Data Processing Addendum | Policy 2022

Last Updated Date: December 21st, 2022

This Instructure Data Processing Addendum (“DPA”) forms part of the Instructure Services Order Form and Instructure Standard Terms and Conditions, or other written or electronic agreement (“Agreement”) between Customer Instructure, Inc., or its Affiliates (collectively “Instructure”) (each a “Party”, collectively “Parties”). The Parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. In case of any discrepancy or conflict between this DPA and the Agreement, this DPA shall prevail. In case of any discrepancy between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. Any capitalized terms not defined herein shall have the meanings set forth in the Agreement.

How this DPA Applies: Instructure provides the Services (as defined in the Agreement) to Customer which may include the Processing of Personal Data by Instructure during the provision of the Services. This DPA does not replace any rights related to the Processing of Customer Personal Data previously negotiated by Customer in the Agreement. Instructure agrees to comply with this DPA with respect to any Customer Personal Data Processed by Instructure in the provision of the Services under applicable Data Protection Laws. 

APPENDIX 1 - EU STANDARD CONTRACTUAL CLAUSES

ANNEX I

A.   LIST OF PARTIES

Data exporter(s): As defined in the Agreement

Name: As defined in the Agreement

Address: As defined in the Agreement

Contact person’s name, position and contact details: As defined in the Agreement

Activities relevant to the data transferred under these Clauses: As defined in the Agreement

Signature and date: As defined in the Agreement 

Role: Controller

     

Data importer(s): As defined in the Agreement

Name: As defined in the Agreement

Address: As defined in the Agreement

Contact person’s name, position, and contact details: As defined in the Agreement 

Activities relevant to the data transferred under these Clauses:

The data importer provides a Software-as-a-Service Internet accessible learning management software, for use by the data exporter as described in the Agreement.

Signature and date: As defined in the Agreement 

Role:  Processor 

B.   DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

Users of the services as authorized by the data exporter. 

Categories of personal data transferred:

Canvas LMS & Canvas for Corporate Education Data (including mobile applications):

- Name (e.g., John Doe) 

 - Username/ID

 - Password

- Short Name (e.g., John) 

- Email (e.g., John.Doe@awesomeu)

- School Name (e.g., Awesome University)

- School Position (e.g., Student) 

- Avatar URL (e.g., URL of Avatar image) 

- Pronouns (e.g., she/her) (Optional) 

- Locale (e.g., en - language selection) 

- Browser Locale (e.g., en, browser language setting) 

- Country Code (e.g., CAN) 

- Submitted content (e.g., research paper, assignments) 

- Assessment results (e.g., 86%) 

- Course results (e.g., B+) 

- Conversation comments (e.g., discussion) 

- Course content (e.g., Lesson #4) 

- IP Address (e.g., 127.0.0.1) 

- Messages (e.g., notifications and course conversations)

    - Video content created by the user (e.g., images, voice recording, comments)

Canvas Commons:

  • Canvas User Id
  • Canvas User Login name
  • Name (e.g., John Doe) 
  • Email (e.g., John.Doe@awesomeu)
  • Avatar Url (e.g., URL of Avatar image)
  • Commons resource ids favorited by the user
  • Comments the user made to any resources
  • IP Address (e.g., 127.0.0.1)

Canvas Catalog:

  • Credit card processing token via third party credit card processor
  • Canvas LMS User ID
  • Order ID
  • Account ID
  • Item ID and Item Type (e.g., Intro to Statistics, online class)
  • Name (e.g., John Doe) 
  • Email (e.g., John.Doe@awesomeu)
  • External ID (Canvas enrollment ID)
  • Canvas Root Account ID (Institution ID)
  • Product ID (e.g., class name/ID)
  • Class Completed Date
  • Enrollment status
  • Purchase date

Canvas Studio:

  • Video content created by the user (e.g., images, voice recording, comments)
  • Name (e.g., John Doe) 
  • Email (e.g., John.Doe@awesomeu.com
  • Canvas LMS User ID
  • Username/ID
  • Password
  • Messages

Canvas Credentials:

  • Name (e.g., John Doe) 

-  Email (e.g., John.Doe@awesomeu)

 - Physical address of badge recipients

 - Phone number of badge recipients

 - IP address 

 - Badge information such as issuing institution or program

 - User name and password

Elevate Data (Elevate Data Quality, Elevate K-12 Analytics, Elevate Standards Alignment, Elevate Data Sync):

  • All data from the Student Information System authorized by the applicable customer engagement.

