Partner Program Terms and Conditions | Partners

1. SCOPE.        
   1. These Partner Program Terms and Conditions are between Instructure, Inc. and/or its Affiliates (“ Instructure ”) and the entity agreeing to these terms and conditions (“ Partner ”). An “ Order Form ” means any order for the provision of products or services signed by Partner. These terms and any applicable supplement or addendum related thereto (“ Supplement ”) are incorporated into the Order Form and together with the Order Form, form the “ Agreement .” To the extent there is any conflict between the Order Form, these Partner Program Terms and Conditions, or any Supplement related thereto, such conflict shall be resolved pursuant to the following order of precedence: (i) the Order Form, (ii) any applicable Supplement, and (iii) these Partner Program Terms and Conditions. 
   2. By signing this Agreement, Partner agrees to participate in the Instructure partner program. Additional information on the partner program is located at https://partners.instructure.com (“ Program Website ”).      
   3. Instructure and the Partner may be referred to herein each as a “Party” and collectively, as the “ Parties .” “ Affiliate ” with respect to Instructure means any entity that directly, or indirectly through one or more intermediaries’ controls, is controlled by or is under common control with such Party.
2. SERVICES AND RESTRICTIONS.

2.1 “ Services ” means the proprietary software as a service offering(s) provided by Instructure, together with any other related products and services to be provided by Instructure. “ Partner Applications ” means the applications, integrations and related content created by Partner that interface with Instructure products and Services. 

2.2 Prohibited uses of the Services shall include: (a) selling,  sublicensing, or otherwise transfering or providing access to the Services, or any output from the Services, to any third party, except as expressly authorized under this Agreement; (b) use of or access to the Services for competitive purposes; (c) copying, modifying, adapting, or creating derivative works from or any feature, function, interface or graphic, in the Services; (d) removing or modifying Instructure’s policies, notices or proprietary markings displayed within the Services or output from the Services; (e) using, interfering with, overloading, probing, scanning, disrupting, altering, translating, or modifying the Services, or circumventing the integrity of the Services or any of Instructure’s data, systems, or network; (f) permitting direct or indirect access to or using the Services in a way that circumvents the contractual usage limit; (g) attempting to gain unauthorized access to the Services, their related systems or networks; (i) using the Services to store or transmit any malicious code or data, infringing, libelous, or otherwise unlawful or tortious material, or material which violates any third-party privacy rights; (j) modifying, reverse engineering, decompiling, disassembling, decrypting, extracting, or otherwise attempting to derive or determine the source code, underlying ideas, algorithms, structure, organization, or training data associated with the Services; or (k) using the Services to distribute software or tools that gather information, distribute advertisements, or engage in conduct that may result in retaliation against Instructure or its data, systems, or networks. Violations of any of the foregoing prohibitions will be a material breach of this Agreement.  Use and access to the Application Program Interface (“ API ”) will be subject to the Instructure API Policy available at https://www.instructure.com/policies/api-policy .

3. PARTNER RESPONSIBILITIES . Partner shall have sole responsibility for use of the Services by users in compliance with this Agreement and the Acceptable Use Policy provided by Instructure (within the Services) and available at https://www.instructure.com/policies/acceptable-use   (the “ AUP ”), and Partner agrees to enforce such terms and conditions against its users. Partner further agrees to: (a) maintain the confidentiality and security of passwords and abide by any access protocols or credential requirements set by Instructure; (b) obtain from users any consents necessary under this Agreement or to allow Instructure to provide the Services; (c) use commercially reasonable efforts to prevent unauthorized access to or use of the Services; (d) notify Instructure promptly of any such unauthorized access or use of which it learns; and (e) cooperate reasonably in all respects with respect to implementation and maintenance of the Services.

4. TERM AND TERMINATION .   The initial term of this Agreement is stated on the Order Form (the “ Term ”) and shall continue for its full duration unless earlier terminated by a Party in accordance with this Section 4. Either party may terminate this Agreement for the material breach of any provision of this Agreement by the other party if such material breach remains uncured for thirty (30) days after receipt of written notice of such breach from the non-breaching party.  In the event the Agreement is terminated, all Order Forms are simultaneously terminated. Such termination right shall be in addition to any other rights and remedies that may be available to the non-breaching party. Any terms that by their nature survive termination or expiration of this Agreement, will survive (including Sections 4, 5, 6, 7, 9-19).

5. PAYMENT. There is no charge for participation in the Partner Program. However, if Partner would like to upgrade its membership to one of the Tiered Integration Partnership Benefits , Partner shall pay Instructure the amounts specified in the applicable Order Form within thirty (30) days of the invoice date (the “ Upgrade Fee ”). All amounts shall be stated (and payment made) in the applicable currency identified in the Order Form.  For each renewal term, Partner shall pay Instructure the applicable Upgrade Fee, unless Partner notifies Instructure in writing thirty (30) days prior to renewal of its intent to cancel the upgraded item. The Upgrade Fee and any other fees owed by Partner are exclusive of, and Partner shall pay, all sales, use, VAT, excise and other taxes that may be levied in connection with this Agreement. Except as expressly set forth in this Agreement, (a) payment obligations are non-cancelable and all fees are non-refundable; (b) fees are based on subscriptions purchased and not actual usage; and (c) quantities purchased cannot be decreased during the relevant subscription term.

6. PARTNER REPRESENTATIONS .  Partner represents that (a) it has the power and authority to validly enter into this Agreement and fulfill its obligations hereunder; (b) the execution and delivery of this Agreement does not violate or conflict with any other agreement, license, or obligation; (c) it has not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from or on behalf of any employees or agents of Instructure in connection with this Agreement; and (d) it is financially solvent and has the ability to perform its obligations hereunder.

7. TRADEMARK USAGE RIGHTS .  Partner shall not print or distribute any materials, including press releases, or make any other public statement or announcement, including via social media, relating to the terms and conditions of this Agreement or otherwise bearing Instructure’s name or mark(s), without first obtaining Instructure’s written approval. When written approval is provided by Instructure, such use shall be in accordance with Instructure’s brand guidelines found at https://www.instructure.com/about/brand-guide , which may be updated from time to time and solely in connection with this Agreement.  Partner agrees to allow Instructure to use its name, logo and non-competitive use details in both text and pictures in its various marketing communications and materials, in accordance with Partner’s brand guidelines and solely in connection with this Agreement.  Neither party may register any internet domain name using any tradename or trademark of the other party. The licenses granted in this Agreement set forth the full extent of each party’s rights to use, distribute, display, make available, and otherwise deal in the services, trademarks and Intellectual Property of the other party. Except for the rights and licenses expressly granted in this Agreement, nothing in this Agreement will be deemed to license or transfer to anyone any of either party’s Intellectual Property or proprietary rights.

8. INSTRUCTURE PROPRIETARY ASSETS AND RIGHTS. As between Partner and Instructure, Instructure owns, and shall retain all right, title and interest in (a) the Instructure Services and any and all other Instructure products; (b) all improvements, changes, enhancements and components, source code, object code, documentation, criteria, designs, report formats, know-how, underlying ideas, algorithms, or structure associated with the Services; (c) all other proprietary materials of Instructure and/or its licensors; (d) all individual questions on any assessment, as well as all revisions, modifications, translations, or other adaptations or transformations thereof; and (e) all intellectual property related to the aforementioned, including but not limited to, all copyrights, patents, trademarks and trade names, and trade secrets (“ Instructure Intellectual Property ”). The Instructure Intellectual Property is and shall at all times remain the sole and exclusive property of Instructure.  Instructure shall have the right, in its sole discretion, to modify any Instructure Intellectual Property. Notwithstanding the foregoing, the Partner Applications and all intellectual property rights therein shall remain the sole and exclusive property of Partner. 
9. MUTUAL CONFIDENTIALITY .  

