Privacy Notice

Last Updated: February 3, 2026 (view archived versions)

D2L Corporation and its family of companies

1. INTRODUCTION

1.1 About This Notice

D2L Corporation and its family of companies (“D2L”, “we”, “us”, or “our”) are committed to protecting your Personal Information and respecting your privacy rights. This Privacy Notice explains how we collect, use, disclose, and safeguard your Personal Information when you:

  • Visit our websites, including www.D2L.com and associated D2L websites
  • Use our Brightspace learning management system and related services
  • Use our Apps (for professionals and parents/tutors)
  • Interact with our products, services, and applications
  • Contact us or engage with our sales, professional services, support, and customer success teams
  • Attend our conferences or events
  • Apply for employment opportunities

1.2 Data Controller and Contact Information

  • Data Controller: D2L Corporation; Email: [email protected]; Address: 137 Glasgow Street, Suite 560, Kitchener, ON, Canada N2G 4X8
  • Data Protection Officer: Name: Taylor Burnie; Email: [email protected]; Address: As above
  • EU Representative (including UK and Switzerland): D2L Europe Ltd., c/o Taylor Wessing LLP, 5 New Street Square, London EC4A 3TW, United Kingdom; Attn: Data Protection Representative

1.3 Scope and Application

This Privacy Notice applies to:

  • Enterprise Users: Individuals who access Brightspace or other D2L services through an agreement between D2L and their organization (educational institution, employer, or other entity). In this case, that organization acts as the “Controller” and D2L acts as a “Processor”, meaning D2L solely undertakes the Processing of Personal Information under the instructions of the Controller and for the Controller’s purposes.
  • Consumer Users: Individuals who access Brightspace or other D2L products and services through an agreement directly with D2L.
  • Data Subjects: Natural persons whose Personal Information is processed by D2L through its platforms and tools. This includes situations where D2L acts as a Processor on behalf of a Controller (usually educational institutions) using our Brightspace Platform, with the Data Subjects being students or their parents/guardians (in the case of minors). Where a sole trader registers with D2L Services to deliver teaching services to others, that natural person will be both a Data Subject and a Controller: as a sole trader, all data relating to their business is Personal Information, and as the party providing instructions to D2L regarding Processing Activities, they are the Controller.
  • Website Visitors: Natural Persons who visit D2L websites without creating an account.
Important Note for Enterprise Users: If you access our services through an Organization, it is the Organization that acts as the data controller for the Personal Information it collects and processes through our services. This Privacy Notice governs D2L’s Processing of your Personal Information under the instructions of the Controller. For information about what specifically those Personal Information Processing Activities consist of, please contact your Organization directly.

2. LEGAL BASIS FOR PROCESSING

We process your Personal Information only when we have a valid and documented Legal Basis under applicable Personal Information Protection Legislation, and that depends on the Purpose and Scope of the Processing Activities – that is, the reasons and methods for which we carry out such processing as outlined below:

2.1 Contractual Necessity

Processing is necessary to perform our contract with a Controller (you or your organization), including, but not limited to:

  • Creating and managing user accounts
  • Providing access to the Brightspace Platform and related services
  • Delivering professional services, support, and customer success services
  • Processing payments and managing subscriptions
  • Communicating about service delivery and account management

2.2 Legitimate Interests

Processing is necessary for our Legitimate Interests or those of a third party, provided your rights do not override these interests:

  • Improving and optimizing our products and services
  • Conducting analytics to understand service usage and performance
  • Preventing fraud, security threats, and unauthorized access
  • Marketing our services to existing customers
  • Managing business operations and corporate transactions
  • Protecting our legal rights and interests

Before relying on Legitimate Interests, we conduct balancing assessments to ensure your rights are protected.

2.3 Legal Obligations

Processing is necessary to comply with Legal Obligations, including but not limited to:

  • Responding to lawful requests from authorities
  • Complying with tax, accounting, and regulatory requirements
  • Meeting data protection and security obligations
  • Fulfilling obligations under the US Family Educational Rights and Privacy Act (FERPA) where applicable

2.4 Consent

Where required by law or chosen by us, we Process Personal Information based on your explicit consent, such as:

  • Marketing communications to prospects and non-customers
  • Non-essential cookies and tracking technologies
  • Processing of special categories of Personal Information (where applicable)
  • International transfers where no other safeguard is available

Your right to withdraw consent: You may withdraw your consent at any time by contacting us at [email protected].  Withdrawal does not affect the lawfulness of Processing before withdrawal.

