This Data Processing Addendum with its appendices (together, this “DPA”) is incorporated into the Flourish Terms and Conditions (or other mutually executed written agreement) between the entity identified as the Customer (“Customer”) and Canva UK Operations Limited (“Flourish”) governing Customer’s access to and use of the Service (the “Agreement”).

In the course of providing the Service to Customer pursuant to the Agreement, Flourish may process Customer Personal Data (as defined below) on behalf of Customer. This DPA reflects the parties’ agreement with respect to the Processing of Customer Personal Data that is subject to Applicable Privacy Laws (as defined below). This DPA applies where and to the extent that Flourish is acting as a Processor or Service Provider (as applicable) of Customer Personal Data on behalf of Customer under the Agreement. This DPA is effective as of the effective date of the Agreement.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict.

1. Definitions and interpretation

In this Addendum, the following terms shall have the following meanings:

(a) “Applicable Privacy Laws” means all worldwide data protection and privacy laws and regulations directly applicable to the Processing of Customer Personal Data under the Agreement, including European Privacy Laws; the California Consumer Privacy Act of 2018 and its regulations (the “CCPA”); and the Australian Privacy Act 1988 (Cth); in each case as amended, superseded or replaced from time to time.
(b) “Customer Personal Data” means Personal Data that has been provided by or for the Customer to the Service or collected and Processed by or for the Customer through the Service.
(c) “Data Subject” means an identified or identifiable individual whose Personal Data is processed.
(d) “European Privacy Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (the “Swiss DPA”); (iv) EU Directive 2002/58/EC on Privacy and Electronic Communications; and (v) any national law made under or pursuant to items (i) – (iv); in each case as amended, superseded or replaced from time to time.
(e) “Personal Data” means any information relating to an identified or identifiable individual or any other information defined as ‘personal data’ or ‘personal information’ under Applicable Privacy Laws.
(f) “Restricted Transfer” means (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to any other country which is not based on adequacy regulations made under Section 17A of the UK Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
(g) “SCCs” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to the GDPR and annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj and as may be amended, superseded or replaced from time to time.
(h) “Security Incident” means a breach of Flourish’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
(i) “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0) issued by the Information Commissioner’s Office under s.119A of the UK Data Protection Act 2018, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf and as may be amended, superseded or replaced from time to time.
(j) The terms “Controller”, “Processor”, “Data Subject” and “Processing” have the meanings given to them in Applicable Privacy Laws or, if not defined therein, the GDPR (and “process”, “processes” and “processed” shall be interpreted accordingly) and the terms “Business” and “Service Provider” have the meanings given to them in the CCPA.

Any capitalised terms used but not defined in this DPA shall have the meanings given to them under the Agreement.

2. Processing of Personal Data

2.1. Description of the Processing

The type of Customer Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the Processing, and the categories of data subjects, are described in Annex 1.B.

2.2. Relationship of the parties

Customer is a Controller or Business (as applicable) of the Customer Personal Data and Flourish shall process the Customer Personal Data solely as a Processor or Service Provider (as applicable) on behalf of Customer. Where the concepts of Controller and Processor are not expressly contemplated by Applicable Privacy Laws, the parties’ obligations in connection with this DPA shall be interpreted under those Applicable Privacy Laws to align as closely as possible with the scope of those roles while still complying fully with those Applicable Privacy Laws.

2.3. Purpose limitation

Flourish will process Customer Personal Data in accordance with the requirements of Applicable Privacy Laws binding on it in the performance of this DPA. Flourish shall Process the Customer Personal Data as necessary to perform its obligations under the Agreement and strictly in accordance with the documented instructions of Customer (as set out in the Agreement, including this DPA, the Order(s) and the Customer’s configuration of any settings, or as otherwise agreed in writing between the parties) (the “Permitted Purpose”). Flourish shall not: (i) retain, use, disclose or otherwise process the Customer Personal Data for any purpose other than the Permitted Purpose (including for its own commercial purpose), except where otherwise required by any law applicable to Flourish; or (ii) “sell” the Customer Personal Data within the meaning of the CCPA or otherwise. Flourish shall immediately inform Customer if it becomes aware that Customer’s Processing instructions infringe Applicable Privacy Laws, but without obligation to actively monitor Customer’s compliance with Applicable Privacy Laws. The parties acknowledge that Customer’s transfer of Customer Personal Data to Flourish is not a “sale” of Personal Data within the meaning of Applicable Privacy Laws and that Flourish provides no monetary or other valuable consideration to Customer in exchange for the Customer Personal Data.