Impact by Instructure Data:

  • User ID
  • Password
  • School role (e.g., student, teacher)
  • Full name (e.g, first, middle, last)
  • Student ID number
  • Email address (e.g., John.Doe@awesomeu)
  • School Name (e.g., Awesome University)
  • Education Level
  • Birthdate (Optional) 
  • Language (e.g., Eng)
  • Zip code
  • City (e.g., London)
  • Country (e.g., CAN)
  • State 
  • Browser Locale (e.g., en, browser language setting)
  • Profile Image (Optional)
  • Gender (Optional)
  • Learning Management System Username
  • Slack notifications (Administrators)
  • Application activity (e.g., page clicks in the application)

Mastery Data (Item Bank, Mastery View Predictive Assessmntes, Mastery View Interim Assessments, Mastery Connect):

  • Name (e.g., John Doe) 
  • School Student ID Number
  • State Student ID Number
  • Username/ID
  • Password
  • Short Name (e.g., John) 
  • Email (e.g., John.Doe@awesomeu)
  • Phone Number (Optional) 
  • School Name (e.g., Awesome University)
  • School Position (e.g., Student) 
  • Assessment results (e.g., 86%)
  • Birthdate
  • Race (e.g., Hispanic, White, Asian)
  • Ethnicity (e.g, Native Hawaiian, Irish, Austrian)
  • English Language Learner status (True/False/Null)
  • Individualized Education Program status (True/False/Null)
  • Free or reduced lunch status (True/False/Null)

Sensitive data transferred:

None

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):

Continuous for the duration of the Agreement.

Nature of the processing:

Performance of the Services described in the Agreement.

Purpose(s) of the data transfer and further processing:

Processing Customer Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by Data Subjects as required under EU/UK Data Protection Law; and (iii) Processing to comply with other documented, reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.

 

Instructure’s data centers for the Services are in the following regions for EU, EEA, or UK based customers: Ireland and/or Germany.

Canvas Commons is hosted in the USA exclusively.

Instructure’s limited Processing that occurs outside of the European Union is related to the following activities: 

  • Contract Management. This Processing includes providing contract and customer relationship management services.
  • Customer Support. This Processing includes user helpdesk support and technical operations support. Instructure’s user support ticketing system is hosted in the USA. Any Customer Personal Data submitted through a support ticket is stored and Processed in the USA. 
  • Professional Services. This Processing includes integration services, implementation services, and configuration services as purchased by Customer.
  • Engineering and Security Support. This Processing includes, user issue tickets, application logs, security logs, database logs, systems logs, and security alerting tools may be reviewed by security and engineering personnel located in the EU, USA, and UK. 
  • Data Anonymization for Internal Analytics. Instructure transfers Services databases to its data center in the USA for a period of 48 hours where Customer Personal Data is anonymized prior to being used by Instructure. 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Processor will process Customer Personal Data for the duration of the Agreement. Upon termination of the Agreement, it will be deleted in accordance with this DPA or the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: 

The duration will be until the termination of the Agreement.

C.   COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13: The competent supervisory authority is the supervisory authority denoted in Section 6.2 of the DPA. 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Instructure’s technical and organizational measures are described at: https://www.instructure.com/products/canvas/security

ANNEX III

LIST OF SUB-PROCESSORS

This Annex must be completed in case of the specific authorization of sub-processors (Clause 9(a), Option 1).  