7.1 Definition of Confidential Information.   Each Party acknowledges that it, or any entity that directly, or indirectly through one or more intermediaries’ controls, is controlled by or is under common control with such party (an “Affiliate”), or Instructure’s licensors, may disclose (in such capacity the “ Disclosing Party ”) Confidential Information to the other Party or its Affiliates or Instructure’s licensors (in such capacity, the “ Receiving Party ”) in the performance of this Agreement. As used herein, “ Confidential Information ” means  includes, without limitation, any and all non-public, confidential and proprietary information, data, or know-how, including all Personal Information (as defined in Section 15 below) and information about the Disclosing Party’s businesses, operations, finances, properties, employees, relationships with third parties, plans, trademarks, trade secrets, and other intellectual property and all analyses, compilations, forecasts, studies, summaries, notes, reports, memoranda, interpretations, data, and other materials which contain or are generated from the Confidential Information, whether disclosed in writing, orally, electronically, or by other means, and whether or not identified as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. For the avoidance of doubt, any non-public aspect of the Services will be considered the Confidential Information of Instructure or Instructure’s licensors. 

7.2 Protection of Confidential Information.  Accordingly, the Receiving Party shall: (a) protect the Confidential Information using the same degree of care that it uses to protect the confidentiality of its own Confidential Information (but in no event less than reasonable care); (b) keep the Confidential Information disclosed by the other Party confidential; (c) use Confidential Information only for purposes of fulfilling its obligations and exercising its rights hereunder; and (d) disclose such Confidential Information only to the Receiving Party’s employees or Affiliates who have a need to know and only for the purposes of fulfilling this Agreement or to the extent required by law.

7.3 Exclusions. Confidential Information shall not include information that: (a) is or becomes generally known to the public as a matter of public knowledge through no fault of the Receiving Party without breach of any obligation owed to the Disclosing Party; (b)  was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (c) is rightfully received by the Receiving Party from a third party without a duty of confidentiality or knowledge of breach of any obligation owed to the Disclosing Party; (d) is was independently developed by the Receiving Party without the use of any Confidential Information of the Disclosing Party; or (e) is identified by the Disclosing Party in writing as no longer confidential and proprietary. 

7.4 Compelled Disclosure. Notwithstanding the restrictions above, the Receiving Party may disclose the Confidential Information pursuant to law, regulation, subpoena or court orders, provided that the Receiving Party promptly notifies the Disclosing Party in writing prior to making any such disclosure to permit the Disclosing Party, at the Disclosing Party’s cost, an opportunity to prevent disclosure or seek an appropriate remedy from the proper authority. The Receiving Party agrees to cooperate with the Disclosing Party in seeking such order or other remedy. The Receiving Party further agrees that if the Disclosing Party is not successful in precluding the requesting legal body from requiring the disclosure of the Confidential Information, it will furnish only that portion of the Confidential Information which is legally required (based on the advice of counsel) and will exercise all reasonable efforts to obtain reliable assurances that confidential treatment will be afforded the Confidential Information. Further, any information obtained by monitoring, reviewing, or recording is subject to review by law enforcement organizations in connection with investigation or prosecution of possible criminal or unlawful activity on the Service as well as to disclosures required by or under applicable law or related government agency actions. Instructure will also comply with all court orders or subpoenas involving requests for such information.

10. CONDUCT OF BUSINESS AND NON-SOLICIT . Partner must conduct its business in a manner favorably representing Instructure and its technology. Partner agrees to maintain the quality of the Partner Applications such that they remain current, in good taste, and compliant with all applicable laws, rules and regulations. Partner is solely responsible for providing all support and assistance to end users of the Partner Applications. 

In no event may either party make any representations, warranties, or guarantees on behalf of the other party.

During the term of this Agreement and twelve (12) months after expiration or termination, Partner will not attempt to recruit or solicit for employment or hire any Instructure employee or contractor without the prior written approval of Instructure. The posting of any general recruitment advertisement by Partner in the normal course of business without specifically targeting or approaching the personnel of Instructure, and any employment of Instructure’s personnel that results from such general recruitment advertisement, shall not be deemed a violation of this Section 10. 

11. LIMITATION OF LIABILITY. NOTHING IN THIS AGREEMENT SHALL LIMIT OR EXCLUDE EITHER PARTY’S LIABILITY FOR: (A) DEATH OR PERSONAL INJURY CAUSED BY ITS NEGLIGENCE; (B) FRAUD OR FRAUDULENT MISREPRESENTATION; OR (C) ANY OTHER LIABILITY WHICH CANNOT BE LIMITED OR EXCLUDED BY APPLICABLE LAW. SUBJECT TO THE PRECEDING SENTENCE, NEITHER PARTY HAS ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR CONSEQUENTIAL, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR OTHER INDIRECT DAMAGES (INCLUDING WITHOUT LIMITATION, LOST PROFITS OR LOSS OF REVENUE), OR THE USE OR INABILITY TO USE THE SERVICES (INCLUDING, WITHOUT LIMITATION, COSTS OF DELAY, LOSS OR INACCURACY OF DATA, RECORDS OR INFORMATION, COST(S) OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, AND ANY FAILURE OF DELIVERY OF THE SERVICES), EVEN IF EITHER PARTY IS AWARE OF THE LIKELIHOOD OF SUCH DAMAGE. EXCEPT FOR (i) PARTNER’S PAYMENT OBLIGATIONS IN SECTION 5, OR (ii) A PARTY’S INDEMNITY OBLIGATIONS IN SECTION 13, IN NO EVENT SHALL EITHER PARTY’S TOTAL AND CUMULATIVE LIABILITY TO THE OTHER PARTY ARISING UND ER OR RELATED TO THIS AGREEMENT EXCEED THE GREATER OF $50 OR THE AMOUNT PAID BY PARTNER UNDER THIS AGREEMENT WITHIN THE 12 MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO LIABILITY, WHICHEVER IS GREATER .

12. WARRANTY DISCLAIMER. INSTRUCTURE DISCLAIMS ALL WARRANTIES, WHETHER WRITTEN, ORAL, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, TITLE, ACCURACY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. INSTRUCTURE DOES NOT WARRANT (A) THE FUNCTIONALITY OR FEATURES OF ANY THIRD-PARTY SERVICE USED IN CONNECTION WITH THE SERVICE; (B) THE RESULTS OR OUTCOMES FROM USE OF THE SERVICES WILL BE UNINTERRUPTED, SECURE OR ERROR-FREE; OR (C) THE VALIDITY, FAIRNESS OR QUALITY OF ANY CONTENT PROVIDED BY INSTRUCTURE.

