Last Updated Date: June 19th, 2018
This Data Processing Addendum (“ADDENDUM”) forms part of the “Instructure Standard Terms and Conditions” or other written or electronic agreement (“AGREEMENT”) between Customer and Instructure for the use of Instructure services (“SERVICES”) and reflects the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of the applicable Data Protection Laws. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
HOW THIS ADDENDUM APPLIES
This Addendum does not replace any rights relating to Processing of Data previously negotiated by Customer in the Agreement. In the event of a conflict between the data processing terms in this Addendum and any existing data processing terms within the Agreement, the data processing terms in this Addendum shall control.
DATA PROCESSING TERMS
In the course of providing the Services to Customer pursuant to the Agreement, Instructure only Processes Personal Data on behalf of Customer. Instructure agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Services or collected and Processed by or for Customer using the Services.
- 1.1. “CUSTOMER” means the relevant entity that has entered into an agreement with Instructure to receive Instructure Services.
- 1.2. “CUSTOMER CONTENT” has the same meaning as in the Agreement
- 1.3. “DATA CONTROLLER” means the entity which determines the purposes and means of the Processing of Personal Data.
- 1.4. “DATA PROCESSOR” means the entity which Processes Personal Data on behalf of the Data Controller.
- 1.5. “DATA PROTECTION LAWS AND REGULATIONS” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Agreement.
- 1.6. “DATA SUBJECT” means the individual to whom Personal Data relates.
- 1.7. “INSTRUCTURE” means Instructure Global Ltd. and its affiliates engaged in the Processing of Personal Data.
- 1.8. “PERSONAL DATA” means any information relating to (i) an identified or identifiable person and, (ii) an identified or identifiable legal entity (where protected under applicable Data Protection Laws and Regulations), where such data is submitted to the Services as Customer Content.
- 1.9. “PROCESS”, “PROCESSES” or“PROCESSING” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, transfer, dissemination by means of transmission, distribution or otherwise making available, merging, linking as well as blocking, erasure or destruction.
- 1.10. “SUBPROCESSOR” means any Data Processor engaged by Instructure for processing or having authorized access to Personal Data.
2. DATA PROCESSING
- 2.1. ROLES OF THE PARTIES. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer acts as the Data Controller, Instructure acts as the Data Processor, and that Instructure will engage Subprocessors pursuant to the requirements set forth in section 5 “SUBPROCESSORS” below.
- 2.2. COMPLIANCE WITH LAWS. Each party will comply with all laws, regulations and rules applicable to it in the performance of this Addendum, including Data Protection Laws and Regulations.
- 2.3. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Personal Data in accordance with Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
- 2.4. INSTRUCTURE’S PROCESSING OF PERSONAL DATA. Instructure shall only Process Personal Data on behalf of and in accordance with Customer’s instructions and shall treat Personal Data as Confidential Information. Customer instructs Instructure to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
- 2.5. PURPOSE, OBJECT AND DURATION OF THE PROCESSING. The purpose and object of the Processing is to enable Instructure to access the Personal Data required for the provision of the Services, as specified in the Agreement and this Addendum, on behalf of and for the benefit of the Customer. The Processing shall commence on the Effective Date and continue for the duration of the Agreement.
3. RIGHTS OF DATA SUBJECTS
- 3.1. CORRECTION, DELETION AND BLOCKING. To the extent Customer, in its use of the Services, does not have the ability to correct, amend, block or delete Personal Data as required by Data Protection Laws and Regulations, Instructure shall comply with any commercially reasonable written request by Customer to facilitate such actions to the extent Instructure is legally permitted to do so. To the extent legally permitted, Customer shall be responsible for any costs arising from Instructure’s provision of such assistance.
- 3.2. DATA SUBJECT REQUESTS. Instructure shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. Instructure shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer. Instructure shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use of the Services. If legally permitted, Customer shall be responsible for any costs arising from Instructure’s provision of such assistance.