APPENDIX 2

UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Start date

The effective date of the DPA to which this Addendum has been attached

The Parties

Exporter (who sends the Restricted Transfer)

Importer (who receives the Restricted Transfer)

Parties’ details

Full legal name: As described in the Agreement.

Trading name (if different): As described in the Agreement.

Main address (if a company registered address): As described in the Agreement.

Official registration number (if any) (company number or similar identifier): As described in the Agreement.

Full legal name: As described in the Agreement.

Trading name (if different): As described in the Agreement.

Main address (if a company registered address): As described in the Agreement.

Official registration number (if any) (company number or similar identifier): As described in the Agreement.

Key Contact

Full Name (optional): As described in the Agreement.

Job Title: As described in the Agreement.

Contact details including email: As described in the Agreement.

Full Name (optional): As described in the Agreement.

Job Title: As described in the Agreement.

Contact details including email: As described in the Agreement.

Signature (if required for the purposes of Section ‎2)

As described in the Agreement.

As described in the Agreement.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

X the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: 

Module

Module in operation

Clause 7 (Docking Clause)

Clause 11
(Option)

Clause 9a (Prior Authorisation or General Authorisation)

Clause 9a (Time period)

Is personal data received from the Importer combined with personal data collected by the Exporter?

1

Yes

Yes

No

     

2

Yes

Yes

No

General

20 days

N/A

3

No

N/A

N/A

N/A

N/A

N/A

4

No

N/A

N/A

   

N/A

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: Appendix 1, Annex IA

Annex 1B: Description of Transfer: Appendix 1, Annex IB

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Appendix 1, Annex II

Annex III: List of Sub processors (Modules 2 and 3 only): Not applicable to a general authorisation to engage subprocessors, but a list of Instructure subprocessors is available as descrived in Section 5.2(iii) of the DPA.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section ‎19:

☒ Importer

☒ Exporter

☐ neither Party

Part 2: Mandatory Clauses

Alternative Part 2 Mandatory Clauses:

Mandatory Clauses

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.

APPENDIX 3: JURISDICTION SPECIFIC TERMS

To the extent that Services involve Customer Personal Data originating from the following countries, the relevant provisions set out below will apply.