13. INDEMNIFICATION. Instructure will indemnify and defend Partner from and against any and all losses, liabilities, and claims (including reasonable legal fees) arising out of any claim by a third party alleging that the Services infringe or misappropriate the intellectual property rights of that third party. Notwithstanding the foregoing, Instructure shall not be obligated to indemnify Partner if any Fees remain unpaid after they become due or where  such infringement or misappropriation claim arises from: (a) the Partner’s content or Partner Application; (b) Partner's misuse of the Services, including any use of the Services by unauthorized users or after the termination of the Agreement; or (c) Partner's use of the Services in combination with any products, services, or technology provided by a party other than Instructure. If such a claim of infringement or misappropriation is made or threatened, Instructure may, in its sole discretion: (i) modify the Services so that they become non-infringing; (ii) obtain a license for Partner to continue its use of the Services; or (iii) notwithstanding Instructure's obligation to indemnify hereunder, terminate the Agreement with no liability to Partner. The aforesaid remedies are Partner’s sole and exclusive remedies for any third-party claims of infringement or misappropriation of intellectual property rights relating to the Services. To the extent permitted under applicable law, Partner will indemnify and defend Instructure from and against any and all losses, liabilities, and claims (including reasonable legal fees) arising from: (a) the Partner’s acts or omissions; (b) any claim by a third party regarding the Partner Application or use of the Services by Partner (or any of its customers or users) in violation of this Agreement; or (c) a breach of Partner’s data protections set forth in the Agreement. The party seeking indemnification (the “ Indemnified Party ”) shall provide the other party (the “ Indemnifying Party ”) with prompt written notice upon becoming aware of any claim subject to indemnification hereunder and shall provide reasonable cooperation to the Indemnifying Party in the defense of or investigation of any claim, suit or proceeding. The Indemnifying Party, at its option, will have sole control of such defense, provided that the Indemnified Party is entitled to participate in its own defense at its sole expense. The Indemnifying Party shall not enter into any settlement or compromise of any such claim, suit or proceeding without the Indemnified Party's prior written consent, except that the Indemnifying Party may without such consent enter into any settlement of a claim that resolves the claim without liability to the Indemnified Party and without impairment to any of the Indemnified Party's rights or requiring the Indemnified Party to make any admission of liability. 
14. AI .  To the extent Partner develops and offers its AI technology (the “ AI Product ”) to Instructure Customers through the Instructure AI Marketplace, the Addendum for AI Partners (the “ AI Addendum ”) set forth in Exhibit A is incorporated into this Agreement.  The AI Addendum shall be deemed an integral part of this Agreement and subject to the same terms, conditions and obligations as set forth herein. In the event of any conflict or inconsistency between the provisions of this Agreement and the AI Addendum, the provisions of the AI Addendum shall prevail.   
15. COMPLIANCE . Each party will comply with all applicable laws, regulations and policies with respect to its activities under this Agreement, including the Partner Data Processing Addendum described in Exhibit B. Except for the Partner’s credentials used to access the services and contact data, you may not transfer, or cause to be transferred, or input personally identifiable information into the Services without notifying Instructure in writing.              

16. NOTICES. Any notice by a party under this Agreement shall be in writing and either personally delivered or sent via email or reputable overnight courier (such as Federal Express) or certified mail, postage prepaid and return receipt requested, addressed to the other party at the address specified below or such other address of which either party may from time to time notify the other in accordance with this Section 15. A copy of all notices to Instructure shall be sent to: Instructure, Inc., 6330 South 3000 East, Suite 700, Salt Lake City, UT 84121, Attention: General Counsel and, if by email, to Legal@instructure.com. For purposes of service messages and notices about the Services, Instructure may place a banner notice or send an email to an email address associated with an account. All notices shall be in English and shall be deemed effective upon receipt. 

17. NON-PERFORMANCE AND RELIEF . Either party may apply to a court of competent jurisdiction for injunctive or other appropriate equitable relief restraining any threatened or actual breach of this Agreement. Each party waives any requirement that the other party post any bond or other security in the event any injunctive or equitable relief is sought by or awarded to enforce any provision of this Agreement. Instructure will not be liable for failure or delay in  performance to the extent caused by circumstances beyond its reasonable control, including, but not limited to, acts of God, natural disasters, pandemics, actions or decrees of governmental bodies, changes in applicable laws, or communication or power failures. 

18. CHOICE OF LAW.   To the extent that the Instructure entity on the Order Form is Instructure, Inc., this Agreement shall be interpreted, governed, and construed by the laws of the State of Delaware, without regard to principles of conflict of laws. To the extent that the Instructure entity on the Order Form is Instructure Global Limited, this Agreement shall be interpreted, governed, and construed by the laws of England and Wales without regard to principles of conflict of laws and the parties hereby submit to the exclusive jurisdiction of the English courts.

19. CHANGES TO THIS AGREEMENT .  Instructure may amend, revise or update these Partner Program Terms and Conditions at any time by posting a revised version on the Program Website.  By continuing to use the Service after the effective date of any modifications, Customer consents to be bound by the modified terms. To the extent, in Instructure’s sole discretion, Instructure determines that such amendment, revision, or update results Instructure us engaging in more permissive data practices, or materially changes Partner’s rights or obligations, Instructure will notify Partner of the modifications in writing, such as by email.

20. GENERAL. Instructure is acting in performance of this Agreement as an independent contractor to Partner. If any term of this Agreement is invalid or unenforceable, the other terms remain in effect and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law. This Agreement constitutes the entire agreement between the parties with respect to the subject matter of this Agreement, and any prior representations, statements, and agreements relating thereto are superseded by the terms of this Agreement. Instructure rejects additional or conflicting terms of any Partner form-purchasing document. Partner shall not assign this Agreement, in whole or in part, to any entity without Instructure’s prior written consent. Any attempt by Partner to assign this Agreement, in whole or part, in contravention of this Section 20, shall be void. This Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their successors and permitted assigns. Other than in respect of Instructure’s Affiliates, this Agreement does not create any third-party beneficiary rights in any individual or entity that is not a party to this Agreement. Any failure by either party to enforce the other party's strict performance of any provision of this Agreement will not constitute a waiver of its right to subsequently enforce such provision or any other provision of this Agreement. No one other than a party to this Agreement, their successors and permitted assignees, shall have any right to enforce any of its terms.      

By executing this Agreement below, each party indicates that it has read, understands and agrees to be legally bound by this Agreement.

Instructure, Inc. Partner:

Signature: ___________________________ Signature: ___________________________

By: ____________________________ By: ___________________________

Title: ____________________________ Title: ___________________________

Address: _____________________________ Address:

6330 S 3000 E, Suite 700

_____________________________ Salt Lake City, UT 84121

Exhibit A

Addendum for AI Partners      

Instructure and Partner are entering  into Partner Program Terms and Conditions (the “ Partner Terms and Conditions ”) to develop and offer Partner’s AI technology (the “ AI Product ”) to Instructure Customers through the Instructure AI Marketplace (the “ Partnership ”).

The parties agree to incorporate this AI Addendum as an integral part of the Partner Terms and Conditions. This AI Addendum shall be read in conjunction with the Partner Terms and Conditions, and both documents shall be collectively referred to as the " Agreement ."

In the event of any conflict between the provisions of the Partner Terms and Conditions and this AI Addendum, the provisions of this AI Addendum shall control and prevail. All capitalized terms not defined herein shall have the same meaning ascribed to them in the Partner Terms and Conditions.

1.     Definitions

1.1. " AI Product ” means any AI system and/or technology provided by Partner to Instructure Customers including, but not limited to, data science models, generative artificial intelligence,  and algorithms and includes any AI Product integrated with, incorporated into, or part of the Services. 

1.2. “ AI Marketplace ” means a forum located at https://app.learnplatform.com/marketplace/ where Instructure Customers can buy and/or bundle AI Products for use with Canvas.

1.3. “ Instructure Customer ” means a third party that has purchased the AI Product through the AI Marketplace.

