Partner Program Terms and Conditions | Partners

1. SCOPE.       
   1. These Partner Program Terms and Conditions are between Instructure, Inc. and/or its Affiliates (“Instructure”) and the entity agreeing to these terms and conditions (“Partner”). An “Order Form” means any order for the provision of products or services signed by Partner. These terms and any applicable supplement or addendum related thereto (“Supplement”) are incorporated into the Order Form and together with the Order Form, form the “Agreement.” To the extent there is any conflict between the Order Form, these Partner Program Terms and Conditions, or any Supplement related thereto, such conflict shall be resolved pursuant to the following order of precedence: (i) the Order Form, (ii) any applicable Supplement, and (iii) these Partner Program Terms and Conditions. 
   2. By signing this Agreement or executing an Order Form wherein this Agreement governs, Partner agrees to participate in the Instructure partner program as either (a) a “Paid-Tier Partner” if Partner has executed an Order Form for one of the paid partnership tiers (via the Paid Partner Fee under Section 5), or otherwise (b) a “Free-Tier Parter”, in each case, in compliance with the Instructure Partner Requirements available at: https://view-su2.highspot.com/viewer/86eb8feaf1f24838d662fc5dfe7e09c7#1.      
   3. Instructure and the Partner may be referred to herein each as a “Party” and collectively, as the “Parties.” “Affiliate” with respect to Instructure means any entity that directly, or indirectly through one or more intermediaries’ controls, is controlled by or is under common control with such Party.
       
2. SERVICES AND RESTRICTIONS.
   1. “Services” means the proprietary software as a service offering(s) provided by Instructure, together with any other related products and services to be provided by Instructure. “Partner Applications” means the applications, integrations and related content created by Partner that interface with Instructure products and Services. 
   2. Prohibited uses of the Services shall include: (a) selling, sublicensing, or otherwise transferring or providing access to the Services, or any output from the Services, to any third party, except as expressly authorized under this Agreement; (b) use of or access to the Services for competitive purposes; (c) copying, modifying, adapting, or creating derivative works from or any feature, function, interface or graphic, in the Services; (d) removing or modifying Instructure’s policies, notices or proprietary markings displayed within the Services or output from the Services; (e) using, interfering with, overloading, probing, scanning, disrupting, altering, translating, or modifying the Services, or circumventing the integrity of the Services or any of Instructure’s data, systems, or network; (f) permitting direct or indirect access to or using the Services in a way that circumvents the contractual usage limit; (g) attempting to gain unauthorized access to the Services, their related systems or networks; (i) using the Services to store or transmit any malicious code or data, infringing, libelous, or otherwise unlawful or tortious material, or material which violates any third-party privacy rights; (j) modifying, reverse engineering, decompiling, disassembling, decrypting, extracting, or otherwise attempting to derive or determine the source code, underlying ideas, algorithms, structure, organization, or training data associated with the Services; (k) using the Services to distribute software or tools that gather information, distribute advertisements, or engage in conduct that may result in retaliation against Instructure or its data, systems, or networks; (l) connecting to, integrating with, or accessing the Services or the API (as defined below) or related documentation using model context protocol servers or other technologies not approved by Instructure; (m) using the Services or the API in violation of any applicable law, rule, or regulation; or (n) using the Services or the API in a manner that Partner knows or reasonably should know violates the policies, rules, or procedures of Instructure’s customers (e.g., the academic integrity policy of any applicable school, college, or university). 
   3. To the extent Partner is a Paid-Tier Partner, use and access to the Application Program Interface (“API”) will be subject to the Partner’s compliance with the Instructure API Policy available at https://www.instructure.com/policies/api-policy. Violations of any of the foregoing prohibitions or API policy by either Partner or its users will be a material breach of this Agreement. If Partner’s API usage, including API calls made by Partner or its users and affiliates, (“API Usage”) exceeds the permitted limits set forth in the Order Form, such exceeded usage shall be subject to additional fees (“API Overage Fees”) at rates determined by Instructure. Instructure may change the foregoing rates at its sole discretion within thirty (30) days’ prior written notice to Partner. Updated rates shall apply to any exceeded API Usage after the end of the foregoing thirty (30) day notice period. Partner shall pay Instructure the amounts specified in the applicable Order Form for such API Overage Fees within thirty (30) days of the invoice date or as otherwise specified in the applicable Order Form.
   4. Free-Tier Partners are not permitted to access or use the API and must become a Paid-Tier Partner in order to access or use such API. Partner’s breach of the foregoing restriction shall be a material breach of this Agreement.
       
3. PARTNER RESPONSIBILITIES. Partner shall have sole responsibility for use of the Services by users in compliance with this Agreement and the Acceptable Use Policy provided by Instructure (within the Services) and available at https://www.instructure.com/policies/acceptable-use (the “AUP”), and Partner agrees to enforce such terms and conditions against its users. Partner further agrees to: (a) maintain the confidentiality and security of passwords and abide by any access protocols or credential requirements set by Instructure; (b) obtain from users any consents necessary under this Agreement or to allow Instructure to provide the Services; (c) use commercially reasonable efforts to prevent unauthorized access to or use of the Services; (d) notify Instructure promptly of any such unauthorized access or use of which it learns; and (e) cooperate reasonably in all respects with respect to implementation and maintenance of the Services, including compliance with any terms and conditions, policies or obligations related to Partner Applications (including under Section 1.2). Violations of any of the foregoing responsibilities will be a material breach of this Agreement.
    
4. TERM AND TERMINATION.  The initial term of this Agreement is stated on the Order Form (the “Term”) and shall continue for its full duration unless earlier terminated by a Party in accordance with this Section 4. Either party may terminate this Agreement for the material breach of any provision of this Agreement by the other party if such material breach remains uncured for thirty (30) days after receipt of written notice of such breach from the non-breaching party. In the event the Agreement is terminated, all Order Forms are simultaneously terminated. Such termination right shall be in addition to any other rights and remedies that may be available to the non-breaching party. Any terms that by their nature survive termination or expiration of this Agreement, will survive (including Sections 4, 5, 6, 7, 9-19).
    
5. PAYMENT. There is no charge for participation in the Partner Program as a Free-Tier Partner. However, if Partner would like to upgrade its membership to become a Paid-Tier Partner, , Partner shall pay Instructure the amounts specified in the applicable Order Form within thirty (30) days of the invoice date (the “Paid Partner Fee”). All amounts shall be stated (and payment made) in the applicable currency identified in the Order Form. For each renewal term, Partner shall pay Instructure the applicable Paid Partner Fee, unless Partner notifies Instructure in writing thirty (30) days prior to renewal of its intent to cancel the membership. The Paid Partner Fee and any other fees (including any API Overage Fees) owed by Partner are exclusive of, and Partner shall pay, all sales, use, VAT, excise and other taxes that may be levied in connection with this Agreement. Except as expressly set forth in this Agreement, (a) payment obligations are non-cancelable and all fees are non-refundable; (b) fees are based on subscriptions purchased and not actual usage; and (c) quantities purchased cannot be decreased during the relevant subscription term.
    
