This Data Processing Addendum (“DPA”) supplements the Agreement between you and D2L. It is entered into between you, as the Controller, and D2L, as the Processor, and forms an integral part of the Agreement governing your use of the Services. Unless expressly defined in Section 13, all capitalized terms have the meanings assigned to them in the Agreement.

This DPA sets out the additional terms under which the Processor will process Personal Data on behalf of the Controller in connection with the Services. It is intended to apply globally, and its safeguards are designed to meet or exceed the requirements of comprehensive Data Protection Laws worldwide. These obligations apply to all Personal Data processed under the Agreement, regardless of where the data originates or is processed.

If the Agreement already contains a data processing addendum or similar data protection terms, those terms will prevail in the event of a conflict.

1 Interpretation

1.1
This DPA is incorporated into, and subject to, the terms of the Agreement. Defined terms in the Agreement apply to this DPA unless otherwise specified.
1.2
The Exhibits and any referenced URLs form part of this DPA and have the same effect as if they were included in full in the body of this DPA.
1.3
In the event of any conflict or ambiguity:
1.3.1
Between the body of this DPA and any Exhibit or referenced URL, the terms of the DPA prevail;
1.3.2
Between this DPA and the Agreement, this DPA prevails; and
1.3.3
Between this DPA and any executed SCCs, the SCCs prevail.

2 Processing of Data

2.1
The Controller and the Processor agree and acknowledge that for the purpose of the Data Protection Laws: (i) the Controller retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Laws, and (ii) the Agreement describes the subject matter, duration, nature and purpose of the Processing and the Personal Data categories and Data Subject types in respect of which the Processor may Process the Personal Data to fulfil the Business Purposes.
2.2
The duration of Processing shall be the term of the Agreement (and with respect to specific orders, as such term is defined in the Agreement, the duration of Processing shall be the term of such order).

3 Processor’s Obligations

3.1
The Processor will only process the Personal Data to the extent, and in such a manner, as is necessary to provide the Services in accordance with Exhibit A (Details of Processing), the Controller’s written instructions and the terms of the Agreement. The Processor will not Process the Personal Data for any other purpose or in a way that does not comply with this DPA, the Agreement or the Data Protection Laws. The Processor must promptly notify the Controller if, in its opinion, the Controller’s instructions do not comply with the Data Protection Laws.
3.2
The Processor must comply promptly with any Controller written instructions requiring the Processor to amend, transfer, delete or otherwise Process the Personal Data, or to stop, mitigate or remedy any unauthorised Processing.
3.3
The Processor will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Controller or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulator. If a domestic law, court or regulator requires the Processor to Process or disclose the Personal Data to a third party, the Processor must first inform the Controller of such legal or regulatory requirement and give the Controller an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
3.4
The Processor will reasonably assist the Controller, at no additional cost to the Controller, with meeting the Controller’s compliance obligations under the Data Protection Laws, taking into account the nature of the Processor’s Processing and the information available to the Processor, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the relevant regulator under the Data Protection Laws.
3.5
The Processor must notify the Controller promptly of any changes to the Data Protection Laws that may reasonably be interpreted as adversely affecting the Processor’s performance of this DPA.

4 Authorised Employees

4.1
The Processor will ensure that all of its employees: (i) are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions that prevent them from disclosing or otherwise Processing Personal Data for unauthorized purposes, both during and after their engagement with the Processor; (ii) have undertaken training on the Data Protection Laws, how they relate to the handling of the Personal Data and how they apply to their particular duties; and (iii) are aware both of the Processor’s duties and of their personal duties and obligations under the Data Protection Laws and this DPA.
4.2
The Processor will take reasonable steps to ensure the reliability, integrity and trustworthiness of all the Processor’s employees with access to the Personal Data and will limit access to Personal Data to only those employees who need to have the Personal Data to perform the Services.
4.3
Processor has appointed a data protection officer where such appointment is required by Data Protection Laws and shall provide the Controller with such officer’s contact information upon request.