1.4. “ Instructure AI Data ” means (a) all data, content, information, Instructure Intellectual Property, inclusive of metadata, and all other materials provided by Instructure or an Instructure Customer, or made available to Partner, in connection with the Partnership, including but not limited to any inputs or other information provided to the AI Product; (b) the results or outputs of the AI Product, including any analysis, compilation, summary, interpretation, study, report or other document, record or material that is or has been prepared by Partner in connection with the Agreement; and (c) any AI Product trained upon, updated by, improved by, or that has otherwise processed any information of the type referred to in clauses (a) or (b), including any associated weights, parameters, or other attributes of any such AI Product.

2.   Partner Restrictions .   Partner shall not use Instructure AI Data for the development, creation, enhancement, operation or implementation of any AI Product or any machine learning or other artificial intelligence process, system, model, algorithm, service or product (including any artificial intelligence “training”) other than as expressly provided herein for exclusive use under the Partnership.

3.    Partner Obligations . In addition to Partner’s other obligations under the Partner Terms and Conditions, Partner agrees to provide Instructure with technical assistance, documentation, and information in response to Instructure’s and third-party’s questions about the operations and functions of the AI Product, including any audits of the AI Product, and training data of the AI Product as necessary in order to demonstrate, for example, safety, reliability, security, accountability, transparency, explainability, and fairness of the AI Product. Partner agrees to provide Instructure with access to any data originating from the Partnership. Partner is under no obligation to share data containing personally identifiable information or data otherwise prohibited by law from sharing.  Partner agrees to provide appropriate notices, labels, warnings, disclaimers, or other information on the AI Product and any output or results of the AI Product as required by law or Instructure.

4.   Indemnification Obligations .  In addition to Partner’s other indemnity obligations under the Partner Terms and Conditions, Partner will indemnify and defend Instructure from and against any and all losses, liabilities, and claims (including reasonable legal fees) arising from: (a) any claim by a third party concerning the results or outputs of the AI Product, including but not limited to claims that the results or outputs infringe or misappropriate the intellectual property rights of that third party; and (b) any claim by a third party that Partner’s use of training data to create the AI Product infringes or misappropriates the intellectual property rights of that third party.

5.   Revenue Share . Partner and Instructure agree that Instructure will be paid a commission equal to thirty percent (30%) (the " Revenue Share Percentage ") of the Net Revenues generated through the sale of AI Product. “ Net Revenues '' shall be calculated as the gross revenue received from Instructure Customers for the purchase of the AI Product through the AI Marketplace, less (i) any taxes, duties or similar government charges imposed on the sale of the AI Product, (ii) any credits issued to Instructure Customers in connection with the AI Product, and (iii) any reasonable expenses incurred by Instructure directly attributable to the offering and sale of the AI Product. The Revenue Share Percentage shall be payable to Instructure on a monthly basis and such payments shall be accompanied by a statement detailing the calculation of Net Revenues for such period. In the event that Partner fails to make any payment of the Revenue Share Percentage, Partner shall pay interest on such overdue amount at a rate of 1.5% per month, compounded monthly or the maximum rate permitted by applicable law, whichever is lower. Each party shall be responsible for any taxes imposed on its own income, except for taxes based on the other party's income. The provisions of this Section 5 shall survive the termination or expiration of the Agreement for any reason.
 

Exhibit B

Instructure Partner Data Processing Agreement

This Instructure Partner Data Processing Agreement (“ DPA ”) is entered into by and between Partner and Instructure. This DPA and the Schedules form part of the Partner Program Terms and Conditions (the “ Agreemen t”). References to the Agreement will be construed as including this DPA. Capitalized terms not defined herein shall have the meanings as set forth in the Agreement.

How this DPA Applies: This DPA consists of two parts: the main body of the DPA, and the Schedules. The Schedules only apply to the extent that Partner is providing the Services in the geographical regions described in each Schedule.