6. PARTNER REPRESENTATIONS.  Partner represents that (a) it has the power and authority to validly enter into this Agreement and fulfill its obligations hereunder; (b) the execution and delivery of this Agreement does not violate or conflict with any other agreement, license, or obligation; (c) it has not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from or on behalf of any employees or agents of Instructure in connection with this Agreement; and (d) it is financially solvent and has the ability to perform its obligations hereunder.
7. TRADEMARK USAGE RIGHTS.  Partner shall not print or distribute any materials, including press releases or marketing materials, or make any other public statement or announcement, including via social media, relating to the terms and conditions of this Agreement or otherwise bearing Instructure’s tradename, trademarks, service marks, designs, or logos, without first obtaining Instructure’s written approval. When written approval is provided by Instructure, such use shall be in accordance with Instructure’s brand guidelines found at https://www.instructure.com/about/brand-guide or as provided by Instructure, which may be updated from time to time and solely in connection with this Agreement.  Partner agrees to allow Instructure to use its name, logo and non-competitive use details in both text and pictures in its various marketing communications and materials, in accordance with Partner’s brand guidelines and solely in connection with this Agreement.  Neither party may register any internet domain name using any tradename or trademark of the other party. The licenses granted in this Agreement set forth the full extent of each party’s rights to use, distribute, display, make available, and otherwise deal in the services, trademarks and Intellectual Property of the other party. Except for the rights and licenses expressly granted in this Agreement, nothing in this Agreement will be deemed to license or transfer to anyone any of either party’s Intellectual Property or proprietary rights.
8. INSTRUCTURE PROPRIETARY ASSETS AND RIGHTS. As between Partner and Instructure, Instructure owns, and shall retain all right, title and interest in (a) the Instructure Services and any and all other Instructure products; (b) all improvements, changes, enhancements and components, source code, object code, documentation, criteria, designs, report formats, know-how, underlying ideas, algorithms, or structure associated with the Services; (c) all other proprietary materials of Instructure and/or its licensors; and (d) all intellectual property related to the aforementioned, including but not limited to, all copyrights, patents, trademarks and trade names, and trade secrets (“Instructure Intellectual Property”). The Instructure Intellectual Property is and shall at all times remain the sole and exclusive property of Instructure.  Instructure shall have the right, in its sole discretion, to modify any Instructure Intellectual Property. Notwithstanding the foregoing, the Partner Applications and all intellectual property rights therein shall remain the sole and exclusive property of Partner.
9. MUTUAL CONFIDENTIALITY . 
   1. Definition of Confidential Information.  Each Party acknowledges that it, or any entity that directly, or indirectly through one or more intermediaries’ controls, is controlled by or is under common control with such party (an “Affiliate”), or Instructure’s licensors, may disclose (in such capacity the “Disclosing Party”) Confidential Information to the other Party or its Affiliates or Instructure’s licensors (in such capacity, the “Receiving Party”) in the performance of this Agreement. As used herein, “Confidential Information” means  includes, without limitation, any and all non-public, confidential and proprietary information, data, or know-how, including all Personal Information (as defined in Section 15 below) and information about the Disclosing Party’s businesses, operations, finances, properties, employees, relationships with third parties, plans, trademarks, trade secrets, and other intellectual property and all analyses, compilations, forecasts, studies, summaries, notes, reports, memoranda, interpretations, data, and other materials which contain or are generated from the Confidential Information, whether disclosed in writing, orally, electronically, or by other means, and whether or not identified as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. For the avoidance of doubt, any non-public aspect of the Services will be considered the Confidential Information of Instructure or Instructure’s licensors.
   2. Protection of Confidential Information.  Accordingly, the Receiving Party shall: (a) protect the Confidential Information using the same degree of care that it uses to protect the confidentiality of its own Confidential Information (but in no event less than reasonable care); (b) keep the Confidential Information disclosed by the other Party confidential; (c) use Confidential Information only for purposes of fulfilling its obligations and exercising its rights hereunder; and (d) disclose such Confidential Information only to the Receiving Party’s employees or Affiliates who have a need to know and only for the purposes of fulfilling this Agreement or to the extent required by law.

   3. Exclusions. Confidential Information shall not include information that: (a) is or becomes generally known to the public as a matter of public knowledge through no fault of the Receiving Party without breach of any obligation owed to the Disclosing Party; (b)  was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (c) is rightfully received by the Receiving Party from a third party without a duty of confidentiality or knowledge of breach of any obligation owed to the Disclosing Party; (d) is was independently developed by the Receiving Party without the use of any Confidential Information of the Disclosing Party; or (e) is identified by the Disclosing Party in writing as no longer confidential and proprietary. 

   4. Compelled Disclosure. Notwithstanding the restrictions above, the Receiving Party may disclose the Confidential Information pursuant to law, regulation, subpoena or court orders, provided that the Receiving Party promptly notifies the Disclosing Party in writing prior to making any such disclosure to permit the Disclosing Party, at the Disclosing Party’s cost, an opportunity to prevent disclosure or seek an appropriate remedy from the proper authority. The Receiving Party agrees to cooperate with the Disclosing Party in seeking such order or other remedy. The Receiving Party further agrees that if the Disclosing Party is not successful in precluding the requesting legal body from requiring the disclosure of the Confidential Information, it will furnish only that portion of the Confidential Information which is legally required (based on the advice of counsel) and will exercise all reasonable efforts to obtain reliable assurances that confidential treatment will be afforded the Confidential Information. Further, any information obtained by monitoring, reviewing, or recording is subject to review by law enforcement organizations in connection with investigation or prosecution of possible criminal or unlawful activity on the Service as well as to disclosures required by or under applicable law or related government agency actions. Instructure will also comply with all court orders or subpoenas involving requests for such information.

10. CONDUCT OF BUSINESS AND NON-SOLICIT. Partner must conduct its business in a manner favorably representing Instructure and its technology. Partner agrees to maintain the quality of the Partner Applications such that they remain current such that the Partner Application will not materially degrade during the term and compliant with all applicable laws, rules and regulations. Partner is solely responsible for providing all support and assistance to end users of the Partner Applications. 
    
    In no event may either party make any representations, warranties, or guarantees on behalf of the other party.
    
    During the term of this Agreement and twelve (12) months after expiration or termination, Partner will not attempt to recruit or solicit for employment or hire any Instructure employee or contractor without the prior written approval of Instructure. The posting of any general recruitment advertisement by Partner in the normal course of business without specifically targeting or approaching the personnel of Instructure, and any employment of Instructure’s personnel that results from such general recruitment advertisement, shall not be deemed a violation of this Section 10.
     
11. LIMITATION OF LIABILITY. NOTHING IN THIS AGREEMENT SHALL LIMIT OR EXCLUDE EITHER PARTY’S LIABILITY FOR: (A) DEATH OR PERSONAL INJURY CAUSED BY ITS NEGLIGENCE; (B) FRAUD OR FRAUDULENT MISREPRESENTATION; OR (C) ANY OTHER LIABILITY WHICH CANNOT BE LIMITED OR EXCLUDED BY APPLICABLE LAW. SUBJECT TO THE PRECEDING SENTENCE, NEITHER PARTY HAS ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR CONSEQUENTIAL, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR OTHER INDIRECT DAMAGES (INCLUDING WITHOUT LIMITATION, LOST PROFITS OR LOSS OF REVENUE), OR THE USE OR INABILITY TO USE THE SERVICES (INCLUDING, WITHOUT LIMITATION, COSTS OF DELAY, LOSS OR INACCURACY OF DATA, RECORDS OR INFORMATION, COST(S) OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, AND ANY FAILURE OF DELIVERY OF THE SERVICES), EVEN IF EITHER PARTY IS AWARE OF THE LIKELIHOOD OF SUCH DAMAGE. EXCEPT FOR (i) PARTNER’S PAYMENT OBLIGATIONS IN SECTION 5, OR (ii) A PARTY’S INDEMNITY OBLIGATIONS IN SECTION 13, IN NO EVENT SHALL EITHER PARTY’S TOTAL AND CUMULATIVE LIABILITY TO THE OTHER PARTY ARISING UNDER OR RELATED TO THIS AGREEMENT EXCEED: (X) $50 IF PARTNER IS A FREE-TIER PARTNER; OR (Y) IF PARTNER IS A PAID-TIER PARTNER, THE AMOUNT PAID BY PARTNER FOR THE SERVICE(S) GIVING RISE TO THE LIABILITY (EXCLUDING ANY API OVERAGE FEES) UNDER THIS AGREEMENT WITHIN THE 12 MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO LIABILITY; PROVIDED THAT IF PARTNER SWITCHES BETWEEN STATUS AS FREE-TIER PARTNER AND PAID-TIER PARTNER DURING SUCH PRECEDING 12 MONTHS, THEN EITHER PARTY’S FOREGOING TOTAL AND CUMULATIVE LIABILITY TO THE OTHER PARTY ARISING UNDER OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE AMOUNT OF API PARTNER FEE PAID BY PARTNER AS PRO-RATED FOR THE PERIOD DURING SUCH 12 MONTHS THAT PARTNER IS A PAID-TIER PARTNER.
     
12. WARRANTY DISCLAIMER. INSTRUCTURE DISCLAIMS ALL WARRANTIES, WHETHER WRITTEN, ORAL, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, TITLE, ACCURACY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. INSTRUCTURE DOES NOT WARRANT (A) THE FUNCTIONALITY OR FEATURES OF ANY THIRD-PARTY SERVICE USED IN CONNECTION WITH THE SERVICE; (B) THE RESULTS OR OUTCOMES FROM USE OF THE SERVICES WILL BE UNINTERRUPTED, SECURE OR ERROR-FREE; OR (C) THE VALIDITY, FAIRNESS OR QUALITY OF ANY CONTENT PROVIDED BY INSTRUCTURE.
     