2.4. Customer’s responsibilities

Customer shall, in its use of the Service, Process Customer Personal Data in accordance with the requirements of Applicable Privacy Laws. Customer’s instructions for the Processing of Personal Data shall comply with Applicable Privacy Laws, including any applicable requirements to provide notice to Data Subjects of the use of Flourish as Data Processor. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Customer shall ensure that the Customer is entitled to transfer the relevant Customer Personal Data to Flourish so that Flourish and its Sub-processors may lawfully use, process and transfer the Customer Personal Data in accordance with this DPA and the Agreement on Customer’s and its Affiliates’ behalf.

2.5. Confidentiality of Processing

Flourish shall ensure that any person that it authorises to process the Personal Data (including Flourish’s staff, agents and subcontractors) (an “Authorised Person”) shall be subject to a duty of confidentiality (whether a contractual duty or a statutory duty).

2.6. Security

Flourish shall implement appropriate technical and organisational measures designed to protect the Customer Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data. Such measures shall include the measures identified at Annex 2 (the “Security Measures”). Customer acknowledges that Flourish may update or modify the Security Measures from time to time, provided that doing so will not materially reduce the overall protections provided herein.

2.7. Subprocessing

2.7.a. Appointment of Subprocessors

Customer generally authorises Flourish to engage third party Processors (“Subprocessors”) in accordance with the terms of this Section 2.7 and approves Flourish’s use of the Subprocessors listed in the Subprocessor List to process the Customer Personal Data for the Permitted Purpose provided that (i) Flourish has entered into a written agreement with each Subprocessor containing substantially the same standard of protection of Personal Data provided under this DPA, to the extent applicable to the nature of the Service provided by such Subprocessor, and (ii) Flourish remains liable for any breach of this DPA that is caused by the acts or omissions of its Subprocessors to the same extent Flourish would be liable if it had caused the breach itself.

2.7.b. Identification of Subprocessors

Flourish will maintain an up-to-date list of Subprocessors here (the “Subprocessor List”). Flourish shall update the Subprocessor List with any new or replacement Subprocessor to be appointed at least fourteen (14) days prior to the date on which that new or replacement Subprocessor commences Processing Customer Personal Data. The Subprocessor List contains a mechanism for Customer to subscribe to notifications of new and replacement Subprocessors. The Customer may sign up to receive email notification of such changes to the Subprocessor List (a “Change Notice”).

2.7.c. Objections to Subprocessors

If Customer objects to any change regarding a Subprocessor within fourteen (14) days of a Change Notice by sending an email to support@flourish.studio, Flourish will use reasonable efforts to make available to Customer a change in the Service, or recommend a commercially reasonable change to Customer’s configuration or use of the Service, to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. If Flourish is unable to make available such a change within a reasonable period of time, which shall not exceed fourteen (14) days, Flourish will have the right to terminate the applicable Order Form(s) with respect to those Services which cannot be provided by Flourish without the use of the objected-to Subprocessor by providing written notice to Customer, and Flourish will refund to Customer any prepaid fees covering the remainder of the term of the Order Form(s) following the effective date of termination with respect to such terminated Services.

2.8. International transfers

Flourish will not transfer the Customer Personal Data (or permit the Customer Personal Data to be transferred) to a country other than the UK, unless it takes such measures as are necessary to ensure that the transfer is made in compliance with Applicable Privacy Laws. Such measures may include (without limitation) transferring the Customer Personal Data to a recipient that has executed Module 3 (processor-to-processor transfers) of the SCCs and UK Addendum with Flourish.

2.9. Cooperation and Data Subjects’ rights

Flourish shall, to the extent legally permitted, and taking into account the nature of the Processing, assist Customer by appropriate technical and organisational measures, insofar as this is reasonably possible, for the fulfilment of Customer’s obligation to respond to: (i) any request from a Data Subject to exercise any of their rights under Applicable Privacy Laws (including rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with Flourish’s Processing of the Customer Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Flourish, Flourish shall promptly inform Customer, providing full details of the same.

2.10. Data Protection Impact Assessment

Taking into account the nature of the Processing and the information available to Flourish, Flourish shall, to the extent legally required to do so, provide Customer with such reasonable cooperation and assistance as Customer may require in order to comply with its obligation under Applicable Privacy Laws to conduct data protection impact assessments and, if necessary, to consult with its relevant data protection authority in relation to the Customer’s use of the Service, to the extent Customer does not otherwise have access to that information.

2.11. Security Incidents

Upon becoming aware of a Security Incident, Flourish shall inform Customer without undue delay. Such notice will, as required under Applicable Privacy Laws and taking into account the nature of the Processing, provide the details of the Security Incident to the extent such information is reasonably available to Flourish. Flourish shall further take all such measures and actions as are reasonably necessary to remedy or mitigate the effects of the Security Incident and keep Customer informed of all material developments in connection with the Security Incident. Customer will not communicate or publish any notice or admission of liability concerning any Security Incident which directly or indirectly identifies Flourish (including in any legal proceeding or in any notification to regulatory authorities or affected Data Subjects) without Flourish’s prior approval, unless Customer is compelled to do so under applicable law. In any event, Customer shall provide Flourish with reasonable prior written notice of any such communication or publication.