Schedule 1 – Description of the Processing/Transfer

Schedule 2 – Instructure Security Standards Addendum

Schedule 3 – Compliance Addendum

Schedule 4 – U.S. State Privacy Laws Addendum

Schedule 5 – EU & UK Addendum

1. DEFINITIONS. In this DPA, the following terms shall have the meanings set out below.
   1. “ Affiliates ” means any entity which is controlled by, controls, or is in common control with a Party. 
   2. “ Authorized Person ” means any person Partner authorizes to process Personal Data including Partner’s staff, agents, contractors, Subprocessors, and subcontractors.
   3. “ Controller ” means the entity which determines the purposes and means of the Processing of Personal Data. 
   4. “ Data Protection Laws ” means any and all laws and regulations protecting the fundamental rights and freedoms of natural persons and their right to privacy with regard to the processing of Personal Data and any applicable international, national, local or regional data protection, privacy or security laws each as may be amended, replaced, supplemented or superseded from time to time .  
   5. “ Data Subject ” means an identified or identifiable natural person (i.e. one who can be identified, directly or indirectly, in particular to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or society of that natural person) whose Personal Data is Processed by Data Processor, as may be more fully set forth in the Data Protection Laws, and shall be meant to include any different but similar term used in the Data Protection Laws.
   6. “ Data Subject Right(s) ” means a Data Subject’s rights as defined by Data Protection Laws.
   7. “ De-Identified Data ” and “ De-Identification ” means data and information where all personally identifiable information has been removed or obscured, such that the remaining information does not reasonably identify a specific individual, including, but not limited to, any information that, alone or in combination is linkable to a specific Data Subject. 
   8. “ Personal Data ” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under Data Protection Laws) provided received or accessed by Partner under the Agreement. 
   9. “ Processor ” means the entity which Processes Personal Data on behalf of the Controller. 
   10. “ Processing ” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“ Process ”, “ Processes ” and “ Processed ” shall have the same meaning).
   11. “ Partner Services ” shall mean, as applicable, the Partner Product, AI Product, the AI Marketplace, and co-marketing activities performed by the parties.
   12. “ Sell, ” “ Selling ,” “ Sale ,” and “ Sold ” shall have the meanings provided under Data Protection Laws. 
   13. “ Security Breach ” means the actual, or reasonably suspected unauthorized access, disclosure, loss, or alteration of Personal Data Processed by Partner (or its Subprocessors), or unauthorized access to Partner’s equipment or facilities resulting in loss, disclosure, or alteration of Personal Data. 
   14. “ Subprocessor ” means any entity engaged by a Partner to Process Personal Data for the Partner Services.
2. PROCESSING OF PERSONAL DATA.
   1. Role of the Parties. The Parties agree that regarding the Processing of Personal Data under the Agreement, Instructure is the Controller and Partner is a Processor. 
   2. Processing of Personal Data . Partner shall only Process Personal Data to the extent necessary to perform the Partner Services and as specified in the Agreement and only in accordance with the Controller’s written instructions. Instructure hereby instructs Partner to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and this DPA;  and (ii) Processing to comply with other reasonable written instructions by Instructure that are consistent with the terms of the Agreement.  The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1.
      1.  Partner agrees that it shall, in its capacity as Processor in Processing Personal Data (i) Provide at least the same level of protection to Personal Data as is required by this DPA and Data Protection Laws; (ii) Immediately notify Instructure if it determines that it can no longer meet its obligation to provide the same level of protection as is required by the Data Protection Laws and this DPA, and in such event, to work with Instructure to take prompt, reasonable and appropriate steps to stop and remediate any Processing until such time as the Processing meets the level of protection as is required by the Data Protection Laws and this DPA; (iii) Implement and maintain throughout the term of this DPA appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and accidental destruction or loss, so as to allow Instructure to comply with the requirement to implement appropriate technical and organizational security measures, in accordance with the Schedule 2 (Instructure Security Standards Addendum), and applicable Data Protection Laws; (iv) At Instructure’s sole election, to cease Processing Personal Data promptly if in the Instructure’s reasonable determination, Partner is not providing the same level of protection to Personal Data as is required by the Data Protection Laws or this DPA; (v) Keep or cause to be kept full and accurate records relating to all Processing of the Personal Data; (vi) Provide all assistance reasonably required by Instructure to respond to, comply with or otherwise resolve any request, question or complaint relating to Personal Data made to it that is received from any regulatory or data protection authority; (vii) Take all reasonable steps to ensure the reliability of any of its employees who have access to the Personal Data; (viii) Appoint a Data Protection Officer if this is legally required by the Data Protection Laws. Partner shall promptly notify the Instructure of the appointment and the contact information of the Data Protection Officer. If not legally required, assign responsibility for compliance with this DPA to a designated person or group within the Partner. 
      2.  Partner agrees that is shall not, in its capacity as Processor:
         1. Disclose Personal Data to any third-party other than (a) for the purposes of complying with Data Subject access requests and Data Subject Rights (as described in Section 3 (Rights of Data Subjects)) or in accordance with the Data Protection Laws, and (b) in accordance with Section 6 (Subprocessors), as applicable, unless required by applicable law to which Partner is subject; in such a case, Partner shall notify Instructure of such requirement before disclosing the Data, unless that law prohibits such notification.
         2. Include Personal Data in any product or service offered by Partner to third parties nor Sell, transfer, or otherwise disclose any Data that has been anonymized to any third-party, nor aggregate Controller’s Personal Data, or any part of it, into a larger data set with other data whether anonymized or not, except only as necessary to provide the Partner Applications and/or AI Product.
         3. Except for those pre-approved Subprocessors that are engaged in the performance of the Partner Applications and/or AI Product, share or allow access to Personal Data to any third-party for further Processing by that third-party or its agents (except for the purposes of mere routing of Personal Data through a third-party telecommunications carrier).
         4. Shall not Sell, or share for targeted advertising purposes, Personal Data except as expressly instructed by Instructure.  
3. RIGHTS OF DATA SUBJECTS.  Partner shall provide Instructure with commercially reasonable cooperation and assistance in relation to the handling and resolution of a Data Subject rights request. Partner shall promptly notify Instructure, but in no less than 72 hours, if it receives a request from a Data Subject to exercise a Data Subject right. Partner shall not respond to any such Data Subject request without Instructure’s prior written consent except to confirm that the request relates to Instructure. 
4. PROCESSOR PERSONNEL.  Partner shall ensure that all Authorized Persons are subject to a strict duty of confidentiality (whether a contractual or statutory duty). Partner shall not permit any person to Process Personal Data who is not under a duty of confidentiality. Partner shall ensure that all Authorized Persons Process the Personal Data only as necessary for the provision of the Services. Partner shall ensure that Authorized Persons access to Personal Data is limited to those individuals who require such access to perform the Services. Partner shall require all Authorized Persons who have access to Personal Data to comply with all applicable provisions of this DPA and Data Protection Laws. 
5. ADVERTISING LIMITATIONS. Partner is prohibited from using, disclosing, or selling Personal Data to (i) inform, influence, or enable targeted advertising; or (ii) develop a profile of any Data Subject except as permitted under the Agreement. 
6. SUBPROCESSORS.
   1. Appointment of Subprocessors: Instructure acknowledges and agrees that: (a) Partner Affiliates may be retained as Subprocessors; and (b) Partner may engage the Subprocessors listed in Schedule 1 – Annex I in connection with the provision of the Partner Services. Any such Subprocessors will be permitted to Process Data only to deliver the services Partner has retained them to provide and are prohibited from using Data for any other purpose. 
   2. Liability. Where a Subprocessor fails to fulfill its data protection obligations, Partner shall remain fully liable to Instructure for the performance of that Subprocessor's obligations. Partner shall be fully liable for the acts and omissions of its Subprocessors as if the Partner performed those acts and omissions themselves.
   3. Due Diligence. Before a Subprocessor first Processes Personal Data, Partner shall carry out adequate due diligence to ensure that the Subprocessor can provide the level of protection for Personal Data required by this DPA and Data Protection Laws.
   4. Obligations to be imposed on Subprocessors. Where Partner engages a Subprocessor, substantially the same data protection obligations as set out in this DPA shall be imposed on that Subprocessor by way of a written contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures, including measures substantially similar to the obligations described in Schedule 2 (Instructure Security Standards), in such a manner that the Processing will meet the Data Protection Laws and the requirements of this DPA.
   5. Right to Information. Instructure has the right to obtain information from the Partner, upon written request, on the substance of the contract and the implementation of the data protection requirements as between Partner and Subprocessor, where necessary by inspecting the relevant contract documents.
   6. Notification of Subprocessor Changes/Appointment . Partner shall inform Instructure of any intended changes to Subprocessors concerning the addition or replacement of a Subprocessor giving Instructure and/or the Controller the opportunity to object to such changes. Partner shall provide the full details of the Processing to be undertaken by the Subprocessor. If, within 30 days of receipt of that notice, Instructure notifies Partner in writing of any objections (on reasonable grounds) to the proposed appointment, Partner shall not appoint that proposed Subprocessor.
7. INTERNATIONAL TRANSFERS. Partner shall not transfer Data (nor permit the onward transfer of Personal Data) out of approved regions (which shall be approved in advance in writing by the parties) unless it has first obtained Instructure’s prior written consent.
8. GOVERNMENT ACCESS REQUESTS.
   1. If Partner receives a legally binding request to access Personal Data from a governmental authority, Partner shall, unless otherwise legally prohibited, promptly notify Instructure without undue delay, but in no more than 72 hours. Such notice shall include a summary of the nature of the request. To the extent Partner is prohibited by law from providing such notification, Partner shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable Partner to communicate as much information as possible, as soon as possible. 
   2. Partner shall challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful. Partner shall pursue possibilities of appeal. When challenging a request, the Partner shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. Partner shall not disclose the Personal Data requested until required to do so under the applicable procedural rules. Partner agrees it will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. 
9. AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS.
   1. No more than once per year, or (a) following a Security Breach, or (b) as required by regulatory bodies or supervisory authorities, Partner will allow Instructure to audit (i) Partner’s compliance with this DPA, (ii) Partner’s compliance with applicable Data Protection Laws, and (iii) Partner’s security and privacy measures that are in place to ensure protection of Personal Data or any portion thereof as it pertains to the delivery of the Partner Services or the Processing of Personal Data.
   2. Partner will cooperate with any regulatory body with oversight authority or jurisdiction in connection with audit of investigation of Instructure, or the delivery of the Services or Partner Services and shall provide reasonable access to Partner’s facilities, staff, agents, Personal Data, and all records pertaining to the Partner and delivery of the Services. Failure to reasonably cooperate with this Section 9 shall be deemed a material breach of this DPA.
   3. Partner will cooperate with Instructure where Instructure is conducting a privacy impact assessment or data privacy impact assessment.
10. RETURN AND DELETION OF PERSONAL DATA.  Partner shall return and/or securely delete all Personal Data, at Instructure’s sole discretion, within 90 days after termination of the Agreement, or within 30 days upon receipt of written request by Instructure. Until the Personal Data is deleted or returned, the Partner shall continue to ensure compliance with the provisions of this DPA. Upon written request from Instructure, Partner shall promptly certify in writing that it has returned or destroyed (as the case may be) the Personal Data and has not retained copies of any Personal Data. In any event, during the term of the Agreement, Instructure shall notify Partner of all Personal Data that is no longer in use and obtain from Partner written confirmation of the Personal Data being deleted and purged from the Partner services and systems, including backup and recovery systems, and all archival storage media.
11. INDEMNIFICATION.  In addition to any indemnification obligations set forth in the Agreement, Partner shall indemnify, defend, and hold harmless Instructure its Affiliates and their respective shareholders, officers, directors, contractors, representatives, and employees (“ Indemnified Parties ”), from, against and in respect of any losses, liabilities, damages, judgements, claims, causes of action, penalties, assessments, fines, charges, liens, costs and expenses (including, without limitation, reasonable attorneys’ fees and paraprofessionals’ fees, notification and mitigation costs, and court costs) arising out of or related to a Security Breach or Partner’s violation of Data Privacy Laws, including, but not limited to, the misuse, unauthorized access, mishandling, theft by or theft from the Partner or its employees, independent vendors and/or agents (or any person conspiring with the any of the foregoing) of any Personal Data. Partner agrees that any Security Breach, including, but not limited to, unauthorized use or disclosure of Personal Data may cause immediate and irreparable harm to the Indemnified Parties for which money damages may not constitute an adequate remedy. In that event, Partner agrees that injunctive relief may be warranted in addition to any other remedies Indemnified Parties may have. In addition, Partner agrees to take all steps at its own expense reasonably requested by the Indemnified Parties to limit, stop, or otherwise remedy a Security Breach.