13. INDEMNIFICATION. Instructure will indemnify and defend Partner from and against any and all losses, liabilities, and claims (including reasonable legal fees) arising out of any claim by a third party alleging that the Services infringe or misappropriate the intellectual property rights of that third party. Notwithstanding the foregoing, Instructure shall not be obligated to indemnify Partner if any Fees remain unpaid after they become due or where  such infringement or misappropriation claim arises from: (a) the Partner’s content or Partner Application; (b) Partner's misuse of the Services, including any use of the Services by unauthorized users or after the termination of the Agreement; or (c) Partner's use of the Services in combination with any products, services, or technology provided by a party other than Instructure. If such a claim of infringement or misappropriation is made or threatened, Instructure may, in its sole discretion: (i) modify the Services so that they become non-infringing; (ii) obtain a license for Partner to continue its use of the Services; or (iii) notwithstanding Instructure's obligation to indemnify hereunder, terminate the Agreement with no liability to Partner. The aforesaid remedies are Partner’s sole and exclusive remedies for any third-party claims of infringement or misappropriation of intellectual property rights relating to the Services. To the extent permitted under applicable law, Partner will indemnify and defend Instructure from and against any and all losses, liabilities, and claims (including reasonable legal fees) arising from: (a) the Partner’s acts or omissions; (b) any claim by a third party regarding the Partner Application or use of the Services by Partner (or any of its customers or users) in violation of this Agreement; or (c) a breach of Partner’s data protections set forth in the Agreement. The party seeking indemnification (the “Indemnified Party”) shall provide the other party (the “Indemnifying Party”) with prompt written notice upon becoming aware of any claim subject to indemnification hereunder and shall provide reasonable cooperation to the Indemnifying Party in the defense of or investigation of any claim, suit or proceeding. The Indemnifying Party, at its option, will have sole control of such defense, provided that the Indemnified Party is entitled to participate in its own defense at its sole expense. The Indemnifying Party shall not enter into any settlement or compromise of any such claim, suit or proceeding without the Indemnified Party's prior written consent, except that the Indemnifying Party may without such consent enter into any settlement of a claim that resolves the claim without liability to the Indemnified Party and without impairment to any of the Indemnified Party's rights or requiring the Indemnified Party to make any admission of liability.
14. AI.  To the extent Partner develops and offers any AI Product through the Instructure Marketplace that interacts with, is integrated with, or is distributed through Instructure’s products or services, the Addendum for AI Partners (the “AI Addendum”) set forth in Exhibit A is incorporated into this Agreement. “AI Product” and “Instructure Marketplace” shall mean the definitions given in the AI Addendum. The AI Addendum shall be deemed an integral part of this Agreement and subject to the same terms, conditions and obligations as set forth herein. In the event of any conflict or inconsistency between the provisions of this Agreement and the AI Addendum, the provisions of the AI Addendum shall prevail.
15. COMPLIANCE. Each party will comply with all applicable laws, regulations and policies with respect to its activities under this Agreement, including the Partner Data Processing Addendum described in Exhibit B. Except for the Partner’s credentials used to access the services and contact data, you may not transfer, or cause to be transferred, or input personally identifiable information into the Services without notifying Instructure in writing.  
16. NOTICES. Any notice by a party under this Agreement shall be in writing and either personally delivered or sent via email or reputable overnight courier (such as Federal Express) or certified mail, postage prepaid and return receipt requested, addressed to the other party at the address specified below or such other address of which either party may from time to time notify the other in accordance with this Section 15. A copy of all notices to Instructure shall be sent to: Instructure, Inc., 6330 South 3000 East, Suite 700, Salt Lake City, UT 84121, Attention: General Counsel and, if by email, to Legal@instructure.com. For purposes of service messages and notices about the Services, Instructure may place a banner notice or send an email to an email address associated with an account. All notices shall be in English and shall be deemed effective upon receipt.
17. NON-PERFORMANCE AND RELIEF. Either party may apply to a court of competent jurisdiction for injunctive or other appropriate equitable relief restraining any threatened or actual breach of this Agreement. Each party waives any requirement that the other party post any bond or other security in the event any injunctive or equitable relief is sought by or awarded to enforce any provision of this Agreement. Instructure will not be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control, including, but not limited to, acts of God, natural disasters, pandemics, actions or decrees of governmental bodies, changes in applicable laws, or communication or power failures.
18. CHOICE OF LAW.  To the extent that the Instructure entity on the Order Form is Instructure, Inc., this Agreement shall be interpreted, governed, and construed by the laws of the State of Delaware, without regard to principles of conflict of laws. To the extent that the Instructure entity on the Order Form is Instructure Global Limited, this Agreement shall be interpreted, governed, and construed by the laws of England and Wales without regard to principles of conflict of laws and the parties hereby submit to the exclusive jurisdiction of the English courts.
19. CHANGES TO THIS AGREEMENT.  Instructure may amend, revise or update these Partner Program Terms and Conditions at any time by posting a revised version on https://partners.instructure.com.  By continuing to use the Service after the effective date of any modifications, Customer consents to be bound by the modified terms. To the extent, in Instructure’s sole discretion, Instructure determines that such amendment, revision, or update results Instructure us engaging in more permissive data practices, or materially changes Partner’s rights or obligations, Instructure will notify Partner of the modifications in writing, such as by email.
20. GENERAL. Instructure is acting in performance of this Agreement as an independent contractor to Partner. If any term of this Agreement is invalid or unenforceable, the other terms remain in effect and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law. This Agreement constitutes the entire agreement between the parties with respect to the subject matter of this Agreement, and any prior representations, statements, and agreements relating thereto are superseded by the terms of this Agreement. Instructure rejects additional or conflicting terms of any Partner form-purchasing document. Partner shall not assign this Agreement, in whole or in part, to any entity without Instructure’s prior written consent. Any attempt by Partner to assign this Agreement, in whole or part, in contravention of this Section 20, shall be void. This Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their successors and permitted assigns. Other than in respect of Instructure’s Affiliates, this Agreement does not create any third-party beneficiary rights in any individual or entity that is not a party to this Agreement. Any failure by either party to enforce the other party's strict performance of any provision of this Agreement will not constitute a waiver of its right to subsequently enforce such provision or any other provision of this Agreement. No one other than a party to this Agreement, their successors and permitted assignees, shall have any right to enforce any of its terms.     

Exhibit A

Addendum for AI Partners      

Instructure and Partner are entering into Partner Program Terms and Conditions (the “Partner Terms and Conditions”) to develop and offer AI Product to Instructure Customers through the Instructure Marketplace (the “Partnership”).

The parties agree to incorporate this AI Addendum as an integral part of the Partner Terms and Conditions. This AI Addendum shall be read in conjunction with the Partner Terms and Conditions, and both documents shall be collectively referred to as the "Agreement."

In the event of any conflict between the provisions of the Partner Terms and Conditions and this AI Addendum, the provisions of this AI Addendum shall control and prevail. All capitalized terms not defined herein shall have the same meaning ascribed to them in the Partner Terms and Conditions

1.  Definitions

   1. "AI Product” any artificial intelligence or machine learning system, model, technology, or service provided by Partner, including data science models, generative AI systems, large language models, agentic systems, and algorithms, in each case that is offered to Instructure Customers under the Partnership or that is integrated with, incorporated into, or part of the Services. 

   2. “Instructure AI Data” means (a) all data, content, information, Instructure Intellectual Property, inclusive of metadata (including log data, telemetry, usage data, and diagnostic data), and all other materials provided by Instructure or an Instructure Customer, or made available to Partner, in connection with the Partnership, including but not limited to Personal Data, education records protected by FERPA, and any inputs or other information provided to the AI Product; (b) the results or outputs of the AI Product, including any analysis, compilation, summary, interpretation, study, report or other document, record or material that is or has been prepared by Partner in connection with the Agreement. 

   3. “Instructure Customer” means a third party that has purchased, obtained, licensed, accessed, or received on a trial, free or evaluation basis the AI Product through the Instructure Marketplace.

   4. “Instructure Marketplace” the online marketplace operated by Instructure (currently located at https://app.learnplatform.com/marketplace/, or any successor URL) through which Instructure Customers may discover, evaluate, purchase, or bundle AI Products for use with Canvas or other Instructure products and services.

2. Partner Restrictions.  Partner shall not, and shall not permit any Subprocessor or third party to use Instructure AI Data for any purpose other than providing the AI Product to the applicable Instructure Customer under the Partnership. Without limiting the foregoing, Partner shall not: (a) use Instructure AI Data to develop, train, fine-tune, retrain, evaluate, benchmark, or improve any AI Product, foundation model, or machine-learning system, whether Partner's own or any third party's; (b) combine or commingle Instructure AI Data with data from other customers or sources, except to the minimum extent required to deliver the AI Product to the applicable Instructure Customer; (c) use Instructure AI Data to create synthetic or de-identified datasets for any purpose other than internal debugging and testing of the AI Product; (d) share, sell, rent, license, or otherwise disclose Instructure AI Data to any third party, including any model provider, hosting provider, or inference provider, except to pre-approved Subprocessors under the DPA; (e) retain Instructure AI Data longer than reasonably necessary to provide the AI Product, and in no event longer than the retention periods set forth in the DPA; or (f) use Instructure AI Data to develop, train, or improve any product or service that competes with Instructure's products or services.
3. Partner Obligations. In addition to Partner's other obligations under the Partner Terms and Conditions, Partner agrees to the following:
   1. ​​​​​​Transparency and documentation. Partner shall provide Instructure with technical assistance, documentation, and information in response to Instructure's or any Instructure Customer's questions about the operations and functions of the AI Product, including any audits of the AI Product and training data, as reasonably necessary to demonstrate safety, reliability, security, accountability, transparency, explainability, and fairness. On request, Partner shall provide a current model card or system card, a description of training data categories and sources, a description of known limitations and failure modes, and a description of material changes to the AI Product since the last disclosure.
       