2.5 Special Categories of Personal Information

We do not intentionally collect special categories of Personal Information (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation) through D2L services and tools.

The Controller may, however, collect such data and submit it for processing through Brightspace (e.g., health information for accessibility accommodations); the Controller must therefore ensure it has an appropriate Legal Basis under applicable Personal Information Protection Legislation (e.g. GDPR Article 9(2)) to undertake such processing, including informing the Data Subjects.

3. PERSONAL INFORMATION WE COLLECT

We collect and process the following categories of Personal Information:

3.1 Identity and Contact Data

  • What we collect: Full name, username, email address, telephone number, postal address, job title, employer/organization name
  • Source: From the Controller or directly from you during registration, account creation, or communications
  • Purpose: Account management, service delivery, communication, support
  • Legal Basis: Contractual Necessity, Legitimate Interests

3.2 Account and Authentication Data

  • What we collect: Login credentials, user ID, passwords (encrypted), security questions and answers, authentication tokens
  • Source: From the Controller or directly from you during registration or generated by our systems
  • Purpose: Account access, security, authentication
  • Legal Basis: Contractual Necessity

3.3 Financial and Transaction Data

  • What we collect: Credit card information (last 4 digits only), billing address, payment history, purchase records, subscription details
  • Source: From the Controller or directly from you during purchase or processed by third-party payment Processors
  • Purpose: Processing payments, billing, financial record-keeping
  • Legal Basis: Contractual Necessity, Legal Obligations

3.4 Technical and Usage Data

  • What we collect:
    • Device information (device type, operating system, browser type and version)
    • IP address and location data
    • Log files and access records
    • Cookies and similar tracking identifiers
    • Page views, clicks, navigation paths, and feature usage
    • Session duration and timestamps
    • Referral sources and exit pages
  • Source: Automatically collected through our services and websites
  • Purpose: Service provision, security, analytics, improvement of services, troubleshooting
  • Legal Basis: Legitimate Interests, Contractual Necessity, Consent (for non-essential cookies)

3.5 Content and Communication Data

  • What we collect:
    • Course content, assignments, submissions, and grades (for enterprise users through organizations)
    • Messages, comments, forum posts, and chat communications
    • Support tickets and correspondence
    • Webinar registrations and attendance
    • Survey responses and feedback
  • Source: Created by you through use of services or communications with us
  • Purpose: Service delivery, support, improvement of services
  • Legal Basis: Contractual Necessity, Legitimate Interests, Consent (where applicable)

3.6 Professional and Demographic Data

  • What we collect: Industry, organization type and size, role/position, professional interests, age range, location (country/region), language preferences
  • Source: Provided by you during registration or voluntarily
  • Purpose: Service customization, analytics, marketing (with appropriate Legal Basis)
  • Legal Basis: Contractual Necessity, Legitimate Interests, Consent (for marketing)

3.7 Marketing and Preference Data

  • What we collect: Marketing preferences, communication preferences, event attendance, webinar participation, content downloads, newsletter subscriptions
  • Source: Provided by you or derived from your interactions
  • Purpose: Marketing communications, event management, preference management
  • Legal Basis: Consent, Legitimate Interests (for existing customers)

3.8 Education Records (Enterprise Users Only)

  • What we collect: Student education records as defined under FERPA (for US-based educational institutions)
  • Source: Collected by your organization through Brightspace
  • Purpose: Providing educational services as directed by your organization
  • Legal Basis: Contractual Necessity (with your organization)
  • Note: D2L acts as a “school official” under FERPA and processes this data solely on behalf of educational institutions

3.9 Recruitment Data (Job Applicants)

  • What we collect: CV/resume, cover letter, application forms, references, interview notes
  • Source: Provided by you through our careers portal
  • Purpose: Recruitment and hiring processes
  • Legal Basis: Contractual Necessity (pre-contract), Legitimate Interests

3.10 Data We Do NOT Collect

We do not knowingly collect directly:

  • Personal Information from children under 13 years of age through consumer offerings or public websites (without verifiable parental Consent)
  • Government-issued identification numbers (e.g., social security numbers, passport numbers) unless legally required for employment purposes
  • Precise geolocation data beyond IP-based location
  • Special Categories of Personal Information through D2L websites or consumer offerings (as Controller)

NOTE: We undertake the Processing of Personal Information pertaining to children where those are students of our Controllers under the instructions of those Controllers.

