By continuing to browse or by clicking "accept all cookies," you agree to the storing of first- and third-party cookies on your device to enhance site navigation, alalyze site usage, and assist in our marketing efforts.

Privacy Policy

THE GENERAL DATA PROTECTION REGULATION (GDPR)

GDPR stands for the General Data Protection Regulation. The GDPR is the new European Union (“EU”) law that regulates the personal data of individuals in the EU. It replaces the EU Data Protection Directive, the EU’s current privacy law, which was been in place since 1995. The GDPR harmonises data protection law across Europe and introduces sweeping changes that require companies to make significant updates to their privacy and security policies and practices.

Instructure is committed to helping our customers comply with GDPR.

WHEN DID THE GDPR BECOME ENFORCEABLE?

The GDPR became enforceable on May 25, 2018. From that time, companies are legally required to comply with the GDPR.

WHAT DOES THE GDPR APPLY TO?

GDPR applies to the personal data of individuals in the EU. Personal data is defined as any type of information that identifies or can be linked to an individual. In addition to the usual types of personal data (i.e., name, address, phone number), this definition can also include information such as an IP address or device identifier. The GDPR requires entities to handle personal data in specific ways and gives individuals new rights related to the processing of their personal data, among other obligations.

WHAT ACTIONS DID INSTRUCTURE TAKE TO COMPLY WITH GDPR?

Instructure put implementation actions into place to comply with the European Commission’s replacement law for the Data Protection Directive 95/46/EC, the General Data Protection Regulation (“GDPR”), before the enforcement date (25 May 2018).

To ensure GDPR readiness, Instructure completed the following:

SAFEGUARDS FOR CROSS-BORDER DATA TRANSFER

One of the GDPR’s requirements is that any personal data transferred “cross-border”, i.e., outside of the EU, can only be moved pursuant to a legal mechanism. The Privacy Shield Framework is one legal mechanism to make these cross-border data transfers to the United States legitimate. Instructure self-certified under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield in November 2017 and our certification remains in good standing, which helps us comply with this requirement of the GDPR.

Instructure also uses the European Commission’s Standard Contractual Clauses (model clauses) as an alternative, lawful method to transfer personal data outside the EU. By incorporating these model clauses into Instructure’s Data Processing Addendum (“DPA”), both data controllers (Instructure’s EU-based customers) and data processors (Instructure) are contractually obligated to certain technical and organisational safeguards relating to individuals’ (Instructure’s EU-based customers’ end users) privacy rights.

DID INSTRUCTURE CONDUCT ANY MAJOR CHANGES TO ITS PRACTICES AS PART OF COMPLIANCE WITH GDPR?

Instructure has always taken privacy seriously. We have a longstanding practice of undertaking internal privacy assessments of our products and of adopting a “privacy by design” approach to product development. We built our GDPR compliance efforts on this foundation, including the definition of procedures to cover all rights individuals have under GDPR. In addition, Instructure appointed a Data Protection Officer to oversee our internal “privacy by design” efforts.

OTHER QUESTIONS?

Please contact us at privacy@instructure.com for more information.

Forms validated with reCAPTCHA and subject to Google Privacy & Terms

Canvas Regions × United States and Canada Latin America Brazil United Kingdom European Union Austria, Germany and Switzerland Hong Kong Australia and New Zealand