5 Sub-Processors

5.1
Authorized Sub-Processors. Controller authorizes the use of the Sub-Processors as set out at https://www.d2l.com/legal/d2ls-third-party-subprocessors/ (“Sub-Processors List”). The Sub-Processors List will include the Sub-Processor’s name, and processing locations.
5.2
The Processor shall maintain the Sub-Processors List and may add or remove Sub-Processors from time to time. Controller is responsible for reviewing this list on a regular basis.
5.3
The Processor will provide a mechanism to obtain notice of updates to the Sub-Processors List. Unless the Controller submits a written objection within ten (10) days of receiving such notice, the Processor may engage the new Sub‑Processor.
5.4
If the Controller objects in accordance with this section, the Processor will work with the Controller in good faith to find a commercially reasonable alternative. If no such alternative is available, the Processor may either (i) continue to provide the Services without the affected component, if feasible; (ii) if possible, find a mutually agreed alternative; or (iii) allow the Controller to terminate the Agreement, pursuant to its terms.
5.5
Where the Processor authorizes a Sub-Processor as described in Section 5.1:
5.5.1
The Processor will restrict the Sub-Processor’s access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and the Processor will prohibit the Sub-Processor from accessing Customer Data for any other purpose;
5.5.2
The Processor will enter into a written agreement with the Sub-Processor and, to the extent that the Sub-Processor performs the same data processing services provided by the Processor under this DPA, the Processor will impose on the Sub-Processor the same contractual obligations that the Processor has under this DPA; and
5.5.3
The Processor will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause the Processor to breach any of the Processor’s obligations under this DPA.
5.6
On the Controller’s written request, the Processor will audit a Sub-Processor’s compliance with its obligations regarding the Personal Data and provide the Controller with the audit results. Where the Controller concludes reasonably that the Sub-Processor is in material default of its obligations regarding the Personal Data, the Controller may, in writing, instruct the Processor to instruct the Sub-Processor to remedy such deficiencies within fifteen (15) days.

6 Security of Personal Data

6.1
The Processor must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data, including but not limited to, the security measures set out in Exhibit B.
6.2
The Processor must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
6.2.1
The pseudonymization and encryption of Personal Data;
6.2.2
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
6.2.3
The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
6.2.4
A process for regularly testing, assessing and evaluating the effectiveness of the security measures.

7 Security Incident Notification

7.1
Security Incident. D2L will (a) notify the Controller of a Security Incident without undue delay after becoming aware of it, and (b) take appropriate measures to address the Security Incident, including steps to mitigate any adverse effects resulting from it.
7.2
D2L Assistance. To enable the Controller to notify a Security Incident to supervisory authorities or to Data Subjects (as applicable), D2L will cooperate with and assist the Controller by including in its notice under Section 7.1 such information about the Security Incident as D2L is able to disclose, taking into account the nature of the Processing, the information available to D2L, and any restrictions on disclosure, including confidentiality obligations. The Controller acknowledges that it is best positioned to determine the likely consequences of a Security Incident.
7.3
Unsuccessful Security Incidents. The Controller agrees that:
7.3.1
An unsuccessful Security Incident is not subject to this Section 7. An unsuccessful Security Incident is one that does not result in unauthorized access to Personal Data or to any D2L systems or facilities storing Personal Data. Such incidents may include, without limitation, pings or other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log‑on attempts, denial‑of‑service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers), or similar events; and
7.3.2
D2L’s obligation to notify or respond to a Security Incident under this Section 7 is not, and will not be construed as, an acknowledgement of fault or liability by D2L with respect to the Security Incident.
7.4
Communication. Any notification of a Security Incident will be delivered to the Controller’s designated Approved Support Contacts (“ASC”) by any reasonable method chosen by D2L, including email. The Controller is solely responsible for ensuring that its ASC information is accurate and kept up to date.
7.5
Notification Obligations. If D2L notifies the Controller of a Security Incident, or if the Controller otherwise becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, the Controller is responsible for (a) determining whether any notification or other obligation arises under applicable Data Protection Laws, and (b) taking all necessary steps to comply with those obligations.

