractual arrangement with any third party to whom it discloses the Personal Information (whereby the third party agrees to comply with the APPs in respect of such information (except for APP 1) as if that third party were bound by the APPs to the same extent as the Customer).
  4. Provisions relevant to Hong Kong. The provisions of this Section 4 apply where Instructure processes Customer Personal Data that originates from Hong Kong.
    1. To the extent that Instructure carries out direct marketing on behalf of the Customer, Instructure shall implement effective measures designed to inform data subjects of the scope of the marketing and provide effective means designed to allow data subjects to give consent in accordance with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO").
    2. Instructure shall comply with the data retention requirement (DPP2) and data security requirement (DPP4) as contained in the PDPO.
  5. Provisions relevant to India. The provisions of this Section 5 apply where Instructure processes Customer Personal Data that originates from India. When Providing the Services, Instructure shall comply with the requirements of the Information Technology Act 2000, the Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (each as amended, modified, supplemented from time to time) as applicable to a body corporate, and any other laws, rules, regulations, notifications, judgements relating to data protection or privacy that are in force as of date of the Agreement, or that may be brought into force in India at any time in the future during the term of the Agreement.
  6. Provisions relevant to Japan. The provisions of this Section 6 apply where Instructure processes Customer Personal Data that originates from Japan.
    1. Instructure shall not obtain any Customer Personal Data from the Customer in Japan or another party through any deceptive, fraudulent, or other wrongful means. 
    2. Instructure shall make a reasonable effort to ensure that the transferred Customer Personal Data is accurate and up to date and within the scope necessary to perform the Services.
    3. Instructure will take the appropriate technical and organizational security measures designed to adequately protect all Customer Personal Data in Japan against not only misuse and loss, but also leakage and damage, in accordance with any relevant Order, the Agreement, this DPA, and the Act on the Protection of Personal Information (Act No. 57 of 2003, as amended) (the “APPI”). 
    4. Instructure will implement appropriate technical and organizational measures, insofar as this is possible considering the nature of the Processing, to fulfil the Customer’s obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Law which applies to the Customer (such as, but not limited to, rights to rectify, erase, or block Customer Personal Data).
    5. If Instructure acquires Customer Personal Data of Data Subjects in Japan directly from those Data Subjects, in connection with the Services by Instructure to those Data Subjects, Instructure will process Customer Personal Data of those Data Subjects in compliance with the APPI and all accompanying regulations and guidelines issued by the Personal Information Protection Commission of Japan, and all other privacy legislation and other laws which Instructure is subject to, even when it handles Customer Personal Data of those data subjects outside Japan.
    6. Instructure will notify the Customer of any notices, requests, orders or queries from Data Subjects, any data protection or other governmental authority, law enforcement agency, court order or tribunal, which the Customer or Instructure is obliged to comply with under the APPI or other applicable laws to facilitate timely resolution of any matter arising in connection with the foregoing or any related investigation.
  7. Provisions relevant to Malaysia. The provisions of this Section 7 apply where Instructure processes Customer Personal Data that originates from Malaysia.
    1. For the purposes of this Section 7, “Personal Data”, “Sensitive Personal Data” and “Data User” have the meanings given to those terms in the Personal Data Protection Act 2010.
    2. Instructure shall comply with the Personal Data Protection Act 2010 to the extent that this applies to Processors and the Customer Personal Data to be Processed hereunder.
    3. No Customer Personal Data shall be transferred to a country outside Malaysia unless to such country as specified by the Minister by notification published in the Gazette (if any) or with the consent of the Data User or as otherwise permitted in the circumstances as prescribed in the Personal Data Protection Act 2010 with regards to the transfer of Personal Data.
    4. No processing of special categories of data/sensitive data within the meaning of Sensitive Personal Data, including any transfer thereof, may be made without the explicit consent of the Data Subject or as otherwise permitted in the circumstances as prescribed in the Personal Data Protection Act 2010 with regards to the processing of Sensitive Personal Data.