   2. Data access. Partner agrees to provide Instructure with access to any data originating from the Partnership. Where Partner reasonably determines that applicable law prohibits the sharing of specific records containing Personal Data, Partner shall (i) promptly notify Instructure in writing of the prohibition and its legal basis, (ii) share redacted, pseudonymized, or aggregate versions of such data, and (iii) work with Instructure in good faith to provide access through a data clean room or equivalent privacy-preserving mechanism. Partner may not use this provision to refuse a compliance audit or regulator inquiry.
       
   3. Notices and disclosures. Partner agrees to provide appropriate notices, labels, warnings, disclaimers, or other information on the AI Product and any output or results of the AI Product as required by law or Instructure, including clear disclosure that outputs are AI-generated when presented to end users.
   4. Material changes. Partner shall notify Instructure in writing at least 30 days before deploying to Instructure Customers any material change to the AI Product, including but not limited to changes to the underlying foundation model, data residency, or subprocessors used in model serving. "Material change" includes any change that Partner knows or reasonably should know could affect accuracy, safety, bias, or regulatory compliance.
       
   5. AI incident notification. Partner shall notify Instructure within 72 hours of becoming aware of any (i) confirmed material harmful output, harmful behavior, or safety incident arising from the AI Product, including outputs that are defamatory, discriminatory, sexually explicit involving minors, or that disclose Personal Data; (ii) regulatory inquiry or enforcement action relating to the AI Product; or (iii) loss or material change of any third-party certification, audit, or assessment relevant to the AI Product (such as SOC 2, ISO 27001, or NIST AI RMF attestation). Notice under this subsection is in addition to any Security Breach notice required under the DPA.
       
   6. Education-sector compliance. Partner acknowledges that Instructure Customers include K-12 and higher-education institutions and that Instructure AI Data may include education records protected by the U.S. Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g), personal information of children under the U.S. Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501 et seq.), and student data protected under U.S. state student data privacy laws (including SOPIPA and comparable laws). Partner agrees to act as a "school official" under FERPA where applicable, to comply with the operator obligations under applicable state student data privacy laws, and not to use Instructure AI Data for behavioral advertising, profiling of students, or any purpose outside the direct delivery of the AI Product. 
       
   7. AI-specific law compliance. Partner shall comply, at its sole cost, with all laws, regulations, and binding guidance specifically governing artificial intelligence as they apply to Partner's AI Product, including the EU Artificial Intelligence Act, the Colorado AI Act, and any successor or comparable U.S. state or federal AI laws. Partner shall maintain records sufficient to demonstrate compliance and provide such records to Instructure on reasonable request.
        
   8. Human oversight and prohibited uses. Partner shall design the AI Product to support meaningful human oversight of consequential decisions affecting students, educators, or staff. Partner shall not use the AI Product, and shall use commercially reasonable efforts to prevent Instructure Customers from using the AI Product, to make fully automated decisions regarding student discipline, academic integrity violations, grading of summative assessments, admissions outcomes, or employment actions, in each case without a human-in-the-loop review step.
4. Indemnification Obligations.  In addition to Partner’s other indemnity obligations under the Partner Terms and Conditions, Partner will indemnify and defend Instructure from and against any and all losses, liabilities, and claims (including reasonable legal fees) arising from: (a) any claim by a third party concerning the results or outputs of the AI Product, including claims that the results or outputs (i) infringe or misappropriate the intellectual property rights of that third party, (ii) are defamatory, (iii) violate privacy, publicity, or personality rights, (iv) disclose Personal Data or confidential information without authorization, or (v) discriminate on the basis of a protected characteristic under applicable law; (b) any claim by a third party that Partner’s use of training data to create the AI Product infringes or misappropriates the intellectual property rights of that third party; (c) any claim arising from Partner's violation of laws or regulations specifically governing artificial intelligence, including the EU AI Act and the Colorado AI Act; (d) any claim arising from Partner's violation of Section 3(f) (Education-sector compliance), including FERPA, COPPA, and applicable state student data privacy laws; and (e) any regulatory investigation, enforcement action, or fine arising out of (a) through (d).
    
5. Model Removal and Suspension. Instructure may, in its reasonable discretion and with notice where practicable, suspend availability of the AI Product in the Instructure Marketplace or require Partner to suspend delivery to one or more Instructure Customers if: (a) Instructure reasonably believes the AI Product poses a material safety, security, privacy, or legal risk to Instructure, its Customers, or end users; (b) Partner is in material breach of this AI Addendum and has not cured within 10 business days of notice; (c) Partner has failed to notify Instructure of a material change under Section 3(d); or (d) a regulator has issued binding guidance or an order affecting the lawful use of the AI Product. Suspension under this Section is without prejudice to any other remedy and does not entitle Partner to refund of any fees paid.
    
6. Survival; Order of Precedence. Sections 2 (Partner Restrictions), 3(a), 3(e), 3(f), and 4 (Indemnification), survive termination or expiration of the Agreement. For clarity, the order of precedence in Section 1 of the Partner Terms and Conditions applies, and in the event of a conflict between this AI Addendum and the DPA with respect to AI-specific obligations, this AI Addendum controls.

Exhibit B

Instructure Partner Data Processing Agreement

This Instructure Partner Data Processing Agreement (“DPA”) is entered into by and between Partner and Instructure. This DPA and the Schedules form part of the Partner Program Terms and Conditions (the “Agreement”). References to the Agreement will be construed as including this DPA. Capitalized terms not defined herein shall have the meanings as set forth in the Agreement.

How this DPA Applies: This DPA consists of two parts: the main body of the DPA, and the Schedules. The Schedules only apply to the extent that Partner is providing the Services in the geographical regions described in each Schedule.

Schedule 1 – Description of the Processing/Transfer

Schedule 2 – Instructure Security Standards Addendum

Schedule 3 – Compliance Addendum

Schedule 4 – U.S. State Privacy Laws Addendum

Schedule 5 – EU & UK Addendum

1. DEFINITIONS. In this DPA, the following terms shall have the meanings set out below.
   1. “Affiliates” means any entity which is controlled by, controls, or is in common control with a Party. 
   2. “Authorized Person” means any person Partner authorizes to process Personal Data including Partner’s staff, agents, contractors, Subprocessors, and subcontractors.
   3. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data. 
   4. “Data Protection Laws” means any and all laws and regulations protecting the fundamental rights and freedoms of natural persons and their right to privacy with regard to the processing of Personal Data and any applicable international, national, local or regional data protection, privacy or security laws each as may be amended, replaced, supplemented or superseded from time to time. 
   5. “Data Subject” means an identified or identifiable natural person (i.e. one who can be identified, directly or indirectly, in particular to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or society of that natural person) whose Personal Data is Processed by Data Processor, as may be more fully set forth in the Data Protection Laws, and shall be meant to include any different but similar term used in the Data Protection Laws.
   6. “Data Subject Right(s)” means a Data Subject’s rights as defined by Data Protection Laws.
   7. “De-Identified Data” and “De-Identification” means data and information where all personally identifiable information has been removed or obscured, such that the remaining information does not reasonably identify a specific individual, including, but not limited to, any information that, alone or in combination is linkable to a specific Data Subject. 
   8. “Personal Data” means any information relating to an identified or identifiable natural person provided, received or accessed by Partner under the Agreement. 
   9. “Processor” means the entity which Processes Personal Data on behalf of the Controller. 
   10. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
   11. “Partner Services” shall mean, as applicable, the Partner Product, AI Product, and co-marketing, co-selling and similar activities performed by the parties (including through the AI Marketplace) in connection with the Agreement.
   12. “Sell,” “Selling,” “Sale,” and “Sold” shall have the meanings provided under Data Protection Laws. 
   13. “Security Breach” means the actual, or reasonably suspected unauthorized access, disclosure, loss, or alteration of Personal Data Processed by Partner (or its Subprocessors), or unauthorized access to Partner’s equipment or facilities resulting in loss, disclosure, or alteration of Personal Data. 
   14. “Subprocessor” means any entity engaged by a Partner to Process Personal Data for the Partner Services.
        