Schedule 1 - Description of the Processing/Transfer

1. LIST OF PARTIES

Data exporter(s).  

Name: Instructure Global Limited

Address: Birchin Court 5 th Floor, 19-25 Birchin Lane, London EC3V 9DU UK

Contact person’s name, position and contact details: DPO, privacy@instructure.com

Activities relevant to the data transferred under these Clauses: The provision of Services as described in the Agreement.

Signature and date: As described in the Agreement. 

Role (controller/processor): Processor

Data importer(s).  

Name : As described in the Agreement  

Address : As described in the Agreement

Contact person’s name, position, and contact details: As described in the Agreement.

Activities relevant to the data transferred under these Clauses : As described in the DPA

Signature and date: As described in the Agreement.

Role (controller/processor): As described in Section 2 the DPA.  

Categories Of Data Subjects Whose Personal Data Is Processed and/or Transferred . 

Instructure employees, prospective customers, users that participate in the AI Marketplace or users of the Partner Service.

2. Categories of Personal Data that are Processed and/or Transferred. Demographic data (such as name, email address, phone number, institutional affiliation, address), technical and metadata (such as IP address, cookie data, log data), or any other Personal Data Processed by the Partner Services.
3. Sensitive Data Processed and/or Transferred (if Applicable). Not Applicable.
4. The frequency of the Transfer. Continuous for the term of the Agreement.
5. Nature of the Processing. Performance of the Partner Services.
6. Purpose(s) of the Data Transfer and Further Processing. Performance of the Partner Services described in the Agreement.
7. Duration of the Processing. Continuous for the term of the Agreement.
8. Subprocessor Transfers. As described in Section 6 of the DPA and Annex I of this Schedule.
9. Competent Supervisory Authority. The Information Commissioner’s Office of the UK.
10. Technical and Organizational Measures Including Technical And Organizational Measures to Ensure The Security of the Data. The applicable technical and organizational measures are described in Schedule 2 – Instructure Security Standards Addendum.

ANNEX I – LIST OF SUBPROCESSORS

Instructure provides specific authorization for Partner to use Subprocessors in use as of the effective date of Agreement. Partner agrees to provide Instructure with a list of such Subprocessors within 3 days of written request.

Schedule 2 – Instructure Security Standards Addendum

This Instructure Security Standards Addendum is incorporated into and made a part of the DPA to which it is attached for the Services as more particularly described in the Agreement. Capitalized terms not otherwise defined herein shall have the meaning set forth in the DPA or the Agreement. 

1. SECURITY REQUIREMENTS.
   1. Security Standards. Partner represents and warrants that it has an industry standard security program and shall maintain appropriate technical and organizational measures (“ Security Standards ”) to ensure the security, confidentiality, and integrity of Instructure Data against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to Personal Data. The Security Standards shall include, but are not limited to: (a) physical access controls, (b) logical access controls, (c) annual penetration testing of Partner’s networks, (d) intrusion detection and prevention systems, (e) business continuity and disaster recovery program, (f) encryption of Instructure or Customer Personal Data while in transit and at rest in Partner’s networks or computing systems, (g) two-factor authentication for access Partner’s networks or computing systems, (h) email security controls, (i) security, error and access logging that is retained for at least 180 days, (j) malware protection on Partner’s network and computing systems, (k) appropriate security policies including, but not limited to, information security, risk management, security incident response, vulnerability management, policy management and maintenance, data access request, change management, and system access, (l) annual security and privacy training for all employees, staff, contractors, Subprocessors, agents, and subcontractors, and (m) incident response policy that is tested regularly.
   2. Network Security.  
      1.   If access to Instructure’s Services or system is required in order to fulfill the Partner Services, Partner is responsible for all use of and access such networks and systems by its Authorized Persons and permitted Subprocessors, and Instructure maintains the right to monitor all user activity and revoke access due to noncompliance to its security policies. 
      2.   Partner agrees that its network security policy will only allow authorized users access and will deny all unauthorized access. 
      3.   Partner represents and warrants that in accessing Instructure systems, Partner, its Authorized Persons will not run any process, audit, or the like, that collects, retrieves, extracts, or otherwise provides access to data, system information, or the like without Instructure’s prior written consent except solely to the extent required to provide the Partner Services. Partner further represents and warrants that in accessing Instructure systems or the Services, no computer instructions, circuitry or other technological means will be introduced those systems the purpose of which or effect is to disrupt, damage, extract information from or interfere with Instructure computers, communications facilities or equipment and their use (" Harmful Code "), and Partner shall prevent the introduction of such Harmful Code in accessing Instructure systems or the Services prior to delivery of such Services. Harmful Code includes, without limitation, any code containing viruses, Trojan horses, worms or like destructive code or code that self-replicates, or cryptocurrency mining tools.
      4.   Partner certifies that Partner (a) has not purposefully created back doors or similar programming for the purpose of allowing access to the Partner Services and/or Personal Data by any governmental authority; (b) has not purposefully created or changed its business processes in a manner that facilitates access to the Partner Services and/or Personal Data by any governmental authority; and (c) is not currently aware of any national law or government policy requiring Partner to create or maintain back doors, or to facilitate access to the Partner Services and/or Personal Data, to keep in its possession any encryption keys or to handover the encryption key to any third-party.
   3. Third-Party Certifications and Audits. Partner must meet the following assessment standards throughout the term of the Agreement, (a) valid ISO/IEC 27001 Certification, or (b) current AICPA SOC 2 Type II with no major findings, or (c) completed third-party security assessment with Instructure with no high-risk findings (if Partner has any risk findings, Partner will provide a remediation plan with mutually agreed to target completion dates). 
2. SECURITY BREACH MANAGEMENT AND NOTIFICATION. 
   1. Security Breach Notification . If Partner becomes aware of Security Breach, Partner will notify Instructure of the Security Breach without undue delay, and in any event within 24 hours. Partner shall report any Security Breach by emailing security@instructure.com with a copy to privacy@instructure.com. Such notification shall at a minimum and to the extent known by Partner at the time, but with regular timely updates that (a) describe the nature of Security Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned; (b) identify the name of the Partner’s data protection officer or other relevant contact person(s) from whom more information about the Security Breach may be obtained; (c) describe the likely consequences of the Security Breach; and (d) describe the measures taken or proposed to be taken to address the Security Breach.
   2. Security Breach Response. In the event of a Security Breach Partner shall: (a) fully cooperate with Instructure and/or the Controller or anyone acting on its behalf (and with any law enforcement or regulatory official) to investigate and resolve the Security Breach; (b) make reasonable efforts to identify and remediate the cause of such Security Breach; and (c) keep Instructure and the Controller up-to-date about developments in connection with the Security Breach.  Partner agrees to adhere to all applicable Data Protection Laws with respect to a Security Breach related to the Personal Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such Security Breach.
   3. Option to Terminate the Agreement . Instructure may terminate the Agreement immediately and without recourse to the courts, and without further liability or obligation on its part under the Agreement, if any Personal Data subject to a Security Breach arising out of any action or inaction of Partner or its Authorized Persons.