4. HOW WE USE YOUR PERSONAL INFORMATION

4.1 Service Delivery and Performance

For Enterprise Users:

  • Providing access to Brightspace learning management system
  • Enabling course creation, content management, and learning activities
  • Facilitating communication and collaboration features
  • Supporting assessments, grading, and progress tracking
  • Providing analytics and reporting to your organization
  • Delivering professional services, training, and implementation support
  • Providing technical support and troubleshooting

For Consumer Users:

  • Creating and managing your account
  • Providing access to subscribed services
  • Processing your transactions and managing billing
  • Delivering customer support
  • Sending service-related communications (account notifications, security alerts, system updates)

4.2 Service Improvement and Development

  • Analysing usage patterns and service performance
  • Conducting research to improve our products and services
  • Developing new features and functionalities
  • Testing and quality assurance
  • Troubleshooting technical issues

4.3 Communication and Marketing

  • Sending newsletters and promotional communications (with Consent or Legitimate Interest)
  • Informing you about new features, products, and services
  • Conducting surveys and requesting feedback
  • Managing event registrations (webinars, conferences, training sessions)
  • Providing relevant content and resources

You can exercise your Right to Object to the Processing of your Personal Information for marketing communications purposes at any time using the unsubscribe link in emails or by contacting [email protected].

4.4 Security and Fraud Prevention

  • Protecting against unauthorized access and security threats
  • Detecting and preventing fraud and abuse
  • Investigating security incidents
  • Enforcing our terms of service and policies
  • Maintaining system integrity and availability

4.5 Legal Compliance and Protection

  • Complying with legal obligations and regulatory requirements
  • Responding to lawful requests from authorities
  • Establishing, exercising, or defending legal claims
  • Protecting our rights, property, and safety
  • Meeting audit and compliance requirements

4.6 Business Operations

  • Managing corporate transactions (mergers, acquisitions, asset sales)
  • Maintaining business records
  • Conducting financial management and reporting
  • Managing vendor and partner relationships

5. DISCLOSURE AND SHARING OF PERSONAL INFORMATION

5.1 When We Share Your Personal Information

We may disclose your Personal Information to the following categories of recipients:

5.1.1 Internal Service Providers and Processors

We engage third-party service providers to perform functions on our behalf. These Processors only access and process your Personal Information according to our instructions:

  • Cloud hosting and infrastructure providers: Amazon Web Services (AWS), Microsoft Azure (data centres in Canada, the European Union, United States, India, Ireland, Australia, Singapore)
  • Payment Processors: payment service providers
  • Customer support platforms: Salesforce, customer relationship management (CRM) systems
  • Email and communication services: email platforms, communication platforms
  • Analytics providers: Google Analytics, product analytics platforms
  • Security and monitoring services: Security incident and event management (SIEM) tools
  • Professional services providers: Implementation consultants, training providers

All Processors are bound by data Processing agreements that ensure compliance with applicable Personal Information Protection Legislation, including appropriate technical and organizational measures.

5.1.2 Your Organization (Enterprise Users)

If you are an Enterprise User, we share data with your organization as necessary to provide services and support. Your organization determines what data is collected and how it is used within Brightspace.

5.1.3 With Our Sub-Processors (Enterprise Users)

If you are an Enterprise User, we use certain Sub-Processors while providing services to your organization. All Sub-Processors are bound by data processing agreements that ensure compliance with all applicable Personal Information Protection Legislation, including appropriate technical and organizational measures. A full list of our Sub-Processors is available here.

5.1.4 Other Users (With Your Permission)

When you use collaboration features (forums, chat, shared content), you must realize that you choose to share information with other users and, once shared, those other users may further share this information at their discretion.

5.1.5 Legal and Regulatory Authorities

We may disclose Personal Information when required by law or when we have a good faith belief that disclosure is necessary to:

  • Comply with Legal Obligations, court orders, or lawful government requests
  • Enforce our terms of service or policies
  • Protect the rights, property, or safety of D2L, our users, or the public
  • Detect, prevent, or address fraud, security, or technical issues

5.1.6 Corporate Transactions

In the event of a merger, acquisition, reorganization, or sale of assets, your Personal Information may be transferred to the successor entity. You will be notified via email and/or prominent notice on our website of any such change, and you will be informed of choices you may have regarding your Personal Information.