2. PROCESSING OF PERSONAL DATA.
   1. Role of the Parties. The Parties agree that regarding the Processing of Personal Data under the Agreement, Instructure’s Customer is the Controller, Instructure is a Processor and Partner is a Processor. Where Personal Data originates from Instructure itself (including Instructure's own employees, contractors, or marketing contacts), Instructure is the Controller and Partner is the Processor. In each case, Partner shall follow Instructure's instructions and the instructions Instructure passes through from the applicable Instructure Customer.
       
   2. Processing of Personal Data. Partner shall only Process Personal Data to the extent necessary to perform the Partner Services and as specified in the Agreement and only in accordance with the Controller’s written instructions. Instructure hereby instructs Partner to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and this DPA;  and (ii) Processing to comply with other reasonable written instructions by Instructure that are consistent with the terms of the Agreement.  The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1.
       
      1. Partner agrees that it shall, in its capacity as Processor in Processing Personal Data (i) Provide at least the same level of protection to Personal Data as is required by this DPA and Data Protection Laws; (ii) Immediately notify Instructure if it determines that it can no longer meet its obligation to provide the same level of protection as is required by the Data Protection Laws and this DPA, and in such event, to work with Instructure to take prompt, reasonable and appropriate steps to stop and remediate any Processing until such time as the Processing meets the level of protection as is required by the Data Protection Laws and this DPA; (iii) Implement and maintain throughout the term of this DPA appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and accidental destruction or loss, so as to allow Instructure to comply with the requirement to implement appropriate technical and organizational security measures, in accordance with the Schedule 2 (Instructure Security Standards Addendum), and applicable Data Protection Laws; (iv) At Instructure’s sole election, to cease Processing Personal Data promptly if in the Instructure’s reasonable determination, Partner is not providing the same level of protection to Personal Data as is required by the Data Protection Laws or this DPA; (v) Keep or cause to be kept full and accurate records relating to all Processing of the Personal Data; (vi) Provide all assistance reasonably required by Instructure to respond to, comply with or otherwise resolve any request, question or complaint relating to Personal Data made to it that is received from any regulatory or data protection authority; (vii) Take all reasonable steps to ensure the reliability of any of its employees who have access to the Personal Data; (viii) Appoint a Data Protection Officer if this is legally required by the Data Protection Laws. Partner shall promptly notify the Instructure of the appointment and the contact information of the Data Protection Officer. If not legally required, assign responsibility for compliance with this DPA to a designated person or group within the Partner.
      2. Partner agrees that is shall not, in its capacity as Processor:
         1. Disclose Personal Data to any third-party other than (a) for the purposes of complying with Data Subject access requests and Data Subject Rights (as described in Section 3 (Rights of Data Subjects)) or in accordance with the Data Protection Laws, and (b) in accordance with Section 6 (Subprocessors), as applicable, unless required by applicable law to which Partner is subject; in such a case, Partner shall notify Instructure of such requirement before disclosing the Data, unless that law prohibits such notification.
         2. nclude Personal Data in any product or service offered by Partner to third parties nor Sell, transfer, or otherwise disclose any Data that has been anonymized to any third-party, nor aggregate Controller’s Personal Data, or any part of it, into a larger data set with other data whether anonymized or not, except only as necessary to provide the Partner Applications and/or AI Product.
         3. Except for those pre-approved Subprocessors that are engaged in the performance of the Partner Applications and/or AI Product, share or allow access to Personal Data to any third-party for further Processing by that third-party or its agents (except for the purposes of mere routing of Personal Data through a third-party telecommunications carrier).
         4. Shall not Sell, or share for targeted advertising purposes, Personal Data except as expressly instructed by Instructure.
             
3. RIGHTS OF DATA SUBJECTS.  Partner shall provide Instructure with commercially reasonable cooperation and assistance in relation to the handling and resolution of a Data Subject rights request. Partner shall promptly notify Instructure, but in no less than 72 hours, if it receives a request from a Data Subject to exercise a Data Subject right. Partner shall not respond to any such Data Subject request without Instructure’s prior written consent except to confirm that the request relates to Instructure.
    
4. PROCESSOR PERSONNEL.  Partner shall ensure that all Authorized Persons are subject to a strict duty of confidentiality (whether a contractual or statutory duty). Partner shall not permit any person to Process Personal Data who is not under a duty of confidentiality. Partner shall ensure that all Authorized Persons Process the Personal Data only as necessary for the provision of the Services. Partner shall ensure that Authorized Persons access to Personal Data is limited to those individuals who require such access to perform the Services. Partner shall require all Authorized Persons who have access to Personal Data to comply with all applicable provisions of this DPA and Data Protection Laws.
    
5. ADVERTISING LIMITATIONS. Partner is prohibited from using, disclosing, or selling Personal Data to (i) inform, influence, or enable targeted advertising; (ii) develop a profile of any Data Subject except as permitted under the Agreement; (iii) serve behavioral advertising of any kind to Data Subjects known or reasonably believed to be students or minors; or (iv) enrich, append to, or combine Personal Data with third-party advertising, marketing, or demographic datasets.
    
6. SUBPROCESSORS.
   1. Appointment of Subprocessors: Instructure acknowledges and agrees that: (a) Partner Affiliates may be retained as Subprocessors; and (b) Partner may engage the Subprocessors listed in Schedule 1 – Annex I in connection with the provision of the Partner Services. Any such Subprocessors will be permitted to Process Data only to deliver the services Partner has retained them to provide and are prohibited from using Data for any other purpose. 
   2. Liability. Where a Subprocessor fails to fulfill its data protection obligations, Partner shall remain fully liable to Instructure for the performance of that Subprocessor's obligations. Partner shall be fully liable for the acts and omissions of its Subprocessors as if the Partner performed those acts and omissions themselves.
   3. Due Diligence. Before a Subprocessor first Processes Personal Data, Partner shall carry out adequate due diligence to ensure that the Subprocessor can provide the level of protection for Personal Data required by this DPA and Data Protection Laws.
   4. Obligations to be imposed on Subprocessors. Where Partner engages a Subprocessor, substantially the same data protection obligations as set out in this DPA shall be imposed on that Subprocessor by way of a written contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures, including measures substantially similar to the obligations described in Schedule 2 (Instructure Security Standards), in such a manner that the Processing will meet the Data Protection Laws and the requirements of this DPA.
   5. Right to Information. Instructure has the right to obtain information from the Partner, upon written request, on the substance of the contract and the implementation of the data protection requirements as between Partner and Subprocessor, where necessary by inspecting the relevant contract documents.
   6. Notification of Subprocessor Changes/Appointment. Partner shall inform Instructure of any intended changes to Subprocessors concerning the addition or replacement of a Subprocessor at least 30 days before the change takes effect, giving Instructure and/or the Controller the opportunity to object to such changes. Partner shall provide the full details of the Processing to be undertaken by the Subprocessor. If, within 30 days of receipt of that notice, Instructure notifies Partner in writing of any objections (on reasonable grounds) to the proposed appointment, Partner shall not appoint that proposed Subprocessor. If Partner cannot deliver the Partner Services without the objected-to Subprocessor, Instructure may terminate the affected Partner Services on written notice, without penalty, and Partner shall refund any prepaid, unearned fees on a pro-rata basis.
       
7. INTERNATIONAL TRANSFERS. Partner shall not transfer Data (nor permit the onward transfer of Personal Data) out of approved regions (which shall be approved in advance in writing by the parties) unless it has first obtained Instructure’s prior written consent and, where the transfer is a Restricted Transfer subject to GDPR or UK GDPR, complied with Schedule 5 (EU & UK Addendum), including entry into the applicable Standard Contractual Clauses and UK Addendum.
    
8. GOVERNMENT ACCESS REQUESTS.
   1. If Partner receives a legally binding request to access Personal Data from a governmental authority, Partner shall, unless otherwise legally prohibited, promptly notify Instructure without undue delay, but in no more than 72 hours. Such notice shall include a summary of the nature of the request. To the extent Partner is prohibited by law from providing such notification, Partner shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable Partner to communicate as much information as possible, as soon as possible. 
       