    5. Instructure will promptly assist the Data User to fulfil the Data User’s obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws which apply to the Data User within the time as prescribed by the Personal Data Protection Act 2010.
  8. Provisions relevant to New Zealand. The provisions of this Section 8 apply where Instructure processes Customer Personal Data that originates from New Zealand. Instructure shall comply with the Information Privacy Principles set out in the New Zealand Privacy Act 1993 (the “Act”) (as though Instructure were Customer) and shall cooperate with the Customer in a manner designed to ensure that the Customer can meet its obligations (including in relation to information privacy requests and investigations) under that Act.
  9. Provisions relevant to the Philippines. The provisions of this Section 9 apply: (a) where Instructure processes Customer Personal Data about a Philippine citizen or resident; (b) where Instructure, Processor or Customer is found or established in the Philippines; (c) where the processing of Customer Personal Data is done in the Philippines; or (d) where the processing of Customer Personal Data is done or engaged in by an entity with links to the Philippines.
    1. Instructure will comply with the following obligations: (a) comply with applicable local laws and regulations and issuances of the Philippine National Privacy Commission; (b) assist the Customer, by appropriate technical and organizational measures and to the extent possible, to fulfil the obligation to respond to requests by Data Subjects relative to the exercise of their rights; (c) assist the Customer in ensuring compliance with applicable local laws and regulations and issuances of the Philippine National Privacy Commission, taking into account the nature of processing and the Customer Personal Data available to Instructure;  (d) make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in applicable local laws and regulations; and (e) immediately inform the Customer if, in its opinion, a Direction from the Customer infringes any applicable local law, regulation or issuance of the Philippine National Privacy Commission. 
    2. Instructure shall host and Process the Customer Personal Data stored in the Services as described in Schedule 1. 
  10. Provisions relevant to Singapore. Instructure shall comply with the Personal Data Protection Act 2012 to the extent that this applies to Processors and the Customer Personal Data to be Processed hereunder. Instructure shall host the Customer Personal Data stored in the Services as described in Schedule 1. Instructure shall Process Customer Personal Data as described in Schedule 1.
  11. Provisions relevant to South Korea. The provisions of this Section 11 apply: (a) where Instructure processes Customer Personal Data that originates from South Korea; or (b) where Instructure is an entity located in South Korea. 
    1. Instructure will comply with the applicable provisions of the Personal Data Protection Act (as amended), and the Act on Promotion of Data and Communications Network Utilization and Data Protection, etc., (as amended).
    2. Subject to the limitations and waivers of liability in the Agreement, Instructure shall be liable to the Customer for damages that it causes by any breach of provisions in this DPA.
    3. Instructure shall host and Process the Customer Personal Data stored in the Services as described in Schedule 1. 
  12. Provisions relevant to Taiwan. The provisions of this Section 12 apply where Instructure Processes Customer Personal Data that originates from Taiwan or is the Customer Personal Data of a Taiwanese national Data Subject anywhere in the world. Instructure shall host the Customer Personal Data stored in the Services as described in Schedule 1. Instructure shall Process Customer Personal Data as described in Schedule 1.
    1. Instructure will comply with the applicable provisions of the current Taiwan Personal Information Act (the “PIPA”), the Enforcement Rules to the Personal Information Protection Act (the “PIPA Enforcement Rules”), and any other data protection regulations currently in force in Taiwan.
    2. Instructure will promptly assist the Customer: (a) by implementing appropriate technical and organizational measures, insofar as this is possible taking into account the nature of the processing, to fulfil the Customer’s obligations to respond to requests from Data Subjects exercising their rights under the PIPA which apply to the Customer (such as, but not limited to, rights to review, to copy, to rectify, to cease collection, processing, or use, or to erase Customer Personal Data); (b) in ensuring compliance with the Customer’s obligations pursuant to Article 12 of the PIPA (prompt investigation of data breach and notice to individuals) and any applicable industry-specific regulations issued under Article 27 of the same (including but not limited to any industry-specific duty to notify the regulator of a data breach) taking into account the nature of the processing and the information available to Instructure; and (c) by immediately informing the Customer if, in Instructure’s opinion, an instruction from the Customer to collect, process, or use Customer Personal Data violates the PIPA.