5.2 When We Do NOT Share Your Personal Information

We do not:

  • Sell your Personal Information to third parties under any circumstances.
  • Share your Personal Information for third-party marketing purposes without your explicit Consent.
  • Transfer Personal Information to third parties unless appropriate safeguards are in place (see Section 6)

6. INTERNATIONAL DATA TRANSFERS

6.1 Overview of Transfers

D2L is headquartered in Canada, with offices and service providers located globally, including in the United States, Ireland, Australia, Singapore, Brazil, and India. When we process your Personal Information, it may be transferred to, stored in, and accessed from countries outside the European Economic Area (EEA), United Kingdom, and Switzerland, or outside other countries where the Data Subjects whose Personal Information we Process reside and which may have Personal Information Protection laws with some “localization” requirements.

Not all countries outside the EEA provide the same level of data protection as EEA countries. When we transfer your Personal Information internationally, we implement appropriate safeguards to protect your data.

6.2 Safeguards for International Transfers

6.2.1 Adequacy Decisions

We transfer data to countries that the European Commission has determined provide adequate protection:

  • Canada: D2L’s headquarters and primary data processing location (European Commission adequacy decision for commercial organizations under PIPEDA)

6.2.2 Standard Contractual Clauses (SCCs)

For transfers to service providers and affiliates in countries without adequacy decisions, we use the European Commission’s Standard Contractual Clauses (SCCs). These are legally binding commitments between D2L and the data recipient to protect your Personal Information.

You may request a copy of the SCCs we use by contacting [email protected].

6.2.3 Transfers to the United States

D2L complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  D2L has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Information received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  D2L has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

D2L is accountable for the processing of Personal Information it receives, and we are subject to the investigatory and enforcement powers of the Federal Trade Commission. To the extent allowed by law, D2L may be required to disclose Personal Information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. Any such disclosure will be the minimum required by law.  

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, D2L commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of Personal Information received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact D2L at [email protected] or write to us at:

D2L Corporation

Attn: DPO

137 Glasgow St Suite 560

Kitchener, ON N2G 4X8

cc: Legal Department

We will respond within 45 days of receiving the inquiry or complaint. If you have unresolved privacy or data concerns, please contact our third-party alternative dispute resolution provider located in the United States (free of cost) at https://www.jamsadr.com/DPF-Dispute-Resolution. For any complaints that are unable to be resolved by us or our third-party alternative dispute resolution provider, D2L commits to binding arbitration at your request. If any personal information is transferred to a third party acting as an agent on D2L’s behalf, D2L shall remain liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless it is shown that D2L is not responsible for the event giving rise to the damage.

6.3 Your Rights Regarding International Transfers

You have the right to:

  • Obtain information about the safeguards we use for international transfers
  • Object to specific transfers if you believe adequate safeguards are not in place
  • Request copies of relevant safeguard documents (with confidential information redacted)

To exercise these rights, contact [email protected].

7. DATA RETENTION

7.1 General Retention Principles

We retain your Personal Information only for as long as necessary to fulfil the purposes for which it was collected, comply with Legal Obligations, resolve disputes, and enforce our agreements.

7.2 Enterprise User Data Retention

For enterprise users, retention is governed by:

  • The agreement between D2L and your organization
  • Your organization’s retention policies and instructions
  • Applicable legal requirements (e.g. FERPA for educational institutions)

Your organization controls when and how data is deleted. To request deletion of your data, contact your organization.

7.3 Deletion Methods

At the end of the retention period, we:

  • Delete: Permanently remove data from our active systems
  • Anonymize: Remove identifying elements so data can no longer be attributed to you
  • Archive: Move data to secure, segregated storage (only when required by law)

Data in backup systems is deleted according to our backup rotation schedule (maximum 90 days).

7.4 Exceptions

We may retain Personal Information beyond the standard retention period when:

  • Required by law or regulation
  • Necessary for legal claims or disputes
  • Required for audit or compliance purposes
  • You have requested extended retention (e.g., for reference purposes)

8. YOUR RIGHTS UNDER PERSONAL INFORMATION PROTECTION LEGISLATION, PRIMARILY THE GDPR

As a data subject in the EEA, United Kingdom, or Switzerland, you have the following rights under the GDPR. These rights are subject to certain conditions and limitations under Personal Data Protection Legislation.

Data subjects in other countries may have similar rights under their applicable Personal Information Protection laws. D2L will process all valid and legal data subject rights requests in accordance with applicable law, subject to any applicable exemptions or exceptions provided by law. D2L will respond to such requests within the timeframes required by applicable law.

