Canvas Badges | Instructure
Data Processing Addendum
Last Updated: 01 November 2024
Canvas Badges Data Processing Addendum
This Canvas Badges Data Processing Addendum (“DPA”) forms part of the Canvas Badges Terms of Service (“Terms”) between Instructure, Inc. (or its Affiliates, “Instructure”, “we”, or “us”) and a Business Account or a Badge Recipient (each a “Customer”, “you”, or “your”) (each a “Party”, collectively the “Parties”). Capitalized terms not defined herein shall have the meanings set forth in the Terms. This DPA reflects the Parties’ agreement with respect to the Processing of Customer Personal Data by Instructure. This DPA is supplemental to, and forms an integral part of, our Terms and is hereby incorporated by reference into the Terms. Any capitalized terms not defined in this DPA shall have the meaning given in the Terms. In the event of any discrepancy or conflict between this DPA and the Terms, this DPA shall prevail.
Instructure may update this DPA from time to time and we will note the effective date of the changes above in the “Last Updated” section above. If we make changes to this DPA, we will notify you either by email or through the Services. Archived versions of the DPA are located here.
How this DPA applies: This DPA consists of two parts - the main body of the DPA and the Schedules. The Schedules apply as described in each Schedule.
- Schedule 1 – Data Processing Schedule
- Schedule 2 – U.S. K-12 & Higher Education Addendum
- Schedule 3 – EEA & UK Addendum
- Definitions. The following definitions apply solely to this DPA.
- “Affiliate(s)” means any entity which is controlled by, controls, or is in common control with a Party.
- “Account Data” means the Personal Data of Business Account, its employees, personnel, contractors, business contacts, and/or agents that relates to the Business Account’s relationship with Instructure, including without limitation the names or contact information of such individuals authorized by Business Account to access Business Account’s account for or on behalf of Business Account, and contact and billing information of individuals that Business Account has associated with its account. Account Data also includes without limitation any Personal Data Instructure may need to Process to perform support services, or as part of its legal obligation to retain records.
- “Badge Recipient” means the individual awarded a badge by a Business Account that establishes a Canvas Badges Backpack Account.
- “Business Account” means a Canvas Badges account created on behalf of and maintained by an organization and which is used for non-personal reasons (i.e., not used solely for receiving badges). Examples of the types of organizations that might have a Business Account are a corporation or other for-profit business entity, a public institution, such as a university or state agency, a public charity, or a private foundation.
- “Canvas Badges Backpack Account” means the “backpack” where a Badge Recipient may store badges awarded by a Business Account or other organizations.
- “Controller” means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “Data Protection Laws” means the laws and regulations applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means an individual whose Personal Data is being processed by Instructure under the Agreement.
- “Personal Data” means any information relating to an identified or reasonably identifiable individual or as otherwise defined under Data Protection Laws provided by Customer to Instructure for Processing.
- “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process,” “Processes” and “Processed” will be construed accordingly.
- “Processor” means the entity that Processes Personal Data on behalf of the Controller.
- “Sell,” “Selling,” “Sale,” and “Sold” shall have the meanings provided under applicable Data Protection Laws.
- “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed by Instructure.
- “Services” means the Canvas Badges offering(s) made available through our websites, Canvas Credentials, and our APIs made available by or on behalf of Instructure to the Customer.
- “Sub-Processor” means any third-party organization engaged by Instructure to process Customer Personal Data.
- Processing of Personal Data
- The Parties agree that with regard to the Processing of Personal Data, the Customer is the Controller and Instructure is the Processor. Instructure shall comply with applicable Data Protection Laws. Customer retains ownership, rights, and title to Customer Personal Data.
- The Customer will use the Services in accordance with the requirements of Data Protection Laws and will ensure that the instructions issued to Instructure for Processing of Personal Data comply with applicable Data Protection Laws. Customer acknowledges and agrees that it will be solely responsible for: (a) the accuracy, quality, and legality of Personal Data provided to Instructure and the means by which it acquired Personal Data; and (b) fulfilling all requirements under Data Protection Laws necessary to make Personal Data available to Instructure for Processing as provided herein and under the Terms. Customer shall notify Instructure promptly of any known unauthorized access to the Services of which it becomes aware. Customer agrees to reasonably assist Instructure in any efforts by Instructure to investigate and respond to any unauthorized access to the Services.