  1. Provisions relevant to Turkey
    1. The provisions of this paragraph 1 apply where Instructure processes Customer Personal Data that originates from Turkey.
    2. Instructure will comply with the Turkish Data Protection Act (“Turkish DPA”) numbered 6698 and dated 7 April 2016 and any related regulations, and all decisions of the Turkish Data Protection Authority. 
    3. Instructure will promptly assist the Customer:
      1. by implementing appropriate technical and organizational measures, insofar as this is possible, taking into account the nature of the processing, to fulfil the Customer's obligations to respond to requests from individuals exercising their rights under data protection law which applies to the Customer (such as, but not limited to, rights to rectify, erase, or block Customer Personal Data); and
      2. in ensuring compliance with the Customer's obligations pursuant to Article 12 of the Turkish Data Protection Act (security, notification of personal data breaches to authorities and individuals), taking into account the nature of the processing and the information available to Instructure.
    4. Where Instructure processes, outside of Turkey, Customer Personal Data subject to the Turkish DPA originating from Turkey, then Instructure shall cooperate with Customer with any formalities required by the Turkish Data Protection Authority.
  2. Provisions relevant to Switzerland
    1. The provisions of this paragraph 2 apply where Instructure processes Customer Personal Data that originates from Switzerland.
    2. The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection, as revised (“FADP”).
    3. When Instructure engages a Sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this DPA, it will:
      1. require any appointed Sub-processor to protect the Customer Personal Data to the standard required by applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR, and
      2. require any appointed Sub-processor to (i) agree in writing to only Process Customer Personal Data in a country that Switzerland has declared to have an “adequate” level of protection or (ii) only process Customer Personal Data on terms equivalent to the EU Standard Contractual Clauses.
    4. To the extent that Customer Personal Data transfers from Switzerland are subject to the EU Standard Contractual Clauses, the following amendments will apply to the EU Standard Contractual Clauses:
      1. references to "EU Member State" and "Member State' will be interpreted to include Switzerland, and
      2. insofar as the transfer or onward transfers are subject to the FADP:
        1. references to "Regulation (EU) 2016/679" are to be interpreted as references to the FADP;
        2. the "competent supervisory authority" in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
        3.  in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
        4. in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
  3. Provisions relevant to Australia
    1. The provisions of this paragraph 3 apply where Instructure processes Customer Personal Data that originates from Australia.
    2. APPs shall mean the Australian Privacy Principles in the Privacy Act.
    3. Personal Information has the meaning given to that term in the Privacy Act.
    4. Privacy Act shall mean the Australian Privacy Act 1988 (Cth).
    5. Instructure shall in respect of any Customer Personal Data it receives or has access to under the Agreement:
      1. comply with the APPs (except for APP 1) as if it were bound by the APPs to the same extent as the Customer; and
      2. without limiting sub-paragraph (i), enter into a similar contractual arrangement with any third party to whom it discloses the Personal Information (whereby the third party agrees to comply with the APPs in respect of such information (except for APP 1) as if that third party were bound by the APPs to the same extent as the Customer).
  4. Provisions relevant to Hong Kong
    1. The provisions of this paragraph 4 apply where Instructure processes Customer Personal Data that originates from Hong Kong.
    2. To the extent that Instructure carries out direct marketing on behalf of the Customer, Instructure shall implement effective measures designed to inform data subjects of the scope of the marketing and provide effective means designed to allow data subjects to give consent in accordance with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO").
    3. Instructure shall comply with the data retention requirement (DDP2) and data security requirement (DPP4) as contained in the PDPO.
  5. Provisions relevant to India
    1. The provisions of this paragraph 5 apply where Instructure processes Customer Personal Data that originates from India.  When Providing the Services, Instructure shall comply with the requirements of the Information Technology Act 2000, the Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (each as amended, modified, supplemented from time to time) as applicable to a body corporate, and any other laws, rules, regulations, notifications, judgements relating to data protection or privacy that are in force as of date of the Agreement, or that may be brought into force in India at any time in the future during the term of the Agreement.
  6. Provisions relevant to Japan
    1. The provisions of this paragraph 6 apply where Instructure processes Customer Personal Data that originates from Japan.