    3. Instructure shall adopt the technical and organizational measures set forth in Article 12(2) of the PIPA Enforcement Rules proportional to the purpose of the prevention of Customer Personal Data from being stolen, altered, damaged, destroyed or disclosed.
    4. In addition to informing the Customer of any serious interruption of Instructure’s Processing operations, any suspicion of Security Breaches, or violation of the PIPA, the PIPA Enforcement Rules, or other Taiwan data protection regulations, Instructure shall inform the Customer of all remedial measures taken to remedy the interruption, breach, or violation. 
    5. Instructure shall comply with any reserved instruction from the Customer and has an obligation to provide information evidencing compliance with any such reserved instruction to the Customer.
  13. Provisions relevant to Brazil.  The provisions of this Section 14 apply where Instructure processes Customer Personal Data that originates from Brazil.
    1. The definition of “Data Protection Laws” includes the Lei Geral de Proteção de Dados (LGPD).
    2.  The definition of “Security Breach” includes a security incident that may result in any relevant risk or damage to Data Subjects.
    3.  The definition of “Processor” includes “operator” as defined under the LGPD.
    4.  To the extent Customer Personal Data is processed through the Internet, the provisions of the Brazilian Internet Act (Law 12,965/2014) must be observed. Instructure will comply with the so-called Habeas Data Law (Law 9,507/1997) to the extent applicable.
  14. Provisions relevant to Chile.  The provisions of this Section 15 apply where Instructure processes Customer Personal Data that originates from Chile.
    1.  Instructure will comply with Section 14 of this Schedule 4.
    2.  Instructure will comply with the Data Protection Act Nº 19.628, as amended. The substantive provisions of the Data Protection Act entered into force on October 27, 1999, and August 22, 2000.
  15. Provisions relevant to Colombia.  The provisions of this Section 15 apply where Instructure processes Customer Personal Data that originates from Colombia.
    1. Instructure will comply with Section 15 of this Schedule 4.
    2. For the purposes of this Section 15: (a) “Colombian GDP” shall mean the Colombian General Data Protection legal framework (Law 1581 of 2012 and Decree 1074 of 2015); and (b) Customer Personal Data flows between Instructure and Customer will be understood as ‘data transmissions’ under the Colombian GDP.
    3.  Instructure will comply with the following obligations: (a) Process Customer Personal Data only for the purposes authorized by the individuals who are the subjects of such information; (b) Process Customer Personal Data pursuant to the Customer’s instructions and privacy notice; and (c) Process Customer Personal Data pursuant to the principles set forth in the Colombian GDP.
  16. Provisions relevant to Mexico.  The provisions of this Section 16 apply where Instructure processes Customer Personal Data that originates from Mexico.
    1. Instructure will comply with Section 16 of this Schedule 4. 
    2. Instructure will comply with the security measures set out in Article 52 of the Mexican Data Protection Regulations (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares) where applicable.
    3.  Instructure will process Customer Personal Data in accordance with the privacy notice of the Customer, provided that Customer shall ensure that the Customer’s privacy notice adequately describes the processing of Customer Personal Data by Instructure under the Agreement in a manner compliant with Mexican law.
  17. Provisions relevant to the Republic of Argentina.  The provisions of this Section 17 apply where Instructure processes Customer Personal Data that originates from the Republic of Argentina.
    1. Instructure agrees to comply with the obligations of a data importer as set out in the model contract titled Contrato Modelo de Transferencia Internacional de Datos Personales con Motivo de Prestación de Servicios adopted by the Data Protection Agency of the Republic of Argentina under Disposition 60 — E/2016 (the “Argentinian SCCs”) for the transfer of Personal Data to data processors established in third countries (as defined thereunder).