2.12. Deletion or return of Data

Upon termination or expiry of the Agreement, Flourish shall (at Customer’s election) destroy or return to Customer all Customer Personal Data (including all copies of the Customer Personal Data) in its possession or control. This requirement shall not apply to the extent that Flourish is required by any law to retain some or all of the Customer Personal Data, in which event Flourish shall isolate and protect the retained Customer Personal Data from any further Processing, except to the extent required by such law, until deletion is possible.

2.13. Audit

Customer acknowledges that Flourish is regularly audited against ISO 27001 standards, or other alternative standards that are substantially equivalent, by independent third party auditors. No more than once a year during the Term of the Agreement, upon written request, Flourish shall supply a summary copy of its audit report(s) to Customer, which reports shall be subject to the confidentiality provisions of the Agreement. Flourish shall also respond to any written audit questions submitted to it by Customer, provided that Customer shall not exercise this right more than once per year. Customer agrees that Customer shall exercise its rights under Clause 8.9 of the SCCs by instructing Flourish to comply with the audit measures described in this Section 2.13.

2.14. Liability

Customer acknowledges and agrees that any liability arising under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

2.15. Duration

The terms of this DPA will remain in force upon expiration or termination of the Agreement.

ANNEXES

ANNEX 1.A. LIST OF PARTIES

Data controller(s):

Name: As provided in the Agreement
Address: As provided in the Agreement
Contact person’s name, position and contact details: As provided in the Agreement
Activities relevant to the data transferred under these Clauses: The data exporter is a customer of the data importer and uses the data importer’s Service on flourish.com to create charts, maps, infographics, interactive stories, visualisations and other visual content.

Data processor:

Name: Canva UK Operations Limited
Address: 33-35 Hoxton Square, London, United Kingdom, N1 6NN
Contact person’s name, position and contact details: As provided in the Agreement
Representative contact details: (EEA) European Data Protection Office (EDPO), Regus Block 1, Blanchardstown Corporate Park, Ballycoolen Road, Blanchardstown, Dublin, D15 AKK1, Ireland;
Activities relevant to the data transferred under these Clauses: The data importer operates a data visualisation platform used to create charts, maps, infographics, interactive stories, visualisations and other visual content.

ANNEX 1.B. DESCRIPTION OF PROCESSING

Categories of data subjects: The Customer may submit Personal Data to the Service to the extent determined and controlled by the Customer, which shall be limited to Personal Data relating to the following categories of Data Subjects:
(i) Business Users of the Service pursuant to the Agreement between Flourish and Customer, which may include Customer’s employees, contractors or agents; and
(ii) Third party individuals whose information is included in charts, maps, infographics, interactive stories, visualisations and other visual content (“Projects”) created in the Service by Customer or Business Users.
Categories of personal data: The Customer may submit Personal Data to the Service to the extent determined and controlled by the Customer, which shall be limited to:
  • Access credentials of Business Users;
  • Contact details of Business Users (e.g. name, email address, phone number); and
  • any other personal data that Customer or Business Users include in Projects created in the Service.
Sensitive data transferred (if applicable) and applied restrictions or safeguards: Any sensitive data included by Customer or Business Users in Projects created in the Service, the extent of which is determined and controlled by Customer in its sole discretion. See Annex 2 for applied restrictions and safeguards.
Frequency of the transfer: Continuous for the duration of the Agreement, depending on the use of the Service by the Customer.
Nature of the processing: Flourish will Process Personal Data in the course of providing the Service pursuant to the terms of the Agreement.
Purpose(s) of the data transfer and further processing: Provision of the Service pursuant to the Agreement.
Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The personal data will be retained until termination or expiry of the Agreement, after which it is deleted or returned in accordance with Section 2.12 of this DPA.

ANNEX 1.C. COMPETENT SUPERVISORY AUTHORITY

The supervisory authority of the EEA Member State in which Customer is established or, if Customer is not established in the EEA, the EEA Member State in which Customer’s representative is established or in which Customer’s End Users are predominantly located.

ANNEX 2 - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

This describes the minimum security standards that Flourish applies to Customer Personal Data received under the Service.

1. Measures of pseudonymisation and encryption of personal data

Flourish encrypts Data transmitted between customers and the Flourish application over public networks using TLS 1.2, as a minimum. Customer Personal Data stored on Flourish’s servers is encrypted using AES-256, as a minimum.