   2. Partner shall challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful. Partner shall pursue possibilities of appeal. When challenging a request, the Partner shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. Partner shall not disclose the Personal Data requested until required to do so under the applicable procedural rules. Partner agrees it will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
9. AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS.
   1. No more than once per year, or (a) following a Security Breach, or (b) as required by regulatory bodies or supervisory authorities, Partner will allow Instructure to audit (i) Partner’s compliance with this DPA, (ii) Partner’s compliance with applicable Data Protection Laws, and (iii) Partner’s security and privacy measures that are in place to ensure protection of Personal Data or any portion thereof as it pertains to the delivery of the Partner Services or the Processing of Personal Data. Audits under the annual entitlement shall be conducted on at least 30 days' written notice, during Partner's normal business hours, and in a manner that does not unreasonably interfere with Partner's operations. Instructure shall bear the costs of routine annual audits; Partner shall bear the costs of audits conducted following a Security Breach, a regulator demand, or a finding of material non-compliance. Instructure may satisfy its audit right by accepting a current SOC 2 Type II report, ISO 27001 certification, or equivalent third-party assessment that materially covers the audit scope, except where a regulator requires a direct audit.
   2. Partner will cooperate with any regulatory body with oversight authority or jurisdiction in connection with audit of investigation of Instructure, or the delivery of the Services or Partner Services and shall provide reasonable access to Partner’s facilities, staff, agents, Personal Data, and all records pertaining to the Partner and delivery of the Services. Failure to reasonably cooperate with this Section 9 shall be deemed a material breach of this DPA.
   3. Partner will cooperate with Instructure where Instructure is conducting a privacy impact assessment or data privacy impact assessment.
       
10. RETURN AND DELETION OF PERSONAL DATA.  Partner shall return and/or securely delete all Personal Data, at Instructure’s sole discretion, within 90 days after termination of the Agreement, or within 30 days upon receipt of written request by Instructure. Until the Personal Data is deleted or returned, the Partner shall continue to ensure compliance with the provisions of this DPA. Upon written request from Instructure, Partner shall promptly certify in writing that it has returned or destroyed (as the case may be) the Personal Data and has not retained copies of any Personal Data. In any event, during the term of the Agreement, Instructure shall notify Partner of all Personal Data that is no longer in use and obtain from Partner written confirmation of the Personal Data being deleted and purged from the Partner services and systems, including backup and recovery systems, and all archival storage media.
     
11. INDEMNIFICATION.  In addition to any indemnification obligations set forth in the Agreement, Partner shall indemnify, defend, and hold harmless Instructure its Affiliates and their respective shareholders, officers, directors, contractors, representatives, and employees (“Indemnified Parties”), from, against and in respect of any losses, liabilities, damages, judgements, claims, causes of action, penalties, assessments, fines, charges, liens, costs and expenses (including, without limitation, reasonable attorneys’ fees and paraprofessionals’ fees, notification and mitigation costs, and court costs) arising out of or related to a Security Breach or Partner’s violation of Data Privacy Laws, including, but not limited to, the misuse, unauthorized access, mishandling, theft by or theft from the Partner or its employees, independent vendors and/or agents (or any person conspiring with the any of the foregoing) of any Personal Data. Partner agrees that any Security Breach, including, but not limited to, unauthorized use or disclosure of Personal Data may cause immediate and irreparable harm to the Indemnified Parties for which money damages may not constitute an adequate remedy. In that event, Partner agrees that injunctive relief may be warranted in addition to any other remedies Indemnified Parties may have. In addition, Partner agrees to take all steps at its own expense reasonably requested by the Indemnified Parties to limit, stop, or otherwise remedy a Security Breach.

Schedule 1 - Description of the Processing/Transfer

1. LIST OF PARTIES
   
   Data exporter(s). 
   
   Name: Instructure Global Limited
   
   Address: Birchin Court 5th Floor, 19-25 Birchin Lane, London EC3V 9DU UK
   
   Contact person’s name, position and contact details: DPO, privacy@instructure.com
   
   Activities relevant to the data transferred under these Clauses: The provision of Services as described in the Agreement.
   
   Signature and date: As described in the Agreement. 
   
   Role (controller/processor): Processor
   
   Data importer(s). 
   
   Name: As described in the Agreement 
   
   Address: As described in the Agreement
   
   Contact person’s name, position, and contact details: As described in the Agreement.
   
   Activities relevant to the data transferred under these Clauses: As described in the DPA
   
   Signature and date: As described in the Agreement.
   
   Role (controller/processor): As described in Section 2 the DPA. 
   
   Categories Of Data Subjects Whose Personal Data Is Processed and/or Transferred. 
   
   (a) Instructure employees, contractors, and prospective customers; (b) personnel of Instructure Customers (including administrators, instructors, faculty, and staff); (c) students enrolled at Instructure Customers, including K-12 students (some of whom are children under 13) and higher-education students; (d) parents and legal guardians where applicable; and (e) other end users interacting with the Partner Services.
    
2. Categories of Personal Data that are Processed and/or Transferred. Demographic data (such as name, email address, phone number, institutional affiliation, address), technical and metadata (such as IP address, cookie data, log data), or any other Personal Data Processed by the Partner Services.
    
3. Sensitive Data Processed and/or Transferred (if Applicable). Not Applicable.
4. The frequency of the Transfer. Continuous for the term of the Agreement.
5. Nature of the Processing. Performance of the Partner Services.
6. Purpose(s) of the Data Transfer and Further Processing. Performance of the Partner Services described in the Agreement.
7. Duration of the Processing. Continuous for the term of the Agreement.
8. Subprocessor Transfers. As described in Section 6 of the DPA and Annex I of this Schedule.
9. Competent Supervisory Authority. The Information Commissioner’s Office of the UK.
10. Technical and Organizational Measures Including Technical And Organizational Measures to Ensure The Security of the Data. The applicable technical and organizational measures are described in Schedule 2 – Instructure Security Standards Addendum.

ANNEX I – LIST OF SUBPROCESSORS

Instructure provides specific authorization for Partner to use Subprocessors in use as of the effective date of Agreement. Partner agrees to provide Instructure with a list of such Subprocessors within 3 days of written request.

Schedule 2 – Instructure Security Standards Addendum

This Instructure Security Standards Addendum is incorporated into and made a part of the DPA to which it is attached for the Services as more particularly described in the Agreement. Capitalized terms not otherwise defined herein shall have the meaning set forth in the DPA or the Agreement. 

1. SECURITY REQUIREMENTS.
   1. Security Standards. Partner represents and warrants that it has an industry standard security program and shall maintain appropriate technical and organizational measures (“Security Standards”) to ensure the security, confidentiality, and integrity of Instructure Data against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to Personal Data. The Security Standards shall include, but are not limited to: (a) physical access controls, (b) logical access controls, (c) annual penetration testing of Partner’s networks by a qualified, independent third-party firm, with an executive summary of findings provided to Instructure on request, (d) intrusion detection and prevention systems, (e) business continuity and disaster recovery program, (f) encryption of Instructure or Customer Personal Data while in transit and at rest in Partner’s networks or computing systems, (g) two-factor authentication for access Partner’s networks or computing systems, (h) email security controls, (i) security, error and access logging that is retained for at least 12 months (or longer where required by law or regulator guidance), (j) malware protection on Partner’s network and computing systems, (k) appropriate security policies including, but not limited to, information security, risk management, security incident response, vulnerability management, policy management and maintenance, data access request, change management, and system access, (l) annual security and privacy training for all employees, staff, contractors, Subprocessors, agents, and subcontractors, (m) incident response policy that is tested regularly, (n) documented vulnerability management program with risk-based remediation targets (critical within 7 days, high within 30 days, medium within 90 days of confirmed identification), and (o) background checks for personnel with access to Instructure Data, to the extent permitted by applicable law..
   2. Network Security.   
      1.  If access to Instructure’s Services or system is required in order to fulfill the Partner Services, Partner is responsible for all use of and access such networks and systems by its Authorized Persons and permitted Subprocessors, and Instructure maintains the right to monitor all user activity and revoke access due to noncompliance to its security policies. 
      2.   Partner agrees that its network security policy will only allow authorized users access and will deny all unauthorized access. 
      3.   Partner represents and warrants that in accessing Instructure systems, Partner, its Authorized Persons will not run any process, audit, or the like, that collects, retrieves, extracts, or otherwise provides access to data, system information, or the like without Instructure’s prior written consent except solely to the extent required to provide the Partner Services. Partner further represents and warrants that in accessing Instructure systems or the Services, no computer instructions, circuitry or other technological means will be introduced those systems the purpose of which or effect is to disrupt, damage, extract information from or interfere with Instructure computers, communications facilities or equipment and their use ("Harmful Code"), and Partner shall prevent the introduction of such Harmful Code in accessing Instructure systems or the Services prior to delivery of such Services. Harmful Code includes, without limitation, any code containing viruses, Trojan horses, worms or like destructive code or code that self-replicates, or cryptocurrency mining tools.
      4.   Partner certifies that Partner (a) has not purposefully created back doors or similar programming for the purpose of allowing access to the Partner Services and/or Personal Data by any governmental authority; (b) has not purposefully created or changed its business processes in a manner that facilitates access to the Partner Services and/or Personal Data by any governmental authority; and (c) is not currently aware of any national law or government policy requiring Partner to create or maintain back doors, or to facilitate access to the Partner Services and/or Personal Data, to keep in its possession any encryption keys or to handover the encryption key to any third-party.
   3. Third-Party Certifications and Audits. Partner must meet the following assessment standards throughout the term of the Agreement, (a) valid ISO/IEC 27001 Certification, or (b) current AICPA SOC 2 Type II with no major findings, or (c) completed third-party security assessment with Instructure with no high-risk findings (if Partner has any risk findings, Partner will provide a remediation plan with mutually agreed to target completion dates).
       