    2. Instructure acknowledges that each Customer Affiliate in the Republic of Argentina will be a Customer. In particular, and without limiting the above obligation: (a) Instructure agrees to grant third party beneficiary rights to Data Subjects, as set out in Clause 3 of the Argentinian SCCs, provided that Instructure's liability shall be limited to its own Processing operations; (b) Instructure agrees that its obligations under the Argentinian SCCs shall be governed by the laws of the Republic of Argentina in which the Customer Affiliates that are the data exporter(s) are established; and (c) the details of the appendices applicable to the Argentinian SCCs are set out in Schedule 1 to this DPA.
    3. For the purposes of Annex A to the Argentinian SCCs, the data exporter is an educational institution; the data importer is an international education technology company and details about the data subjects, categories of data, processing operations and security measures are as set out in Schedule 1 to this DPA.
    4. Instructure shall neither apply nor use the Customer Personal Data for any purpose other than the one specified in this DPA nor shall Instructure, except as permitted in this DPA and the Agreement, communicate to other parties such Customer Personal Data, even for storage purposes. Once the corresponding contractual obligations have been performed, the Customer Personal Data processed must be destroyed, except where there is an express authorization given by the person for account of whom such services are rendered, by reason of a possibility of the Customer Personal Data being used for future services, in which case the Customer Personal Data may be stored under due security conditions for a maximum term of up to two (2) years. The parties agree to adopt confidentiality measures to protect the Customer Personal Data following section 9 of the Data Protection Act and its Regulations. Instructure shall process the Customer Personal Data following only instructions from the Customer.
  18. Provisions relevant to Canada. The provisions of this Section 18 apply where Instructure processes Customer Personal Data that originates from Canada.
    1. Instructure shall comply with the Personal Information Protection and Electronic Documents Act and any provincial statute that is declared substantially similar pursuant to section 26(2)(b), where applicable and Instructure shall promptly inform Customer if the location where the Customer Personal Data is hosted ever changes.


Schedule 5 – LearnPlatform Research Services Customer Addendum

This Schedule 5 applies to Customers that are education technology providers that have purchased LearnPlatform research services from Instructure under the Agreement and supplements the DPA to which it is attached.

  1. Definitions. For the purposes of this Schedule 5, the following definitions shall apply in addition to the terms defined in the DPA.
    1. “LEA” means educational institution, local education agency, school, or district that provides the Shared Data to Instructure for Processing under this DPA.
    2. “Purpose” means evaluating the effectiveness of Customer’s educational products and services, including through collecting feedback from an LEA, and through the measuring of product utility, to enhance, supplement, and improve instruction for students.
    3. “Results” means the analysis of the Shared Data performed by Instructure.
    4. “Shared Data” means any data or information shared with Instructure by the Customer or an LEA in order for Instructure to provide the Services, including but not limited to any de-identified data, aggregated data sets, personally identifiable information (PII) about students, and other student information, including, but not limited to, student data, metadata, and user content.
  2. Purpose. Customer is an educational technology company that maintains “education records,” as defined by FERPA. Instructure is requesting access to certain education records provided by the Customer for the purpose of providing the Services to Customer. 
  3. Roles of the Parties. The parties agree that with respect to Shared Data, Customer is the “business” or “controller”, and Instructure is the “processor” or “service provider,” in each case as such terms are defined by applicable Data Protection Laws. 
  4. Ownership and Processing of the Shared Data
    1. Customer represents, warrants, and covenants that it has complied with all applicable Data Protection Laws, including without limitation providing all notices and obtaining all consents and rights necessary under applicable Data Protection Laws for Instructure to Process any Shared Data shared by Customer or the LEA with Instructure. In the event Customer determines that the foregoing representation, warranty and covenant is untrue with respect to any Shared Data, Customer will promptly notify Instructure. Customer shall indemnify Instructure from and against all claims, directly resulting from any material breach of this Section 4.1 by Customer, its employees, agents, contractors, Sub-processors, or subcontractors. A breach of this Section 4.1 shall be considered a material breach of this DPA. 