- Customer is responsible for independently determining whether the data security of the Services adequately meets Customer’s obligations under applicable Data Protection Laws. Customer is also responsible for Customer’s secure use of the Services, including protecting the security of Personal Data in transit to and from the Service.
- Instructure shall only Process Personal Data on behalf of and in accordance with the Terms and Customer’s written instructions, except where and to the extent otherwise required by applicable law. In such case, Instructure shall inform Customer of such legal requirement before processing, unless prohibited by applicable law.
- Customer instructs Instructure to Process Personal Data for the following limited and specified purposes: (i) Processing in accordance with the Terms, any applicable orders, and Data Protection Laws; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the Terms and applicable Data Protection Laws. Instructure shall promptly notify Customer in the event Instructure determines that any Customer instructions violate Data Protection Laws. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 3.
- Instructure shall not Sell or Share for targeted advertising purposes Customer Personal Data unless expressly instructed by Customer. Instructure shall not combine Customer Personal Data with other data except as permitted by Data Protection Laws. Instructure shall not collect, retain, use, or otherwise disclose Customer Personal Data outside of the direct business relationship with Customer, and shall only Process Customer Personal Data for limited and specified purposes consistent with this DPA and the Terms.
- If Instructure determines that it can no longer comply with Data Protection Laws with regard to the Processing of Customer Personal Data, Instructure will promptly notify Customer.
- The Parties agree that with regard to the processing of Account Data, Customer and Instructure are both independent Controllers (and not joint Controllers). Instructure will process Account Data as a Controller in order to (a) manage and administer the relationship with Customer; (b) carry out Instructure’s business operations, such as and without limitation, billing, accounting, and filing taxes; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) provide end-user support services; (e) comply with Instructure’s legal or regulatory obligations; (f) exercise its rights and carry out its obligations under the Agreement; (g) improve, troubleshoot, and market its products and services; and (h) as otherwise permitted under applicable Data Protection Laws and in accordance with this DPA, the Terms, and the Canvas Badges Privacy Notice.
- Security; Audit Rights; Privacy Impact Assessments.
- Instructure shall maintain technical and organizational measures designed to protect the security, confidentiality, and integrity of Customer Personal Data.
- Instructure shall, upon written notice, use reasonable efforts to permit Customer to take reasonable and appropriate steps to (a) stop and remediate unauthorized processing of Customer Personal Data upon notice of same; and (b) ensure that Instructure Processes Customer Personal Data in a manner consistent with Customer’s obligations under Data Protection Laws.
- Customer will first use all reasonable efforts to satisfy any audit needs through (a) copies of Instructure’s most recently completed SOC-2 Type II audit report, its public ISO 27001 certificate; (b) a summary of Instructure’s operational practices related to data protection and security; and (c) a summary of the Services’ annual penetration test.
- If required or permitted under applicable Data Protection Laws, the Business Account may engage a mutually agreed upon third party to audit Instructure solely for the purposes of meeting its audit requirements pursuant to Data Protection Laws (“Audit”), provided that the Business Account or its third-party representatives are contractually bound by obligations of confidentiality for such Audit information. The Business Account must promptly provide Instructure with information regarding any non-compliance discovered during the Audit. To request an Audit, the Business Account must submit a detailed plan at least 3 weeks in advance of the proposed Audit date describing the proposed scope, duration, and start date of the Audit. Audit requests must be sent to security@Instructure.com with a copy to privacy@instructure.com. The Audit must be conducted during regular business hours, subject to Instructure’s policies, and may not unreasonably interfere with Instructure’s business activities. The Business Account is responsible for its own expenses in conducting an Audit.
- If any such Audit requires the use of Instructure resources different from, or in addition to those required by Data Protection Laws, the Business Account shall reimburse Instructure for any time spent for an Audit at rates agreed to by the Parties. All reimbursement rates shall be reasonable, considering the resources expended by, or on behalf of Instructure.
- Any Audit right under this Section 7.3 shall not require Instructure to disclose to the Business Account or its third-party auditors: (a) any information of any other Instructure customer; (b) any internal accounting or financial information unless otherwise agreed to in writing; (c) any trade secret; and/or (d) any information that could compromise the security of Instructure’s systems or information, or cause Instructure to breach any applicable law or contractual obligation.