2. SECURITY BREACH MANAGEMENT AND NOTIFICATION. 
   1. Security Breach Notification. If Partner becomes aware of Security Breach, Partner will notify Instructure of the Security Breach without undue delay, and in any event within 48 hours. Partner shall report any Security Breach by emailing security@instructure.com with a copy to privacy@instructure.com. Such notification shall at a minimum and to the extent known by Partner at the time, but with regular timely updates that (a) describe the nature of Security Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned; (b) identify the name of the Partner’s data protection officer or other relevant contact person(s) from whom more information about the Security Breach may be obtained; (c) describe the likely consequences of the Security Breach; and (d) describe the measures taken or proposed to be taken to address the Security Breach.
   2. Security Breach Response. In the event of a Security Breach Partner shall: (a) fully cooperate with Instructure and/or the Controller or anyone acting on its behalf (and with any law enforcement or regulatory official) to investigate and resolve the Security Breach; (b) make reasonable efforts to identify and remediate the cause of such Security Breach; and (c) keep Instructure and the Controller up-to-date about developments in connection with the Security Breach.  Partner agrees to adhere to all applicable Data Protection Laws with respect to a Security Breach related to the Personal Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such Security Breach.
   3. Option to Terminate the Agreement. Instructure may terminate the Agreement immediately and without recourse to the courts, and without further liability or obligation on its part under the Agreement, if any Personal Data subject to a Security Breach arising out of any action or inaction of Partner or its Authorized Persons.

Schedule 3 – Compliance Addendum

1. E-VERIFY. By entering into the Agreement, Partner certifies and ensures that it utilizes and will continue to utilize, for the term of the Agreement, the U.S. Department of Homeland Security’s E-Verify system, in accordance with the U.S. Department of Homeland Security’s rules, to determine the eligibility of (a) all persons employed to perform duties within the United States of America; and (b) all persons (including subcontractors and Subprocessors) assigned by Partner to perform work pursuant to the Agreement, within the United States of America. Partner shall provide, upon request of Instructure and if available, an electronic or hardcopy screenshot of the confirmation or tentative non-confirmation screen containing the E-Verify case verification number for attachment to the Form I-9 for the three (3) most recent hires that match the criteria above, by Partner as proof that this provision is being followed. If this certification is falsely made, the Agreement may be immediately terminated, at the discretion of Instructure, and at no fault to Instructure, with no prior notification. Partner shall also be responsible for the costs of any re-solicitation that Instructure must undertake to replace the terminated Agreement. For persons not eligible for E-Verify screening, Partner (including its Sub-processors) shall provide, upon request by Instructure, another form of documentation of proof of eligibility to work in the United States of America.
2. MODERN SLAVERY. For the purposes of this Section, “Modern Slavery” shall have the same meaning as under relevant legislation, including the UK Modern Slavery Act 2015 and the Australia Modern Slavery Act 2018, as applicable to Partner. Partner agrees to take reasonable steps to identify, assess and address risks of Modern Slavery practices in the operations and supply chains used in the provision of the Services. If at any time during the term of the Agreement, Partner becomes aware of Modern Slavery practices in the operations and supply chains used in the performance thereof, Partner must as soon as reasonably practicable take all reasonable action to address or remove these practices, including where relevant by addressing any practices of other entities in its supply chains. 
3. DRUG FREE WORKPLACE. For the purposes of this section, “drug-free workplace” means a site for the performance of work done in connection with the Agreement. During the performance of the Agreement Partner agrees to (a) provide a drug-free workplace for Partner’s employees; (b) post in conspicuous places, available to employees and applicants for employment, a statement notifying employees that the unlawful manufacture, sale distribution, dispensation, possession, or use of a controlled substance or marijuana is prohibited in Partner’s workplace and specifying the actions that will be taken against employees for violations of such prohibition; (c) state in all solicitations or advertisements for employees placed by or on behalf of Partner that Partner maintains a drug-free workplace; and (d) include the provisions of the foregoing clauses in every subcontract or purchase order of over $10,000, so that the provisions will be binding upon each subcontractor or Partner. 
4. ANTI-CORRUPTION AND BRIBERY. Partner acknowledges that it is familiar with and understands the provisions of the U.S. Foreign Corrupt Practices Act and the UK Bribery Act ("the Acts") and agrees to comply with their terms as well as any provisions of local law. Partner further understands the provisions relating to the Acts’ prohibitions regarding the payment or giving of anything of value, either directly or indirectly, to any party, any official of a government or political party for the purpose of influencing an act or decision in his or her official capacity or inducing the official to use his or her party's influence with that government, to obtain or retain business. Partner agrees to not violate or knowingly let anyone violate the Acts with respect to the sale, licensing, and use of the Services and Partner Services. Upon Instructure’s request, Partner agrees to provide Instructure with written certifications of Partner’s compliance with the Acts. Partner shall indemnify and defend Instructure and hold Instructure harmless from and against any and all claims, losses, liabilities, suits, actions, demands, damages, costs and other expenses caused by Partner’s failure to comply with the Acts or any such similar laws, regulations or rules.

Schedule 4  – U.S. State Privacy Laws Addendum

This Schedule 4 only applies to solely the extent that Partner processes Data subject to Applicable State Privacy law. This U.S. State Privacy Laws Addendum (" Schedule 4 ") supplements the DPA and is incorporated into the Agreement. Capitalized terms used but not defined in this US Addendum have the meanings given to them in the DPA or Agreement. 

1. DEFINITIONS . In this Schedule 5, the following terms shall have the meanings set out below.
   1. "Applicable State Privacy Law(s)" means any state law in the United States that regulates the processing of personal information or personal data and that is in effect and applicable to the Processing under this Agreement, including (as of the Effective Date) the California Consumer Privacy Act (as amended by the California Privacy Rights Act) and its implementing regulations (the "CCPA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act and its implementing regulations, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, the Montana Consumer Data Privacy Act, the Iowa Consumer Data Protection Act, the Delaware Personal Data Privacy Act, the New Hampshire Privacy Act, the New Jersey Data Privacy Act, the Tennessee Information Protection Act, the Minnesota Consumer Data Privacy Act, the Maryland Online Data Privacy Act, and any other comparable state law in effect and applicable to the Processing from time to time.
   2. The terms "business", "business purpose", "consumer", "controller", "personal data", "personal information", "processing", "processor", "sale", "sell", "service provider", and "share" as used in this US Addendum (including the DPA to the extent it is incorporated by reference into this US Addendum) have the meanings given in Applicable State Privacy Laws.
   3. References in this US Addendum (including the DPA to the extent it is incorporated by reference into this US Addendum) to "controller", "data subject", and "processor" include "business", "consumer", and "service provider", respectively, as defined by Applicable State Data Privacy Laws.
2. DURATION. Regardless of whether the applicable Agreement has terminated or expired, this Schedule 4 will remain in effect until, and automatically expire when, the DPA expires.
3. ROLES AND COMPLIANCE; AUTHORIZATION.
   1. Processor and Controller Responsibilities. If Applicable State Privacy Laws apply to the processing of Personal Data: (a) Schedule 1 of the DPA describes the subject matter and details of the processing of Personal Data; (b) Instructure is a Controller of Personal Data under Applicable State Privacy Laws; and (c) Each Party will comply with the obligations applicable to it under Applicable State Privacy Laws with respect to the processing of Personal Data.
4. CCPA Requirements. With respect to Partner’s processing of Personal Data in accordance with the CCPA, Partner will not, unless otherwise permitted under the CCPA: (a) sell or share Personal Information; (b) retain, use or disclose Personal Data (i) other than for a business purpose under the CCPA on behalf of Instructure and the specific purpose of performing the Services, or (ii) outside of the direct business relationship between Partner and Instructure; or (c) combine Personal Information with other information that Partner (i) receives from or on behalf of a third-party or (ii) collects from its own interactions with a consumer.
   1. Third Party Notifications. Instructure will promptly notify Partner and provide all necessary information to Partner after receiving and verifying a Consumer request, and Partner shall promptly take such actions and provide such information as Instructure may reasonably request pertaining to a Instructure’s Personal Information in order to help Instructure fulfill requests of individuals to exercise their rights under the CCPA, including, without limitation, requests to access, correct, delete, opt out of the Sale or Sharing of, or receive information about Personal Information pertaining to them. If Partner receives any request directly from Instructure’s Customer, then Partner may either (a) advise the Customer to contact Instructure directly with such request or (b) contact Instructure to respond directly to the Customer. 
   2. Acknowledgments and Obligations. Partner (a) acknowledges that Personal Information is disclosed by Instructure only for the limited and specified purposes of providing the Services described the Agreement; (b) shall comply with obligations applicable to service providers under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA, including the same privacy protection required to be provided by businesses; (c) agrees that Instructure may take reasonable and appropriate steps consistent with this Section to help to ensure that Partner’s use of Personal Information is consistent with Instructure’s or the relevant Customer’s obligations under the CCPA; (d) shall notify Instructure promptly of any determination made by Partner that it can no longer meet its obligations under the CCPA; and (e) agrees that Instructure may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information, consistent with and in accordance with Applicable State Privacy Laws, by requesting reasonable documentation from Partner that verifies Partner no longer retains or uses Personal Information that is subject to a valid Data Subject deletion request.
   3. Data Subject Request Assistance. Partner will, taking into account the nature of the processing of Personal Information, assist Instructure in fulfilling its (or, where Instructure is a Processor, the relevant Controller’s) obligations under the CCPA to respond to requests for exercising the Data Subject’s rights by: (a) providing security controls in accordance with Schedule 2 (Information Security Standards); (b) complying with Section 3 of the DPA (Rights of Data Subject); and (c) providing the functionality of the Services. 
5. State Privacy Law — General Obligations. For all Applicable State Privacy Laws other than the CCPA, Partner agrees to comply with the obligations applicable to a "processor," "service provider," or equivalent role under each such law, including: (a) processing Personal Data only on Instructure's documented instructions; (b) imposing equivalent duties on Subprocessors; (c) assisting Instructure with Data Subject rights requests, data protection assessments, and regulator inquiries; (d) not combining Personal Data from Instructure with personal data from other sources except as permitted; (e) not selling or sharing Personal Data for targeted advertising; and (f) deleting or returning Personal Data at the end of the processing relationship as required by the applicable law.