Note for Enterprise Users: If you access services through an organization, your organization is the Controller of your Personal Information. The details provided below may not apply to your situation.  Submit requests to your organization.

8.1 Right of Access

You have the right to obtain confirmation of whether we process your Personal Information and, if so, to access that data and receive information about:

  • The categories of Personal Information Processed
  • The purposes of processing
  • The recipients or categories of recipients
  • The retention period or criteria for determining it
  • Your other GDPR rights
  • The source of the data (if not collected from you)
  • The existence of automated decision-making, including profiling

How to Exercise: Submit a request to [email protected]

Response time: We will respond within one month. In complex cases, we may extend this by two additional months with explanation.

Format: We will provide a copy of your Personal Information in a commonly used electronic format, free of charge. Additional copies may incur reasonable administrative fees.

8.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete Personal Information.

How to exercise:

  • For account information: Log into your account and update your profile
  • For other data: Contact [email protected] with details of the corrections needed

Response time: We will correct or update data within one month and notify any third parties to whom we disclosed the data (unless this is impossible or involves disproportionate effort).

8.3 Right to Erasure / “Right to be Forgotten”

You have the right to request deletion of your Personal Information in the following circumstances:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent (where processing was based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • The data was processed unlawfully
  • Deletion is required to comply with a Legal Obligation
  • The data was collected from a child in relation to information society services

Limitations: We may refuse deletion if processing is necessary for:

  • Exercising the right of freedom of expression and information
  • Compliance with Legal Obligations
  • Public interest in public health
  • Archiving purposes in the public interest, scientific or historical research, or statistical purposes
  • Establishment, exercise, or defence of legal claims

How to exercise: Submit a request to [email protected]

8.4 Right to Restriction of Processing

You have the right to request that we restrict Processing of your Personal Information in the following circumstances:

  • You contest the accuracy of the data (restriction during verification period)
  • Processing is unlawful but you oppose deletion and request restriction instead
  • We no longer need the data, but you need it for legal claims
  • You have objected to processing (restriction pending verification of overriding legitimate grounds)

Effect of restriction: We will store the data but not further process it (except with your consent, for legal claims, to protect another person’s rights, or for important public interests).

How to exercise: Submit a request to [email protected]

8.5 Right to Data Portability

You have the right to receive your Personal Information in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

Data covered: Personal Information you provided to us (does not include derived or inferred data).

How to exercise: Submit a request to [email protected] specifying the data you want to receive and the format (if any preference).

Response time: Within one month

Format options: JSON, CSV, XML, or other commonly used formats

8.6 Right to Object

8.6.1 Object to Processing Based on Legitimate Interests

You have the right to object at any time to processing based on Legitimate Interests (including profiling).

Effect: We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.

8.6.2 Object to Direct Marketing

You have an absolute right to object to processing for direct marketing purposes, including profiling related to direct marketing.

Effect: We will immediately stop processing your data for marketing purposes.

How to exercise:

  • Click “unsubscribe” in marketing emails
  • Contact [email protected]
  • Update your preferences in your account settings

8.6.3 Object to Processing for Research or Statistical Purposes

You have the right to object to processing for scientific or historical research or statistical purposes, unless the processing is necessary for a public interest task.

How to exercise: Submit a request to [email protected]

8.7 Right Not to Be Subject to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you.

D2L’s practices: We do not engage in automated decision-making that produces legal effects or significantly affects Natural Persons, except:

  • With your explicit consent
  • When necessary for contract performance
  • When authorized by law with suitable safeguards

If we implement such automated decision-making in the future, we will:

  • Inform you of the logic involved
  • Explain the significance and consequences
  • Provide information about your right to human intervention
  • Allow you to contest the decision

8.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time.

Effect: Withdrawal does not affect the lawfulness of processing before withdrawal.

How to exercise:

  • For marketing: Use unsubscribe links or contact [email protected]
  • For cookies: Adjust cookie settings in our Cookie Preference Centre
  • For other consent: Contact [email protected]

8.9 Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority in:

  • Your country of habitual residence
  • Your place of work
  • The place of the alleged infringement

How to exercise:

EU users: Contact your local data protection authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

UK users: Information Commissioner’s Office (ICO) – https://ico.org.uk

Canadian users: The Office of the Privacy Commissioner of Canada oversees PIPEDA compliance, and provincial privacy commissioners oversee compliance with substantially similar provincial laws.