- Upon the Business Account’s written request, Instructure shall provide the Business Account with reasonable cooperation and assistance needed to fulfill the Business Account’s obligations under Data Protection Laws to carry out a data protection impact assessment or other mandated privacy or data protection assessment required under Data Protection Laws related to the Business Account’s use of the Services, to the extent that the Business Account does not otherwise have access to the relevant information, and to the extent such information is available to Instructure.
- Instructure Personnel. Instructure will use commercially reasonable efforts to ensure that any personnel whom Instructure authorizes to Process Customer Personal Data are subject to appropriate confidentiality obligations with respect to that Customer Personal Data. Instructure shall use commercially reasonable efforts to ensure that access to Customer Personal Data is limited to those personnel who require such access to perform the Services.
- Assistance To Customer and Rights of Data Subjects.
- The Services provide Customers with several controls that Customer can use to retrieve, correct, delete or restrict Customer Personal Data which Customer can use in connection with Customer’s obligations under applicable Data Protection Laws, including Customer’s obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws.
- To the extent Customer, in its use or receipt of the Services, does not have the ability to take steps required to comply with or honor a Data Subject rights request, and to the extent required by the Data Protection Laws, Instructure will use commercially reasonable efforts to comply with reasonable requests by Customer to facilitate such actions to the extent Instructure is legally permitted to do so, taking into account the nature of the Processing of Customer Personal Data and the information available to Instructure.
- Sub-Processors.
- Except as permitted in this DPA, Instructure shall not transfer or otherwise make available Customer Personal Data to any third party without Customer's prior authorization.
- Customer gives its general authorization to Instructure to use Instructure Affiliates as Sub-processors; and third-party Sub-processors in connection with the provision of the Services provided that the following conditions are met:
- Instructure shall ensure that obligations not materially less protective than those set out in this DPA are imposed on Sub-processors by way of a written contract;
- Instructure remains liable towards Customer for the work of its Sub-processors as if and to the extent such work was performed by Instructure; and
- Instructure shall provide the list of its Sub-processors by giving a link to a website where the information about the Sub-processors is kept up to date.
- Instructure shall inform Customer of any intended changes to Sub-processors concerning the addition or replacement of Sub-processors. To the extent required by Data Protection Laws, Instructure shall thereby give Customer the opportunity to object to such changes by notifying Instructure in writing within 30 days after the receipt of Instructure’s notice about the changes, and if, within 20 days of receipt of that notice, Customer notifies Instructure in writing of any objections on reasonable grounds to the proposed engagement of a Sub-processor. If Instructure is not able to resolve Customer’s objections, Customer may cease use of the Services.
- Government Access Requests. If Instructure receives a legally binding request to access Customer Personal Data from a public authority, Instructure shall, unless otherwise legally prohibited, promptly notify Customer including a summary of the nature of the request. To the extent that Instructure is prohibited from providing such notification, Instructure shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable Instructure to communicate with Customer. Instructure shall promptly notify Customer if Instructure becomes aware of any direct access by a public authority to Customer Personal Data and provide information available to Instructure in this respect, to the extent permitted by law.
- Security Breach Management and Notification.
- Instructure will notify Customer without undue delay after becoming aware of any Security Breach and will provide timely information relating to the Security Breach as it becomes known or as reasonably requested by Customer.
- In the event of a Security Breach, Instructure shall: (a) notify Customer of the Security Breach without undue delay after becoming aware of the Security Breach. Notification shall include at least the information required by the Data Protection Laws; (b) investigate the Security Breach and provide Customer with information about the Security Breach; and (c) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach and to allow Customer to take reasonable and appropriate steps to do the same to the extent such steps are within Customer’s control. Instructure shall cooperate with Customer, and with any third parties designated by Customer, to respond to the Security Breach.
- At Customer’s request, Instructure will promptly provide Customer with such reasonable assistance as necessary to enable Customer to notify competent authorities and/or affected Data Subjects of a Security Breach, if Customer is required to do so under Data Protection Laws.
- Deletion of Customer Personal Data. Instructure shall securely delete Customer Personal Data in accordance with Instructure’s data retention policies which adhere to requirements of the Data Protection Laws, and in a manner consistent with the terms of the Agreement. Customer may request deletion of Customer Personal Data by contacting the Canvas Badges support team, or by emailing privacy@instructure.com.
- Limitation of Liability. To the extent permitted by Data Protection Laws, Customer’s remedies with respect to any breach by Instructure or its Affiliates of the terms of this DPA or Data Protection Laws will be subject to any aggregate limitation of liability that applies to Instructure and/or Customer under the Terms.