Schedule 3 – Compliance Addendum

1. E-VERIFY. By entering into the Agreement, Partner certifies and ensures that it utilizes and will continue to utilize, for the term of the Agreement, the U.S. Department of Homeland Security’s  E-Verify  system, in accordance with the U.S. Department of Homeland Security’s rules, to determine the eligibility of (a) all persons employed to perform duties within the United States of America; and (b) all persons (including subcontractors and Subprocessors) assigned by Partner to perform work pursuant to the Agreement, within the United States of America. Partner shall provide, upon request of Instructure and if available, an electronic or hardcopy screenshot of the confirmation or tentative non-confirmation screen containing the E-Verify case verification number for attachment to the Form I-9 for the three (3) most recent hires that match the criteria above, by Partner as proof that this provision is being followed. If this certification is falsely made, the Agreement may be immediately terminated, at the discretion of Instructure, and at no fault to Instructure, with no prior notification. Partner shall also be responsible for the costs of any re-solicitation that Instructure must undertake to replace the terminated Agreement. For persons not eligible for E-Verify screening, Partner (including its Sub-processors) shall provide, upon request by Partner, another form of documentation of proof of eligibility to work in the United States of America.
2. MODERN SLAVERY. For the purposes of this Section, “Modern Slavery” shall have the same meaning as under relevant legislation, including the UK Modern Slavery Act 2015 and the Australia Modern Slavery Act 2018, as applicable to Partner. Partner agrees to take reasonable steps to identify, assess and address risks of Modern Slavery practices in the operations and supply chains used in the provision of the Services. If at any time during the term of the Agreement, Partner becomes aware of Modern Slavery practices in the operations and supply chains used in the performance thereof, Partner must as soon as reasonably practicable take all reasonable action to address or remove these practices, including where relevant by addressing any practices of other entities in its supply chains. 
3. DRUG FREE WORKPLACE . For the purposes of this section, “drug-free workplace” means a site for the performance of work done in connection with the Agreement. During the performance of the Agreement Partner agrees to (a) provide a drug-free workplace for Partner’s employees; (b) post in conspicuous places, available to employees and applicants for employment, a statement notifying employees that the unlawful manufacture, sale distribution, dispensation, possession, or use of a controlled substance or marijuana is prohibited in Partner’s workplace and specifying the actions that will be taken against employees for violations of such prohibition; (c) state in all solicitations or advertisements for employees placed by or on behalf of Partner that Partner maintains a drug-free workplace; and (iv) include the provisions of the foregoing clauses in every subcontract or purchase order of over $10,000, so that the provisions will be binding upon each subcontractor or Partner. 
4. ANTI-CORRUPTION AND BRIBERY . Partner acknowledges that it is familiar with and understands the provisions of the U.S. Foreign Corrupt Practices Act and the UK Bribery Act (" the Acts ") and agrees to comply with their terms as well as any provisions of local law. Partner further understands the provisions relating to the Acts’ prohibitions regarding the payment or giving of anything of value, either directly or indirectly, to any party, any official of a government or political party for the purpose of influencing an act or decision in his or her official capacity or inducing the official to use his or her party's influence with that government, to obtain or retain business. Partner agrees to not violate or knowingly let anyone violate the Acts with respect to the sale, licensing, and use of the Services and Partner Services. Upon Instructure’s request, Partner agrees to provide Instructure with written certifications of Partner’s compliance with the Acts. Partner shall indemnify and defend Instructure and hold Instructure harmless from and against any and all claims, losses, liabilities, suits, actions, demands, damages, costs and other expenses caused by Partner’s failure to comply with the Acts or any such similar laws, regulations or rules.

Schedule 4  – U.S. State Privacy Laws Addendum

This Schedule 4 only applies to solely the extent that Partner processes Data subject to Applicable State Privacy law. This U.S. State Privacy Laws Addendum (" Schedule 4 ") supplements the DPA and is incorporated into the Agreement. Capitalized terms used but not defined in this US Addendum have the meanings given to them in the DPA or Agreement. 

1. DEFINITIONS . In this Schedule 5, the following terms shall have the meanings set out below.
   1. " Applicable State Privacy Law(s) " means (a) the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, together with all implementing regulations (the " CCPA "); (b) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.; (c) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., together with all implementing regulations; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015; and (e) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.
   2. The terms " business ", " business purpose ", " consumer ", " controller ", " personal data ", " personal information ", " processing ", " processor ", " sale ", " sell ", " service provider ", and " share " as used in this US Addendum (including the DPA to the extent it is incorporated by reference into this US Addendum) have the meanings given in Applicable State Privacy Laws.
   3. References in this US Addendum (including the DPA to the extent it is incorporated by reference into this US Addendum) to " controller ", " data subject ", and " processor " include " business ", " consumer ", and " service provider ", respectively, as defined by Applicable State Data Privacy Laws.
2. DURATION . Regardless of whether the applicable Agreement has terminated or expired, this Schedule 5 will remain in effect until, and automatically expire when, the DPA expires.
3. ROLES AND COMPLIANCE; AUTHORIZATION .
   1. Processor and Controller Responsibilities . If Applicable State Privacy Laws apply to the processing of Personal Data: (a) Schedule 1 of the DPA describes the subject matter and details of the processing of Personal Data; (b) Instructure is a Controller of Personal Data under Applicable State Privacy Laws; and (c) Each Party will comply with the obligations applicable to it under Applicable State Privacy Laws with respect to the processing of Personal Data.
4. CCPA Requirements . With respect to Partner’s processing of Personal Data in accordance with the CCPA, Partner will not, unless otherwise permitted under the CCPA: (a) sell or share Personal Information; (b) retain, use or disclose Personal Data (i) other than for a business purpose under the CCPA on behalf of Instructure and the specific purpose of performing the Services, or (ii) outside of the direct business relationship between Partner and Instructure; or (c) combine Personal Information with other information that Partner (i) receives from or on behalf of a third-party or (ii) collects from its own interactions with a consumer.
   1. Third Party Notifications . Instructure will promptly notify Partner and provide all necessary information to Partner after receiving and verifying a Consumer request, and Partner shall promptly take such actions and provide such information as Instructure may reasonably request pertaining to a Instructure’s Personal Information in order to help Instructure fulfill requests of individuals to exercise their rights under the CCPA, including, without limitation, requests to access, correct, delete, opt out of the Sale or Sharing of, or receive information about Personal Information pertaining to them. If Partner receives any request directly from Instructure’s Customer, then Partner may either (a) advise the Customer to contact Instructure directly with such request or (b) contact Instructure to respond directly to the Customer.  
   2. Acknowledgments and Obligations.  Partner (a) acknowledges that Personal Information is disclosed by Instructure only for the limited and specified purposes of providing the Services described the Agreement; (b) shall comply with obligations applicable to service providers under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA, including the same privacy protection required to be provided by businesses; (c) agrees that Instructure may take reasonable and appropriate steps consistent with this Section to help to ensure that Partner’s use of Personal Information is consistent with Instructure’s or the relevant Customer’s obligations under the CCPA; (d) shall notify Instructure promptly of any determination made by Partner that it can no longer meet its obligations under the CCPA; and (e) agrees that Instructure may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information, consistent with and in accordance with Applicable State Privacy Laws , by requesting reasonable documentation from Partner that verifies Partner no longer retains or uses Personal Information that is subject to a valid Data Subject deletion request.
   3. Data Subject Request Assistance . Partner will, taking into account the nature of the processing of Personal Information, assist Instructure in fulfilling its (or, where Instructure is a Processor, the relevant Controller’s) obligations under the CCPA to respond to requests for exercising the Data Subject’s rights by: (a) providing security controls in accordance with Schedule 2 (Information Security Standards); (b) complying with Section 3 of the DPA (Rights of Data Subject); and (c) providing the functionality of the Services. 