8 Transfers of Personal Data

8.1
Mechanism. The Processor may only process, or permit the processing of, the Personal Data outside the Data Subject’s territory under one of the following conditions:
8.1.1
The transfer is into a territory which is subject to a valid and current adequacy decision under the applicable Data Protection Laws; or
8.1.2
The Processor participates in a valid cross-border transfer mechanism under the Data Protection Laws, and any applicable appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals.
8.2
SCCs. If any Personal Data transfers between the Controller and the Processor require execution of SCCs in order to comply with the Data Protection Laws, the parties will complete all relevant details in, and execute, the SCCs and take all other actions required to legitimize the transfer, including but not limited to conducting transfer impact assessments and implementing appropriate safeguards where required by applicable Data Protection Laws.
8.3
Sub-Processors. If the Controller consents to the appointment by the Processor of a Sub-Processor, in compliance with the provisions of Section 5, then the Controller authorises the Processor to enter into SCCs with the Sub-Processor. The Processor shall ensure that the SCCs executed with each Sub-Processor provide a level of protection for Personal Data that is at least equivalent to the protections required of the Processor under this DPA.

9 Rights of Data Subjects

9.1
Processor shall, to the extent permitted by law, notify Controller in writing and without undue delay, upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, and/or objection to being subject to Processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Processor receives a Data Subject Request in relation to Controller’s data, Processor shall advise the Data Subject to submit their request to the Controller and the Controller will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Controller’s requests for assistance with Data Subject Requests shall be submitted to the Processor via [email protected].
9.2
Processor shall, at the request of the Controller, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organisational measures to assist Controller in complying with Controller’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Controller is itself unable to respond without Processor’s assistance and (ii) Processor is able to do so in accordance with all applicable laws, rules, and regulations. Processor shall not charge the Controller any fees for assistance with standard Data Subject Requests unless permitted under applicable law.

10 Actions and Access Requests

10.1
Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance, where necessary for Controller to comply with its obligations under the Data Protection Laws, conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information.
10.2
Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any regulator, where necessary and where required by applicable Data Protection Laws.
10.3
Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA.
10.4
Processor shall make available for Controller’s review (i) copies of Processor’s certifications; and/or (ii) upon Controller’s request no more than once per calendar year, reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of the Personal Data. Should Controller have serious cause to believe that Processor is in material breach of its obligations hereunder, Processor shall allow Controller or its authorised representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure that is sufficient to demonstrate Processor’s compliance with its obligations under this DPA, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections. However, if the requested audit scope is addressed in an ISO, SOC, or similar audit report performed by a qualified third-party auditor within twelve (12) months of Controller’s request and Processor confirms there are no known material changes in the controls audited, Controller agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

11 Term and Termination

11.1
This DPA shall remain in full force and effect so long as the Agreement remains in effect (“Term”).
11.2
Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement to protect the Personal Data shall remain in full force and effect.
11.3
The Processor’s failure to comply with the terms of this DPA is a material breach of the Agreement. In such event, the Controller may terminate the Agreement effective immediately on written notice to the Processor without further liability or obligation of the Controller.

12 Data Destruction

12.1
On termination of the Agreement for any reason, or on expiry of its term, the Processor shall, in accordance with the applicable terms of the Agreement, securely delete or destroy, and not retain, all or any of the Personal Data related to this DPA in its possession or control.
12.2
If any law, regulation, or government or regulatory body requires the Processor to retain any documents, materials or Personal Data that the Processor would otherwise be required to destroy, it will notify the Controller in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
12.3
The Processor shall, within 15 business days of receiving a written request from the Controller, confirm in writing to the Controller that it has deleted or destroyed the Personal Data.