    2. Instructure shall not obtain any Customer Personal Data from the Customer in Japan or another party through any deceptive, fraudulent, or other wrongful means. 
    3. Instructure shall make a reasonable effort to ensure that the transferred Customer Personal Data is accurate and up to date and within the scope necessary to perform the Services.
    4. Instructure will take the appropriate technical and organizational security measures designed to adequately protect all Customer Personal Data in Japan against not only misuse and loss, but also leakage and damage, in accordance with any relevant Order, the Agreement, this DPA, and the Act on the Protection of Personal Information (Act No. 57 of 2003, as amended) (the “APPI”).
    5. Instructure will implement appropriate technical and organizational measures, insofar as this is possible taking into account the nature of the processing, to fulfil the Customer’s obligations to respond to requests from individuals exercising their rights under applicable Data Protection Law which applies to the Customer (such as, but not limited to, rights to rectify, erase, or block Customer Personal Data);
    6. If Instructure acquires Customer Personal Data of Data Subjects in Japan directly from those Data Subjects, in connection with the Services by Instructure to those Data Subjects, Instructure will process Customer Personal Data of those Data Subjects in compliance with the APPI and all accompanying regulations and guidelines issued by the Personal Information Protection Commission of Japan, and all other privacy legislation and other laws which the Instructure is subject to, even when it handles Customer Personal Data of those data subjects outside Japan.
    7. Instructure will notify the Customer of any notices, requests, orders or queries from Data Subjects, any data protection or other governmental authority, law enforcement agency, court order or tribunal, which the Customer or Instructure is obliged to comply with under the APPI or other applicable laws to facilitate timely resolution of any matter arising in connection with the foregoing or any related investigation.
  7. Provisions relevant to Malaysia
    1. The provisions of this paragraph 7 apply where Instructure processes Customer Personal Data that originates from Malaysia.
    2. For the purposes of this paragraph 6, “Personal Data”, “Sensitive Personal Data” and “Data User” have the meanings given to those terms in the Personal Data Protection Act 2010.
    3. Instructure shall comply with the Personal Data Protection Act 2010 to the extent that this applies to Data Processors and the Customer Personal Data to be Processed hereunder.
    4. No Personal Data shall be transferred to a country outside Malaysia unless to such country as specified by the Minister by notification published in the Gazette (if any) or with the consent of the data subject or as otherwise permitted in the circumstances as prescribed in the Personal Data Protection Act 2010 with regards to the transfer of Personal Data.
    5. No processing of special categories of data/sensitive data within the meaning of Sensitive Personal Data, including any transfer thereof, may be made without the explicit consent of the data subject or as otherwise permitted in the circumstances as prescribed in the Personal Data Protection Act 2010 with regards to the processing of Sensitive Personal Data.
    6. Instructure will promptly assist the Data User to fulfil the Data User’s obligations to respond to requests from individuals exercising their rights under data protection law which applies to the Data User within the time as prescribed by the Personal Data Protection Act 2010.
  8. Provisions relevant to New Zealand
    1. The provisions of this paragraph 8 apply where Instructure processes Customer Personal Data that originates from New Zealand. Instructure shall comply with the Information Privacy Principles set out in the New Zealand Privacy Act 1993 (as though Instructure were Customer) and shall cooperate with the Customer in a manner designed to ensure that the Customer can meet its obligations (including in relation to information privacy requests and investigations) under that Act.
  9. Provisions relevant to the Philippines
    1. The provisions of this paragraph 9 apply: (i) where Instructure processes Customer Personal Data about a Philippine citizen or resident; (ii) where Instructure, Data Processor or Customer is found or established in the Philippines; (iii) where the processing of Customer Personal Data is done in the Philippines; or (iv) where the processing of Customer Personal Data is done or engaged in by an entity with links to the Philippines.
    2. Instructure will comply with the following obligations:
      1. comply with applicable local laws and regulations and issuances of the Philippine National Privacy Commission;
      2. assist the Customer, by appropriate technical and organizational measures and to the extent possible, to fulfil the obligation to respond to requests by Data Subjects relative to the exercise of their rights;
      3. assist the Customer in ensuring compliance with applicable local laws and regulations and issuances of the Philippine National Privacy Commission, taking into account the nature of processing and the Customer Personal Data available to Instructure;
      4. make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in applicable local laws and regulations; and