We encourage you to contact us first at [email protected] so we can attempt to resolve your concerns directly.

8.10 How to Exercise Your Rights

Verification: To protect your privacy, we will verify your identity before responding to rights requests. We may request additional information to confirm your identity.

No fee: Exercising your rights is generally free of charge. However, we may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.

Response timeframe: We will respond to requests within one month. In complex cases, we may extend this by two additional months, and we will inform you of the extension and reasons within the first month.

Enterprise Users: If your organization is the data controller, submit requests to your organization. We will cooperate with your organization to facilitate your rights.

Contact:

  • Email: [email protected]
  • Mail: D2L Corporation, Attn: Privacy Department, 137 Glasgow St Suite 560, Kitchener, ON N2G 4X8, Canada

9. DATA SECURITY

9.1 Our Commitment to Security

We implement appropriate technical and organizational measures to protect your Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

9.2 Security Measures

Our security program includes:

9.2.1 Technical Measures

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls: Role-based access control (RBAC), multi-factor authentication (MFA)
  • Network security: Firewalls, intrusion detection and prevention systems (IDS/IPS)
  • Vulnerability management: Regular security scanning, penetration testing
  • Secure development: Security by design, secure coding practices
  • Data segregation: Logical separation of customer data

9.2.2 Organizational Measures

  • Security policies and procedures: Comprehensive information security policies
  • Employee training: Regular security awareness training for all employees
  • Background checks: Screening of employees with access to Personal Information
  • Confidentiality agreements: All personnel bound by confidentiality obligations
  • Incident response plan: Procedures for detecting, responding to, and recovering from security incidents
  • Third-party management: Due diligence and contractual security requirements for service providers
  • Business continuity and disaster recovery: Backup systems and recovery procedures

9.3 Security Certifications and Compliance

We maintain industry-recognized security certifications and comply with security standards. For current information on our security certifications, please visit: https://www.d2l.com/security/compliance/

9.4 Data Breach Notification

In the event of a Personal Information breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority:

  • Within 72 hours of becoming aware of the breach (where feasible)
  • Provide details of the breach, its likely consequences, and measures taken

Notify affected Natural Persons:

  • Without undue delay if the breach is likely to result in a high risk to rights and freedoms
  • Provide clear and plain language information about the breach and recommended actions

Enterprise Users: If your organization is the data controller, we will notify your organization, who will determine whether to notify you directly.

9.5 Your Security Responsibilities

You are responsible for:

  • Keeping your passwords and authentication credentials secure and confidential
  • Not sharing your account with others
  • Logging out after using shared or public devices
  • Notifying us immediately if you suspect unauthorized access to your account
  • Using secure internet connections when accessing our services

9.6 Limitations

Despite our security measures, no system is completely secure. We cannot guarantee absolute security of data transmitted over the internet or stored on our systems. You provide Personal Information at your own risk.

10. CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you rights in relation to your Personal Information. Please visit our California Privacy Notice for more information on the CCPA and on how to exercise these rights.

DEFINITIONS AND INTERPRETATION

Personal Information: Any information relating to an identified or identifiable natural person (data subject). An identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as name, identification number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.

Processing: Any operation performed on Personal Information, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, erasure, or destruction.

Personal Information Protection Legislation: Depending on your location, applicable privacy laws may include Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws, the United States’ Children’s Online Privacy Protection Act, as well as state laws like California Consumer Privacy Act, the European Union’s General Data Protection Regulation (GDPR), the United Kingdom’s UK General Data Protection Regulation and Data Protection Act 2018, Australia’s Privacy Act 1988, Brazil’s Lei Geral de Proteção de Dados, and Singapore’s Personal Data Protection Act.

Data Controller: The entity that determines the purposes and means of Processing Personal Data.

Data Processor: An entity that Processes Personal Data on behalf of a Data Controller.

Data Subject: An identified or identifiable natural person whose Personal Information is Processed.

Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to Processing of their Personal Information.

Special Categories of Personal Information: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation.

FERPA: US Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g, et seq.

Supervisory Authority: In the EU, an independent public authority established by an EU Member State to monitor application of GDPR. For other regions, your local authority responsible for monitoring or enforcement of Personal Information Protection Legislation in your jurisdiction.

Third Party: Any person or entity other than the data subject, controller, Processor, and persons authorized to Process data under direct authority of the controller or Processor.