- Instructure’s Contact Information: If you have questions about this DPA or our privacy practices you may contact us at:
Instructure, Inc. – 6330 S 3000 E, Suite 700, Salt Lake City, Utah 84121 USA, privacy@instructure.com
Instructure Global Limited – Birchin Court 5th Floor, 19-25 Birchin Lane, London EC3V 9DU, privacy@instructure.com
Schedule 1 – U.S. K-12 Addendum
This Schedule 1 applies to Business Accounts that are classified as U.S. based K-12 educational institutions that are government recognized, formally-accredited educational institutions delivering nationally approved certifications or diplomas at primary, secondary, or third levels.
- Definitions. For the purposes of this Schedule 1 the following definitions shall apply.
- “De-Identified Data” and “De-Identification” means data and information where all personally identifiable information has been removed or obscured, such that the remaining information does not reasonably identify a specific individual, including, but not limited to, any information that, alone or in combination is linkable to a specific Data Subject.
- “Educational Records” means records, files, documents, and other materials directly related to a student and maintained by the Business Account, including but not limited to, records encompassing all the material kept in the student’s cumulative folder.
- “School Official” for the purposes of this Schedule and pursuant to 34 CFR § 99.31(b), a School Official is a contractor that, (a) performs an institutional service or function for which the agency or institution would otherwise use employees; (b) is under the direct control of the agency or institution with respect to the use and maintenance of Student Data including Education Records; and (c) is subject to 34 CFR § 99.33(a) governing the use and re-disclosure of Personally Identifiable Information from Education Records.
- “Student Data” means any data, provided by the Business Account to Instructure, that is descriptive of a student. Student Data also includes “Personally Identifiable Information (PII),” as defined in 34 C.F.R. § 99.3 or as defined under any applicable U.S. state law. Student Data shall constitute Education Records for the purposes of this DPA, and for the purposes of U.S. federal, state, and local laws, and regulations. Student Data as specified in Schedule 3 is confirmed to be collected or processed by Instructure pursuant to the Services. Student Data shall not constitute that information that has been anonymized or De-Identified, or anonymous usage data regarding a user’s use of the Services.
- FERPA. To the extent that a Business Account is subject to the Family Educational Rights and Privacy Act (“FERPA”), the Parties agree that Instructure is a School Official under FERPA and has a legitimate educational interest in Personally Identifiable Information from Education Records received from the Business Account pursuant to this DPA. For purposes of the Terms and this DPA, Instructure (a) provides a service or function for which the Customer would otherwise use employees; (b) is under the direct control of the Business Account with respect to the use and maintenance of education records; and (c) is subject to the requirements of FERPA governing the use and redisclosure of Personally Identifiable Information from the Education Records received from the Business Account.
- Parent Access. To the extent required by Data Protection Laws, Instructure shall establish reasonable procedures by which a parent, legal guardian, or eligible student may review Education Records and/or Student Data, and correct erroneous information. If a parent of a student or other individual contacts Instructure to review any of the Student Data accessed pursuant to the Services, Instructure shall refer the parent or individual to the Business Account for access to such Education Records and/or Student Data.
- Customer Obligations. Customer shall provide Student Data for the purposes of obtaining the Services in compliance with all applicable Data Protection Laws.
- De-Identified Data: De-Identified Data may be used by Instructure for those purposes allowed under FERPA and the following purposes: (a) assisting the Business Account or other governmental agencies in conducting research and other studies; (b) research and development of Instructure's educational sites, services, or applications, and to demonstrate the effectiveness of the Services; and (c) for adaptive learning purposes and for customized student learning. Instructure's use of De-Identified Data shall survive termination of this DPA or any request by the Business Account to destroy Student Data. Instructure agrees (i) not to attempt to re-identify De-Identified Data, and (ii) not to transfer De-Identified Student Data to any party unless that party agrees in writing not to attempt re-identification.
- Children’s Privacy. Children under 13 may not use the Services.
- Schedule of Data. The list of Student Data Processed by Instructure is described in Schedule 3.
Schedule 2 - EEA & UK Addendum
This Schedule 2 shall apply if Customer is in the EEA, UK, Switzerland, or is subject to the jurisdiction of Data Protection Laws of the EEA, UK, or Switzerland. In case of any discrepancy between the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- Definitions
- “EEA” means the European Economic Area, consisting of the Member States of the European Union and Iceland, Liechtenstein, and Norway.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and the UK equivalent.