Schedule 5 – EU & UK Addendum

This Schedule 5 shall only apply to the extent that Partner Processes Personal Data from Data Subjects located in the EEA, UK, or is subject to the jurisdiction of Data Protection Laws of the EEA or UK. In case of any discrepancy between the DPA and this Schedule 5, this Schedule 6 shall prevail. Capitalized terms used but not defined in this US Addendum have the meanings given to them in the DPA or Agreement. 

1. Definitions. In this Schedule 5, the following terms shall have the meanings set out below.
   1. “EEA” means the European Economic Area, consisting of the Member States of the European Union and Iceland, Liechtenstein, and Norway.
   2. “Data Privacy Framework” means the EU-US and/or Swiss-US Data Privacy Framework self-certification program operated by the U.S. Department of Commerce.
   3. “Data Privacy Principles” mean the Data Privacy Framework Principles (as supplemented by the Supplemental Principles).
   4. “GDPR” means the means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.
   5. “Standard Contractual Clauses” means the contractual clauses issued by the European Commission by implementing decision 2021/914 of 4th of June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and the UK International Data Transfer Addendum (“UK Addendum”), and any similar measures promulgated pursuant to the GDPR to address the transfer of Personal Data to a Third-country and any amendments and replacements thereto as may be promulgated from time to time.
   6. “Supplementary Measures” means technical, organizational, and contractual measures as described in EDPB Guideline adopted on 18th June 2021 the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
   7. “Third-country” means a country that is neither part of the EEA nor has been declared adequate by a decision of the European Commission according to the mechanism lined out in Article 45 GDPR.
   8. “UK” means the United Kingdom, Wales, and Northern Ireland. 
2. Processing. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects about whom Personal Data is Processed under this DPA are further specified in Schedule 1.
3. Cross Border Data Transfers. Instructure acknowledges and agrees that Partner may be established in a Third-country and that providing the Services may require transfer to, and Processing of Personal Data within a Third-country. All transfers to a Third-country are subject to the following conditions: (a) Instructure has given prior authorization for the transfer by signing the DPA; (b) Personal Data are Processed under the terms of the Agreement and the DPA; (c) there is a valid transfer mechanism in place in accordance with applicable Data Protection Laws; and (d) Partner shall implement the Supplementary Measures, where necessary to ensure the level of protection required by Data Protection Laws, informed by a documented Transfer Impact Assessment (TIA) conducted by Partner and made available to Instructure on reasonable request.
4. Order of Precedence. In the event the Services are covered by more than one transfer mechanism under the GDPR, the transfer of Personal Data will be subject to a single transfer mechanism, as applicable, and in accordance with the following order of precedence: (a) the Data Privacy Framework as set forth in Section 4.1; (b) the Standard Contractual Clauses as set forth in Section 4.2 and, if neither (a) nor (b) is applicable, then (c) other applicable data transfer mechanisms permitted under applicable Data Protection Laws.
   1. Data Privacy Framework. To the extent that Partner Processes any Personal Data via the Services originating in the EU, UK, or Switzerland, Instructure represents that it is self-certified under the Data Privacy Framework and complies with the Data Privacy Principles when processing any such Personal Data. To the extent that Partner is (a) located in the U.S. and is self-certified under the Data Privacy Framework, or (b) located in the EEA or Switzerland, Partner agrees (i) to provide at least the same level of protection to any Personal Data as required by the Data Privacy Principles; (ii) to notify Instructure in writing, without undue delay, if its self-certification to the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated (in which case, the Standard Contractual Clauses will apply in accordance with Section 4.2 ; and (iii) upon written notice, to work with Instructure to take reasonable and appropriate steps to stop and remediate any unauthorized processing of Personal Data. If the Data Privacy Framework (or the applicable component thereof) is invalidated, suspended, or otherwise ceases to provide a lawful basis for the transfer of Personal Data, the Parties shall, without further action, be deemed to have entered into the Standard Contractual Clauses under Section 4.2 as the transfer mechanism, effective as of the date of such invalidation or suspension.
   2. Standard Contractual Clauses: A valid transfer mechanism referred in Section 4 is: 
      1. where Partner acts as a Processor and Instructure acts as a Controller, the Standard Contractual Clauses, Module TWO: Transfer Controller to Processor; 
      2. where Instructure acts as a Processor and Partner acts as a Processor, the Standard Contractual Clauses, Module THREE: Transfer Processor to Processor; 
      3. and in both cases, the UK Addendum thereto attached as Annex IV, and all of the foregoing are deemed to be incorporated herein by reference as set forth below. In respect of the Standard Contractual Clauses, the Parties agree on the following: (i) In clause 7, the Parties choose to include the “docking clause”; (ii) where Module Two or Three applies, in clause 9, the Parties choose Option 2: “general written authorization”; (iii) where Module Two or Three applies, in clause 9, the Parties choose 20 days as the specific time period; (iv) in clause 11, the Parties do not choose the optional complaint mechanism; (v) in clause 17, the governing law is the law of the EU Member State w here the Customer is established in an EU Member State, the law in that EU Member State; or where the Customer is not established in an EU member state but has appointed a representative pursuant to Article 27(1) of the GDPR, the law in the EU Member State in which the Customer’s representative is located; or where the data exporter is not established in an EU member state and is not required to appoint a representative pursuant to Article 27(2) of the GDPR, the law of the UK, or as defined in the Agreement; and in clause 18, the country of the applicable court in respect of any disputes arising from Standard Contractual Clauses is the courts of the EU member state in which in which the Parties have denoted choice of law above
5. To the extent that Partner uses a Subprocessor in a Third-country for the Processing of Personal Data, the following shall apply in addition to Section 4 above: (a) Instructure has given prior authorization for the transfer by signing the Agreement; (b) there is a valid transfer mechanism in place in accordance with Data Protection Laws; and (c) Partner makes information on the transfer mechanism, and where applicable, the Standard Contractual Clauses, available without undue delay to Instructure.

ANNEX I

A.   LIST OF PARTIES: As described in Schedule 1.

B.   DESCRIPTION OF TRANSFER. As described in Schedule 1

C.   COMPETENT SUPERVISORY AUTHORITY - As described in Schedule 1

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

As described in Schedule 2.

ANNEX III - LIST OF SUBPROCESSORS

The controller has authorized the use of the following Subprocessors described in Annex I to Schedule 1.

ANNEX IV - Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018 - International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract

Part 1: Tables

Table 1: Parties

Table 2: Selected SCCs, Modules and Selected Clauses

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Table 4: Ending this Addendum when the Approved Addendum Changes

Part 2: Mandatory Clauses