13 Definitions

“Agreement”
means the terms and conditions entered into by D2L and you for the provision of services, which includes any schedules, exhibits, or annexes.
“Authorised Employee”
means an employee of Processor who has a need to know or otherwise access Personal Data to enable Processor to perform its obligations under this DPA or the Agreement.
“Business Purposes”
means the business requirements for which Processor was engaged to process Controller’s Personal Data.
“D2L”
means the D2L corporate entity identified in your Agreement.
“DPA”
means this Data Processing Agreement.
“Data Protection Laws”
means any applicable law, treaty, statute, regulation, ordinance, order, directive, code, or other rule, or any administrative guidance or industry self-regulatory rules or guidelines regarding the same, whether of or by any legislative, administrative, judicial, or other Governmental Entity, that governs or relates to the confidentiality, security, privacy, or Processing of Personal Data or otherwise regulates marketing communication, data protection, or Security Incident management and/or notification including without limitation: the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”); the United Kingdom General Data Protection Regulation (“UK GDPR”); the Swiss Federal Act on Data Protection (“FADP”); the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”); the Australian Privacy Act of 1988; the Singapore Personal Data Protection Act (“PDPA”); the California Consumer Privacy Act of 2018, Cal. Civil Code Section 1798.100 et seq., as amended (“CCPA”); the Children’s Online Privacy Protection Act of 1998 (“COPPA”); the Family Educational Rights and Privacy Act (“FERPA”); and the Brazilian General Data Protection Law, Law n. 13.709 of 2018 (“LGPD”).

All references to specific Data Protection Laws in this DPA shall include any amendments, modifications, re-enactments, or successor legislation to such laws, and any regulations, guidance, codes of practice, or other instruments issued pursuant to such laws, as updated from time to time. The Processor shall remain compliant with all such amendments, updates, and successor legislation throughout the term of this DPA.
“Data Subject”
means as applicable:
  • an identified or identifiable person to whom Personal Data relates;
  • the meaning as set forth in Data Protection Laws; and
  • such similar terms as defined in any Data Protection Laws, including the term “Consumer” or “Individual”.
“Instructions”
means the directions, either in writing, in textual form (e.g. by e-mail) or by using a software or online tool, issued by Controller and directing Processor to Process Personal Data.
“Personal Data”
means any information relating to an identified or identifiable individual that is processed by the Processor on behalf of the Controller as a result of, or in connection with, the provision of the Services under the Agreement; an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
“Personal Data Breach”
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
“Process” or “Processing”
means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. Processing also includes transferring the Personal Data to third parties.
“Services”
shall have the meaning set forth in the Agreement entered into between Controller and Processor for the provision of services.
“Supervisory Authority”
means any independent public authority, regulatory body, or governmental agency responsible for overseeing and enforcing compliance with Data Protection Laws, including but not limited to those established by member states of the European Union, Iceland, Liechtenstein, Norway, the United Kingdom, Switzerland, Brazil, the United States (federal and state level), Canada (federal and provincial level), and any other jurisdiction where the Controller or Processor operates or where Personal Data is processed.
“Sub-Processor”
means a third party approved in accordance with Section 5 to Process Personal Data on behalf of the Processor.
“Standard Contractual Clauses (SCCs)”
means the ICO’s International Data Transfer Agreement for the transfer of Personal Data from the UK and/or the ICO’s International Data Transfer Addendum to EU Commission Standard Contractual Clauses and/or the European Commission’s Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914 and/or the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries, as set out in the Annex to Commission Decision 2010/87/EU.