      5. immediately inform the Customer if, in its opinion, a Direction from the Customer infringes any applicable local law, regulation or issuance of the Philippine National Privacy Commission.
    3. Instructure shall process Customer Personal Data contained in the Services in Australia and Singapore.
  10. Provisions relevant to Singapore
    1. Instructure shall comply with the Personal Data Protection Act 2012 to the extent that this applies to Data Processors and the Customer Personal Data to be Processed hereunder. Instructure shall host the Customer Personal Data contained in the Services in Australia and Singapore
  11. Provisions relevant to South Korea
    1. The provisions of this paragraph 11 apply: (i) where Instructure processes Customer Personal Data that originates from South Korea; or (ii) where Instructure is an entity located in South Korea.
    2. Instructure will comply with the Personal Data Protection Act (as amended), and the Act on Promotion of Data and Communications Network Utilization and Data Protection, etc., (as amended).
    3. Subject to the limitations and waivers of liability in the Agreement, Instructure shall be liable to the Customer for damages that it causes by any breach of provisions in this DPA.
    4. Instructure hosts the Services in Singapore for customers located in South Korea.
  12. Provisions relevant to Taiwan
    1. The provisions of this paragraph 12 apply where Instructure processes Customer Personal Data that originates from Taiwan or is the Customer Personal Data of Taiwanese national Data Subjects anywhere in the world. Instructure hosts the Services in Singapore for Customers located in Taiwan.
    2. Instructure will comply with the provisions of the current Taiwan Personal Information Act (the “PIPA”), the Enforcement Rules to the Personal Information Protection Act (the “PIPA Enforcement Rules”), and any other data protection regulations currently in force in Taiwan.
    3. Instructure will promptly assist the Customer:
      1. by implementing appropriate technical and organizational measures, insofar as this is possible taking into account the nature of the processing, to fulfil the Customer’s obligations to respond to requests from individuals exercising their rights under the PIPA which apply to the Customer (such as, but not limited to, rights to review, to copy, to rectify, to cease collection, processing, or use, or to erase Customer Personal Data);
      2. in ensuring compliance with the Customer’s obligations pursuant to Article 12 of the PIPA (prompt investigation of data breach and notice to individuals) and any applicable industry-specific regulations issued under Article 27 of the same (including but not limited to any industry-specific duty to notify the regulator of a data breach) taking into account the nature of the processing and the information available to Instructure; and
      3. by immediately informing the Customer if, in Instructure’s opinion, an instruction from the Customer to collect, process, or use Customer Personal Data violates the PIPA.
    4. Instructure shall adopt the technical and organizational measures set forth in Article 12(2) of the PIPA Enforcement Rules proportional to the purpose of the prevention of Customer Personal Data from being stolen, altered, damaged, destroyed or disclosed.
    5. In addition to informing the Customer of any serious interruption of Instructure’s processing operations, any suspicion of security breaches, or violation of the PIPA, the PIPA Enforcement Rules, or other Taiwan data protection regulations, Instructure shall inform the Customer of all remedial measures taken to remedy the interruption, breach, or violation.
    6. Instructure shall comply with any reserved instruction from the Customer and has an obligation to provide information evidencing compliance with any such reserved instruction to the Customer.
  13. Provisions relevant to China
    1. The provisions of this paragraph 13 apply where Instructure processes Customer Personal Data that originates from the People’s Republic of China.
    2. The definition of Customer Personal Data shall include all information specifically identified as "personal information" under the applicable local law.
    3. Instructure shall, at no additional cost, assist each Customer to obtain all consents necessary from the individuals regarding the collection, processing or use of Customer Personal Data in China.
    4. Instructure shall at all times comply with all applicable local law, including if applicable, the Cyber Security Law on the protection of personal information, as if Instructure were the user in respect of all Personal Identifiable Information.
    5. Instructure hosts the Services in Singapore for Customers located in China.
    1. South America: Instructure hosts the Services in the USA for customers located in South America.
  14. Provisions relevant to Brazil
    1. The provisions of this paragraph 14 apply where Instructure processes Customer Personal Data that originates from Brazil.
    2. The definition of “Data Protection Laws” includes the Lei Geral de Proteção de Dados (LGPD).
    3. The definition of “Security Breach” includes a security incident that may result in any relevant risk or damage to Data Subjects.
    4. The definition of “processor” includes “operator” as defined under the LGPD.