    2. Except as otherwise set forth expressly in this DPA and the Agreement, the Parties agree that the Shared Data and all rights to the Shared Data, shall, as between Instructure and Customer, remain the exclusive property of Customer or the LEA that provided the Shared Data to Instructure. Instructure understands that the DPA does not convey ownership of Shared Data to Instructure.
    3. Customer acknowledges that any Shared Data shared and provided to Instructure under the Agreement is for the sole purpose of evaluating educational products and services to enhance, supplement, and improve instruction for students. Customer shall use the Shared Data for the sole purpose of evaluating educational products to inform instructional, operational and fiscal decisions, and the practices and processes related to education technology in schools.
    4. The parties agree that the Results, including without limitation the De-identified Data derived from the Shared Data, shall as between LEA and the Customer be the exclusive property of Instructure. De-identified Data will have all direct and indirect personal identifiers removed, including, but not limited to, name, ID numbers, date of birth, demographic information, location information, and school ID. Customer agrees not to attempt to re-identify any De-identified Data provided by Instructure to Customer. Customer agrees to grant the LEA a limited, nonexclusive, license to use the Results solely for its internal planning and purchasing decisions.
  5. Prohibition on Unauthorized Use or Disclosure of Shared Data. The parties agree to hold all Shared Data in strict confidence. The parties shall not use or disclose any Shared Data received from or on behalf of an LEA except as authorized in this DPA, or as otherwise directed in writing by the LEA, or as required by law. The parties agree not to disclose any Shared Data obtained from the LEA in a manner that could identify any individual student to any other entity or person, attempt to infer or deduce the identity of any individual student based on Shared Data provided by the LEA, or claim to have identified or deduced the identity of any student based on Shared Data provided by LEA.
    1. The parties are prohibited from mining Shared Data for any purposes other than those set forth in this DPA and the Agreement or otherwise agreed to in advance in writing by the LEA. Data mining or scanning of user content for the purpose of advertising and/or marketing any non-educational products or services to students or their parents is strictly prohibited.
    2. In no event will the parties use any of the Shared Data for its own commercial marketing or advertising purposes, or for the commercial marketing or advertising purposes of any third-party. Without limiting the foregoing, the parties agree that use of the Results for a party’s marketing or advertising purposes is permitted so long as no individual student identity is disclosed or capable of being deduced. The parties will not use any Shared Data to advertise or market non-educational products or services to the LEA students or their parents.
    3. The parties may only share the Shared Data, or any part of it, with employees, agents, contractors, and subcontractors who have agreed in writing to adhere to, and be bound by, the terms of this DPA with respect to their possession and use of any Shared Data, and acknowledging that such employees, agents, contractors, and subcontractors are aware of their obligations under applicable law with regard to the possession, use and re-disclosure of the Shared Data.
    4. Instructure acknowledges that the Shared Data is for the sole purpose of evaluating the effectiveness of Customer’s educational products and services, including through collecting feedback from the LEA under the Services. 
    1. Authorized Use of Shared Data. In the event Customer’s access to the Shared Data is pursuant to the “school official exception” as set forth in 34 CFR 99.31(a)(1)(i), Customer’s use of the Shared Data shall at all times be limited to institutional functions of LEA that could otherwise be provided by a school official and which LEA is “outsourcing” to Customer pursuant to 34 CFR 99.31(a)(1)(B). Customer agrees to use the Shared Data for no purpose other than the Purpose. Customer understands that this DPA does not convey ownership of Shared Data to Provider. Customer specifically acknowledges that Customer’s use of the Shared Data and Results in connection with any marketing activities shall not exceed the acceptable uses permitted by 20 U.S.C. § 1232h(c)(4)(A).