Exhibit A

Details of Processing

Categories of Data Subjects Whose Personal Data is Transferred
  • Prospects, customers, business partners and/or vendors of data exporter (who are natural persons)
  • Employees or contact persons of the data exporter’s prospects, customers, business partners and/or vendors
  • Data exporter’s users authorized by data exporter to use the Services, including employees, administrators and other representatives of such users
  • Complainants or enquirers
Categories of Personal Data Transferred
  • First name
  • Last name
  • Contact information (e.g., email address, phone number, physical address, etc.)
  • Log-on/log-off information, including usernames and passwords
  • User records and related information (e.g., courses, programs, grades, etc.)
  • Title / position
  • Employer / institution
  • Connection data, including IP address
  • Localization data
  • Personal details (e.g., family, lifestyle, social circumstances, financial details, etc.)
Frequency of Transfer

Continuous (depending on when the data exporter and/or its users upload its or their respective data).

Nature of the Processing

To provide the Services to data exporter and its authorized users for use and access in accordance with the terms and subject to the conditions set forth in the Agreement.

Purpose(s) of the Data Transfer and Further Processing
  • Processing in accordance with the terms and subject to the conditions set forth in the Agreement
  • Processing initiated by data exporter’s users in the course of their use and access of the Services
  • Processing in compliance with other reasonable and lawful documented instructions provided by data exporter in accordance with the terms hereof, provided that such instructions do not conflict with applicable laws
Retention Period

During the term and any renewal term(s) of the Agreement, and for such additional period as required by applicable law or as necessary to fulfil the purposes described herein, after which personal data shall be deleted or returned in accordance with the Agreement.

Transfers to Sub-Processors

Sub-processors are used for data hosting, report formatting, incident reporting and other functions that are related or ancillary to or otherwise form a part of the purposes described above.

Exhibit B

Appropriate Technical & Organizational Measures

Security Standards & Certifications

D2L has implemented security and privacy policies, processes and procedures that align with the following industry-accepted standard-setting organizations: the International Organization for Standardization (ISO), the U.S. National Institute of Standards and Technology (NIST) and the Open Web Application Security Project (OWASP) Foundation. The security and privacy controls implemented have been certified through annual external third-party audits to ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC I Type 2 and SOC II Type 2.

Data Minimization & Encryption

D2L only collects and stores the minimum information required to deliver and maintain its services. All data stored for this purpose is encrypted using the latest Advanced Encryption Standard (AES) established by NIST. All data transmitted for this purpose is encrypted using the latest Transport Layer Security (TLS) configuration supported by Amazon Web Services (AWS).

Availability & Access Controls

D2L uses multiple AWS services to ensure the ongoing confidentiality, integrity and availability of the processing systems and services. Services are accessed and managed using the AWS management console. Access to this console is configured to follow the best-practice principles of least privilege and need-to-know. In particular, employee access to this console is controlled via two-factor authentication.

Disaster Recovery & Backups

D2L has a disaster recovery plan in place that is tested annually. D2L takes full monthly and incremental daily backups of all client data residing on the system.

Testing & Evaluation

The testing, assessment and evaluation of the effectiveness of D2L’s technical and organizational security and privacy measures are covered under the following:

  • Annual internal audits
  • Annual external audits
  • Annual external third-party penetration tests
  • Regular internal vulnerability scans

Physical Security

AWS data centers are secured by AWS, and access is restricted to AWS staff. For more information about the physical security of AWS data centers, please visit aws.amazon.com/compliance/data-center/data-centers/.

HECVAT Compliance

With respect to D2L’s higher education institutional clients that utilize the Higher Education Community Vendor Assessment Toolkit (HECVAT), D2L meets the requirements for HLAA-05 (e.g., events logging). Logging is enabled to track actions completed.

Data Lifecycle Management

Developers are trained on security and privacy fundamentals, including only storing data with a clear purpose and deletion of data after its useful life. The lifecycle of customer data is controlled by the customer using a data purge utility built into the Learning Management System. In addition, D2L has a data purge process that allows for erasure requests to be actioned appropriately according to required regional laws and standards.

For more information about D2L’s technical and organizational security measures, please visit www.d2l.com/security.