Schedule 5 – EU & UK Addendum

This Schedule 5 shall only apply to the extent that Partner Processes Personal Data from Data Subjects located in the EEA, UK, or is subject to the jurisdiction of Data Protection Laws of the EEA or UK. In case of any discrepancy between the DPA and this Schedule 5, this Schedule 6 shall prevail. Capitalized terms used but not defined in this US Addendum have the meanings given to them in the DPA or Agreement. 

1. Definitions. In this Schedule 5, the following terms shall have the meanings set out below.
   1. “ EEA ” means the European Economic Area, consisting of the Member States of the European Union and Iceland, Liechtenstein, and Norway.
   2. “ Data Privacy Framework ” means the EU-US and/or Swiss-US Data Privacy Framework self-certification program operated by the U.S. Department of Commerce.
   3. “ Data Privacy Principles ” mean the Data Privacy Framework Principles (as supplemented by the Supplemental Principles).
   4. “ GDPR ” means the means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.
   5. “ Standard Contractual Clauses ” means the contractual clauses issued by the European Commission by implementing decision 2021/914 of 4th of June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and the UK International Data Transfer Addendum (“ UK Addendum ”), and any similar measures promulgated pursuant to the GDPR to address the transfer of Personal Data to a Third-country and any amendments and replacements thereto as may be promulgated from time to time.
   6. “ Supplementary Measures ” means technical, organizational, and contractual measures as described in EDPB Guideline adopted on 18th June 2021 the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
   7. “ Third-country ” means a country that is neither part of the EEA nor has been declared adequate by a decision of the European Commission according to the mechanism lined out in Article 45 GDPR.
   8. “ UK ” means the United Kingdom, Wales, and Northern Ireland. 
2. Processing. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects about whom Personal Data is Processed under this DPA are further specified in Schedule 1. 
3. Cross Border Data Transfers. Instructure acknowledges and agrees that Partner may be established in a Third-country and that providing the Services may require transfer to, and Processing of Personal Data within a Third-country. All transfers to a Third-country are subject to the following conditions: (a) Instructure has given prior authorization for the transfer by signing the DPA; (b) Personal Data are Processed under the terms of the Agreement and the DPA; (c) there is a valid transfer mechanism in place in accordance with applicable Data Protection Laws; and (d) Partner shall implement the Supplementary Measures, where necessary.
4. Order of Precedence. In the event the Services are covered by more than one transfer mechanism under the GDPR, the transfer of Personal Data will be subject to a single transfer mechanism, as applicable, and in accordance with the following order of precedence: (a) the Data Privacy Framework as set forth in Section 4.1; (b) the Standard Contractual Clauses as set forth in Section 4.2; (c) the Jurisdiction Specific Terms as set forth in Schedule 7; and, if neither (a), (b), nor (c) is applicable, then (d) other applicable data transfer mechanisms permitted under applicable Data Protection Laws.
   1. Data Privacy Framework. To the extent that Partner Processes any Personal Data via the Services originating in the EU, UK, or Switzerland, Instructure represents that it is self-certified under the Data Privacy Framework and complies with the Data Privacy Principles when processing any such Personal Data. To the extent that Partner is (a) located in the U.S. and is self-certified under the Data Privacy Framework, or (b) located in the EEA or Switzerland, Partner agrees (i) to provide at least the same level of protection to any Personal Data as required by the Data Privacy Principles; (ii) to notify Instructure in writing, without undue delay, if its self-certification to the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated (in which case, the Standard Contractual Clauses will apply in accordance with Section 4.2 ; and (iii) upon written notice, to work with Instructure to take reasonable and appropriate steps to stop and remediate any unauthorized processing of Personal Data.
   2. Standard Contractual Clauses: A valid transfer mechanism referred in Section 4 is: 
      1. where Partner acts as a Processor and Instructure acts as a Controller, the Standard Contractual Clauses, Module TWO: Transfer Controller to Processor; 
      2. where Instructure acts as a Processor and Partner acts as a Processor, the Standard Contractual Clauses, Module THREE: Transfer Processor to Processor; 
      3. and in both cases, the UK Addendum thereto attached as Annex IV, and all of the foregoing are deemed to be incorporated herein by reference as set forth below. In respect of the Standard Contractual Clauses, the Parties agree on the following: (i) In clause 7, the Parties choose to include the “docking clause”; (ii) where Module Two or Three applies, in clause 9, the Parties choose Option 2: “general written authorization”; (iii) where Module Two or Three applies, in clause 9, the Parties choose 20 days as the specific time period; (iv) in clause 11, the Parties do not choose the optional complaint mechanism; (v) in clause 17, the governing law is the law of the EU Member State w here the Customer is established in an EU Member State, the law in that EU Member State; or where the Customer is not established in an EU member state but has appointed a representative pursuant to Article 27(1) of the GDPR, the law in the EU Member State in which the Customer’s representative is located; or where the data exporter is not established in an EU member state and is not required to appoint a representative pursuant to Article 27(2) of the GDPR, the law of the UK, or as defined in the Agreement; and in clause 18, the country of the applicable court in respect of any disputes arising from Standard Contractual Clauses is the courts of the EU member state in which in which the Parties have denoted choice of law above.
5. To the extent that Partner uses a Subprocessor in a Third-country for the Processing of Personal Data, the following shall apply in addition to Section 4 above: (a) Instructure has given prior authorization for the transfer by signing the Agreement; (b) there is a valid transfer mechanism in place in accordance with Data Protection Laws; and (c) Partner makes information on the transfer mechanism, and where applicable, the Standard Contractual Clauses, available without undue delay to Instructure.

ANNEX I

A.   LIST OF PARTIES: As described in Schedule 1.

B.   DESCRIPTION OF TRANSFER. As described in Schedule 1

C.   COMPETENT SUPERVISORY AUTHORITY - As described in Schedule 1

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

As described in Schedule 2.

ANNEX III - LIST OF SUBPROCESSORS

The controller has authorized the use of the following Subprocessors described in Annex I to Schedule 1.

ANNEX IV - Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018 - International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Table 2: Selected SCCs, Modules and Selected Clauses

Table 3: Appendix Information

“ Appendix Information ” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Table 4: Ending this Addendum when the Approved Addendum Changes

Part 2: Mandatory Clauses