2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Flourish has personnel responsible for oversight of security and privacy. It has appointed Heads of Security, Privacy and Data, together with an Information Security Committee that meets regularly to discuss risks.

3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

In order to support availability of the service, Flourish utilises Amazon Web Services (AWS) auto scaling, AWS availability zones, extensive application and infrastructure monitoring, and 24x7 application support rosters.

Flourish maintains backups of the data stores, including Customer Personal Data, that support the core functionalities of the Flourish application.

Flourish maintains a security incident response capability that includes a documented Personal Data Incident Response Plan for security incidents involving Data. This defines how we contain, respond, assess, communicate incidents, as well as roles and responsibilities of Flourish personnel and a requirement for post-incident reviews.

4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Flourish engages a specialist third-party security tester to perform an annual penetration test of its application and infrastructure. Flourish also employs a third-party application vulnerability scanning service and runs a public bug bounty program.

5. Measures for user identification and authorisation

Where a Customer’s account contains a password for authentication, Flourish stores the password salted and hashed using an industry-standard password hashing function. When purchased by an Enterprise Customer, Flourish supports Single Sign On (SSO) integration with a customer identity provider using Security Assertion Markup Language (SAML).

6. Measures for the protection of data during transmission

As per item 1, Flourish encrypts Data transmitted over public networks between customers and the Flourish application using TLS 1.2, as a minimum.

7. Measures for the protection of data during storage

As per item 1, Customer Personal Data stored on Flourish’s servers is encrypted using AES-256, as a minimum.

8. Measures for ensuring physical security of locations at which personal data are processed

The service is hosted and Data is stored within data centres provided by Amazon Web Services (AWS). As such, Flourish relies on the physical, environmental and infrastructure controls of AWS. Flourish periodically reviews certifications and third-party attestations provided by AWS relating to the effectiveness of its data centre controls.

9. Measures for ensuring events logging

Flourish maintains application and infrastructure security audit logs. Audit logs are analysed to detect anomalous activity.

10. Measures for ensuring system configuration, including default configuration

Flourish hardens its server infrastructure using a hardening standard based on a common industry standard. Flourish applies security patches to its servers in accordance with a standard vulnerability management process.

11. Measures for internal IT and IT security governance and management

Flourish staff access to Customer Personal Data is role-based and follows the principle of least privilege. Staff are only provided with sufficient access to Customer Personal Data to be able to discharge their responsibilities effectively. Remote network access to Flourish systems requires encrypted communication via secured protocols and use of multi-factor authentication. Flourish has established and will maintain procedures for password management for its personnel, designed to ensure passwords are personal to each individual and inaccessible to unauthorised persons, including at minimum:

  • cryptographically protecting passwords when stored in computer systems or in transit over the network;
  • altering default passwords from vendors; and
  • education on good password practices.

Staff access to production infrastructure requires multi-factor authentication (MFA).

Flourish staff are subject to confidentiality obligations and a Personal Data Handling Policy. Flourish requires its staff to undergo information security awareness training, both at the commencement of their employment and then annually thereafter. Flourish also requires its staff to undergo privacy law training annually (including to comply with COPPA and FERPA in respect of student data).

12. Measures for certification/assurance of processes and products

Flourish will maintain an ISO 27001 certification, undergoing periodic external surveillance and recertification audits to ensure that its Information Security Management System (ISMS) meets the requirements of this standard.

Flourish will maintain an information security policy that meets the requirements of the ISO 27001 standard, an internal audit program that assesses Flourish’s ISMS and information security controls, and a management committee that is responsible for oversight of Flourish’s Information Security Management System (ISMS).

13. Measures for ensuring data minimisation

Flourish minimises the Data it requires from Customers to only what is necessary to provide the service requested. When using the Service, the Customer may submit personal data onto the Service. The Customer determines and controls the personal data that is being inputted onto the Service.

14. Measures for ensuring data quality

Flourish ensures the quality of its data through verification of emails that sign up to the Flourish platform. Flourish also allows users to update the information in their accounts themselves or via requests to its customer support function, the Customer Success Team.

15. Measures for ensuring limited data retention

Flourish maintains a Data Retention Policy setting out the retention periods for various types of data based on legal requirements, justified interests of Flourish and the purposes of collection.

16. Measures for ensuring accountability

Flourish has a designated local representative in the European Economic Area: the European Data Protection Office (EDPO) with registered address at Avenue Huart Hamoir 71, 1030 Brussels, Belgium.

Data Protection Impact Assessments are carried out for high risk processing activities and Flourish maintains records of its processing activities.

17. Measures for allowing data portability and ensuring erasure

Flourish has a standard process for deleting Customer Personal Data and enables the download of Customer Personal Data, where necessary.