- “Data Privacy Framework” means the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and/or Swiss-US Data Privacy Framework self-certification program operated by the U.S. Department of Commerce.
- “Data Privacy Principles” mean the Data Privacy Framework Principles (as supplemented by the Supplemental Principles).
- “Standard Contractual Clauses” means the contractual clauses issued by the European Commission by implementing decision 2021/914 of 4th of June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, the UK International Data Transfer Addendum (“UK Addendum”), and any similar measures promulgated pursuant to the GDPR to address the transfer of Personal Data to a Third-country and any amendments and replacements thereto as may be promulgated from time to time.
- “Supplementary Measures” means technical, organizational, and contractual measures as described in EDPB Guideline adopted on 18th June 2021 the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
- “Third-country” means a country that is neither part of the EEA nor has been declared adequate by a decision of the European Commission according to the mechanism outlined in Article 45 GDPR.
- “UK” means the United Kingdom, Wales, and Northern Ireland.
- Instructure as Processor. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects about whom Personal Data is Processed under this DPA are further specified in Schedule 3, Appendix 1 - Annex I B.
- Cross Border Data Transfers. Customer acknowledges and agrees that Instructure is established in a Third-country and that providing the Services may require transfer to, and Processing of Customer Personal Data within, a Third-country. All transfers to a Third-country are subject to the following conditions: (a) Customer has given prior authorization for the transfer by agreeing to the Terms; (b) the Customer Personal Data are Processed under the Terms and this DPA; (c) there is a valid transfer mechanism in place in accordance with applicable Data Protection Laws; and (d) Instructure shall implement the Supplementary Measures, where necessary.
- Order of Precedence. In the event the Services are covered by more than one transfer mechanism under the GDPR, the transfer of Customer Personal Data will be subject to a single transfer mechanism, as applicable, and in accordance with the following order of precedence: (a) the Data Privacy Framework as set forth in Section 4.1; (b) the Standard Contractual Clauses as set forth in Section 4.2; and, if neither (a) nor (b) is applicable, then (c) other applicable data transfer mechanisms permitted under applicable Data Protection Laws.
- Data Privacy Framework. To the extent that Instructure processes any Personal Data via the Services originating in the EEA, UK, or Switzerland, Instructure represents that Instructure, Inc., is self-certified under the Data Privacy Framework and complies with the Data Privacy Principles when processing any such Personal Data. To the extent that Customer is (a) located in the United States of America and is self-certified under the Data Privacy Framework, or (b) located in the EEA, UK, or Switzerland, Instructure further agrees (i) to provide at least the same level of protection to any Customer Personal Data as required by the Data Privacy Principles; (ii) to notify Customer in writing, without undue delay, if its self-certification to the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated (in which case, the Standard Contractual Clauses will apply in accordance with Section 4.2); and (iii) upon written notice, to work with Customer to take reasonable and appropriate steps to stop and remediate any unauthorized processing of Customer Personal Data.
- Standard Contractual Clauses: A valid transfer mechanism as referred to in Section 3(c) is: (a) where Instructure acts as a Processor and Customer acts as a Controller, the Standard Contractual Clauses, Module TWO: Transfer Controller to Processor; (b) where Instructure acts as a Controller and Customer acts as a Controller, the Standard Contractual Clauses, Module ONE: Transfer Controller to Controller; (c) and the UK Addendum thereto attached as Appendix 2. In each case, all of the foregoing are deemed to be incorporated herein by reference as set forth below. In respect of the Standard Contractual Clauses, the Parties agree on the following: (i) in clause 7, the Parties choose to include the “docking clause”; (ii) where Module Two applies, in clause 9, the Parties choose Option 2: “general written authorization”; (iii) where Module Two applies, in clause 9, the Parties choose twenty (20) days as the specific time period; (iv) in clause 11, the Parties do not choose the optional complaint mechanism; (v) in clause 17, the governing law is the law of the EU Member State: Option 1: Where Customer is established in an EU Member State, the law in that EU Member State; or Option 2: Where Customer is not established in an EU Member State but has appointed a representative pursuant to Article 27(1) of the GDPR, the law in the EU Member State in which the Customer’s representative is located.