    5. To the extent Customer Personal Data is processed through the Internet, the provisions of the Brazilian Internet Act (Law 12,965/2014) must be observed. Instructure will comply with the so-called Habeas Data Law (Law 9,507/1997) to the extent applicable.
  15. Provisions relevant to Chile
    1. The provisions of this paragraph 15 apply where Instructure processes Customer Personal Data that originates from Chile.
    2. Instructure will comply with paragraph 15 of this Appendix 3.
    3. Instructure will comply with the Data Protection Act Nº 19.628, as amended. The substantive provisions of the Data Protection Act entered into force on October 27, 1999, and August 22, 2000.
  16. Provisions relevant to Colombia
    1. The provisions of this paragraph 16 apply where Instructure processes Customer Personal Data that originates from Colombia.
    2. Instructure will comply with paragraph 16 of this Appendix 3.
    3. For the purposes of this paragraph 16:
      1. Colombian GDP” shall mean the Colombian General Data Protection legal framework (Law 1581 of 2012 and Decree 1074 of 2015); and
      2. Customer Persona Data flows between Instructure and Customer will be understood as ‘data transmissions’ under the Colombian GDP.
    4. Instructure will comply with the following obligations:
      1. process Customer Personal Data only for the purposes authorized by the individuals who are the subjects of such information;
      2. process Customer Personal Data pursuant to the Customer’s instructions and privacy notice; and
      3. process Customer Personal Data pursuant to the principles set forth in the Colombian GDP.
  17. Provisions relevant to Mexico
    1. The provisions of this paragraph 17 apply where Instructure processes Customer Personal Data that originates from Mexico.
    2. Instructure will comply with paragraph 17 of this Appendix 3. 
    3. Instructure will comply with the security measures set out in Article 52 of the Mexican Data Protection Regulations (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares) where applicable.
    4. Instructure will process Customer Personal Data in accordance with the privacy notice of the Customer, provided that Customer shall ensure that the Customer’s privacy notice adequately describes the processing of Customer Personal Data by Instructure under the Agreement in a manner compliant with Mexican law.
  18. Provisions relevant to the Republic of Argentina
    1. The provisions of this paragraph 18 apply where Instructure processes Customer Personal Data that originates from the Republic of Argentina.
    2. Instructure agrees to comply with the obligations of a data importer as set out in the model contract titled Contrato Modelo de Transferencia Internacional de Datos Personales con Motivo de Prestación de Servicios adopted by the Data Protection Agency of the Republic of Argentina under Disposition 60 — E/2016 (the 'Argentinian SCCs’) for the transfer of personal data to data processors established in third countries.
    3. Instructure acknowledges that each Customer Affiliate in the Republic of Argentina will be a Customer. In particular, and without limiting the above obligation:
      1. Instructure agrees to grant third party beneficiary rights to Data Subjects, as set out in Clause 3 of the Argentinian SCCs, provided that Instructure's liability shall be limited to its own Processing operations; and
      2. Instructure agrees that its obligations under the Argentinian SCCs shall be governed by the laws of the Republic of Argentina in which the Customer Affiliates that are the data exporter(s) are established; and
      3. the details of the appendices applicable to the Argentinian SCCs are set out in Appendix 1 to this DPA.
    4. For the purposes of Annex A to the Argentinian SCCs, the data exporter is an educational institution; the data importer is an international education technology company and details about the data subjects, categories of data, processing operations and security measures are as set out in Appendix 1 to this DPA.
    5. Instructure shall neither apply nor use the Customer Personal Data for any purpose other than the one specified in this DPA nor shall Instructure, except as permitted in this DPA and the Agreement, communicate to other parties such Customer Personal Data, even for storage purposes. Once the corresponding contractual obligations have been performed, the Customer Personal Data processed must be destroyed, except where there is an express authorization given by the person for account of whom such services are rendered, by reason of a possibility of the Customer Personal Data being used for future services, in which case the Customer Personal Data may be stored under due security conditions for a maximum term of up to two (2) years. The parties agree to adopt confidentiality measures to protect the Customer Personal Data following section 9 of the Data Protection Act and its Regulations. Instructure shall process the Customer Personal Data following only instructions from the Customer.
    1. North America
  19. Provisions relevant to Canada
    1. The provisions of this paragraph 19 apply where Instructure processes Customer Personal Data that originates from Canada.
    2. Instructure shall comply with the Personal Information Protection and Electronic Documents Act and any provincial statute that is declared substantially similar pursuant to section 26(2)(b), where applicable Instructure shall promptly inform Customer if the location where the Customer Personal Data is stored ever changes.