4. INSTRUCTURE PERSONNEL. Instructure shall take reasonable steps to ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- 5.1. APPOINTMENT OF SUBPROCESSORS AND CUSTOMER CONSENT. Customer acknowledges and agrees that Instructure may engage third-party Subprocessors in connection with the provision of the Services.
- 5.2. PROCESSING RESTRICTIONS. Instructure will ensure that Subprocessors only access and use Personal Data in accordance with the terms of the Agreement and that they are bound by written obligations that require them to provide at least the level of data protection required by Data Protection Laws and Regulations.
- 5.3. LIABILITY. Instructure shall be liable for the acts and omissions of its Subprocessors to the same extent Instructure would be liable if performing the Services of each Subprocessor directly under the terms of this Addendum, except as otherwise set forth in the Agreement.
- 5.4. LIST OF CURRENT SUBPROCESSORS AND NOTIFICATION OF NEW SUBPROCESSORS. A current list of Subprocessors as may be used for Processing Data is available to Customer. For the avoidance of doubt, Instructure may continue to use those Subprocessors already engaged by Instructure as at the Effective Date. Instructure shall give Customer prior written notice of the appointment of any new Subprocessor, including details of the Processing to be undertaken by the Subprocessor. If, within five days of receipt of that notice, Customer notifies Instructure in writing of any objections (on reasonable grounds) to the proposed appointment, Instructure shall not appoint that proposed Subprocessor until reasonable steps have been taken to address the objections raised by the Customer and the Customer has been provided with a reasonable written explanation of the steps taken. If Instructure is unable to address the reasonable objections of Customer, Instructure shall terminate the portion of the Service that cannot be provided by Instructure without the objected- to Subprocessor by providing written notice to Customer.
6. SECURITY CONTROLS. Instructure will take and implement appropriate administrative, organizational and technical safeguards designed to maintain the confidentiality, integrity and availability of Customer Content, including Personal Data. Instructure may update or modify the stated security safeguards from time to time provided that Instructure will not materially decrease the overall security of the Services during the term of the Agreement.
7. AUDIT RIGHTS. Upon Customer’s written request, subject to the confidentiality obligations set forth in the Agreement, and no more than once per year, Instructure shall make available to Customer information regarding Instructure’s compliance with the obligations set forth in this Addendum in the form of the third-party certifications and audits conducted by Instructure to the extent Instructure makes them generally available to its customers.
8. DATA PROTECTION IMPACT ASSESSMENTS.Instructure shall provide reasonable assistance to Customer with any data protection impact assessments which Customer reasonably considers to be required under Data Protection Laws and Regulations, solely in relation to Processing of Personal Data by Instructure.
9. NOTIFICATION OBLIGATIONS. Instructure maintains security incident management policies and procedures and shall promptly notify Customer of any actual or reasonably suspected unauthorized disclosure of Customer Content, including Personal Data, by Instructure or its Subprocessors of which Instructure becomes aware (a “SECURITY BREACH”). To the extent such Security Breach is caused by a violation of the requirements of this Addendum by Instructure, Instructure shall make reasonable efforts to identify and remediate the cause of such Security Breach.
10. RETURN AND DELETION OF CUSTOMER CONTENT. Instructure shall return Customer Content to Customer or delete Customer Content in accordance with the terms of the Agreement.
11. LEGAL EFFECT. This Addendum shall only become legally binding between Customer and Instructure when the parties execute an Order Form for the Services.
12. NONDISCLOSURE. The terms of this Addendum are not publicly known and constitute Confidential Information under the Agreement. Customer may only disclose the terms of this Addendum to a data protection regulatory authority to the extent required by law or regulatory authority. Customer shall take reasonable steps to ensure that data protection regulatory authorities do not make the terms of this Addendum public, including by marking any copies as “Confidential,” requesting return of any copies, and requesting prior notice and consultation before any public disclosure.
13. LIMITATION OF LIABILITY. Customer’s remedies with respect to any breach by Instructure of the terms of this Addendum will be subject to any aggregate limitation of liability that applies to Customer under the Agreement.