- To the extent that Customer Personal Data transfers from Switzerland are subject to the Standard Contractual Clauses, the following amendments will apply to the Standard Contractual Clauses: (a) references to "EU Member State" and "Member State" will be interpreted to include Switzerland, and (b) insofar as the transfer or onward transfers are subject to the Swiss Federal Act on Data Protection (“FADP”): (i) references to "Regulation (EU) 2016/679" are to be interpreted as references to the FADP; (ii) the "competent supervisory authority" in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner; (iii) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and (iv) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
- To the extent that Instructure uses a Sub-processor in a Third-Country for the Processing of Customer Personal Data, the following shall apply in addition to Section 4 above: (a) Customer has given prior authorization for the transfer by agreeing to the Terms; (b) there is a valid transfer mechanism in place in accordance with applicable Data Protection Laws; and (c) Instructure makes information on the transfer mechanism, and where applicable, the Standard Contractual Clauses, available without undue delay to Customer.
APPENDIX 1 - STANDARD CONTRACTUAL CLAUSES
ANNEX 1 – Details of Processing
A. List of Parties
Data exporter:
Name: the Customer
Role: Controller (Customer Personal Data) and Controller (Account Data)
Data importer:
Name: Instructure, Inc.
Address: 6330 S 3000 E, Suite 700, Salt Lake City, Utah 84121, USA
Contact person’s name, position, and contact details: DPO, privacy@instructure.com
Activities relevant to the data transferred under these clauses: As defined in the Agreement
Role: Processor (Customer Personal Data) and Controller (Account Data)
B. Description of Transfer: The description of the transfer can be found in Schedule 3.
C. Competent Supervisory Authority: The competent supervisory authority is the Information Commissioner’s Office of the United Kingdom.
ANNEX 2 - Security Measures
Instructure’s technical and organizational measures are described at: https://www.instructure.com/trust-center/resources.
APPENDIX 2 - UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
| Start date | The date that the Customer agrees to the Terms. | |
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Parties’ details | Customer | Instructure, Inc. |
| Key Contact | As described in Appendix 1 | |
| Signature (if required for the purposes of Section 2) | N/A | N/A |
Table 2: Selected SCCs, Modules and Selected Clauses
| Addendum EU SCCs | X the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: |

| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
| 1 | Yes | Yes | No | | | |
| 2 | Yes | Yes | No | General | N/A | |
| 3 | No | N/A | N/A | N/A | N/A | |
| 4 | No | N/A | N/A | N/A | | |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
- Annex 1A: List of Parties: Appendix 1, Annex IA
- Annex 1B: Description of Transfer: Appendix 1, Annex IB
- Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Appendix 1, Annex II
- Annex III: List of Sub processors (Modules 2 and 3 only): Not applicable to a general authorisation to engage sub-processors, but a list of Instructure subprocessors is available as described in Section 6 of the DPA.
Table 4: Ending this Addendum when the Approved Addendum Changes
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ☒ Importer ☒ Exporter ☐ neither Party |
Part 2: Mandatory Clauses
Alternative Part 2 Mandatory Clauses:
| Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
Schedule 3 – Description of Transfer
| Categories of data subjects whose personal data is transferred: | End-users of the Services as authorized by a Business Account, and Badge Recipients. |
| Categories of personal data transferred: | Customer Personal Data; Account Data |
| Sensitive data transferred: | None. |
| The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): | Continuous so long as Customer uses the Services. |
| Nature of the processing: | Performance of the Services described in the Agreement including: (a) Storage and other Processing necessary to provide the Services to Customer, and to maintain and improve the Services. (b) Disclosure in accordance with the Agreement and/or as required by applicable laws |
| Purpose(s) of the data transfer and further processing: | Performance of the Services described in the Terms. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | Instructure will Process Customer Personal Data for so long as Customer uses the Services. Upon termination of a Business Account or Canvas Badges Backpack Account, it will be deleted in accordance with this DPA or the Terms. Instructure will Process Account Data only for the period necessary to achieve the purpose of such Processing, or as permitted by law. The criteria used to determine the period of Processing of Account Data is the respective statutory retention period or for certain marking data for the Services or other products. After expiration of that period, the corresponding Personal Data is routinely deleted, as long as it is no longer necessary for the fulfilment of a contract or other legally permitted purpose. |
| For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: | The duration will be so long as the Customer uses the Services. |