Authority Request Policy
Canva strongly believes its users should be in control of their personal information. Canva will only disclose user data in response to valid legal processes, unless we think the information could prevent serious harm. Canva will not voluntarily give its users’ data to governments for surveillance purposes. Trust is important to us, so we’ll always be as transparent as laws will allow in relation to requests we receive for user data.
1.1 This Authority Request Policy sets out Canva’s procedures for responding to a request received from a law enforcement or other government authority (together the “Requesting Authority”) to disclose User Data that is processed by Canva (“Authority Request”).
1.3 Where Canva receives an Authority Request, we will handle that Authority Request in accordance with this policy. If applicable data protection law(s) require a higher standard of protection for User Data than is required by this policy, Canva will comply with the relevant requirements of those applicable data protection law(s).
2. Which Authority Requests will be approved?
2.1 Canva does not disclose User Data in response to an Authority Request unless either:
2.1.1 it is under a compelling legal obligation to make such disclosure; or
2.1.2 there is an emergency due to an imminent risk of serious harm that the information Canva holds could help prevent and therefore merits compliance with the Authority Request (especially harm to children), taking into account the nature, context, purposes, scope and urgency of the Authority Request and the privacy rights and freedoms of any affected individuals.
3. What must a valid Authority Request include?
3.1 In order to respond to an Authority Request, Canva will require evidence of a valid and enforceable legal process issued by a court of competent jurisdiction such as:
3.1.1 a search warrant;
3.1.2 a court order;
3.1.3 a subpoena;
3.1.4 a preservation order; or
3.1.5 the equivalent legal process to any of the above in the applicable jurisdiction.
3.2 All Authority Requests under clause 2.1.1 (compelling legal obligation) must include:
3.2.1 the Requesting Authority details, together with the name, contact information and badge/identification number of the Requesting Authority’s agent or representative who is authorised to serve the request;
3.2.2 evidence of the Requesting Authority’s right to compel Canva to produce the Authority Request (as set out in clause 3.1);
3.2.3 a description of the specific personal information and data being requested, including the relevant user’s name and email address to enable identification of the account;
3.2.4 the categories and type of personal information sought;
3.2.5 the time period for the personal information sought; and
3.2.6 the timeframe for provision of the User Data.
3.3 Canva does not guarantee the existence or retention of particular user information. However, Canva will honor valid requests made due to a compelling legal obligation to preserve information for up to 90 days, and will extend the preservation for one additional 90-day period with an additional valid request for extension.
3.4 All Authority Requests made under clause 2.1.2 (emergency circumstances) must, in addition to the items in clause 3.2, also include:
3.4.1 the circumstances of the request and the nature of the claimed emergency;
3.4.2 an explanation of why there is insufficient time to obtain and serve a valid and binding legal demand; and
3.4.3 an explanation of how the information requested will assist in averting the claimed emergency.
3.5 The Authority Request must be sent by a law enforcement agency or official government entity via a registered email domain that aligns with the agency or by post on official letterhead.
3.6 Canva requires that any individual or entity making an Authority Request ensure that the process or request is properly domesticated. Foreign law enforcement agencies making an Authority Request for data stored in another country should proceed through a mutual legal assistance treaty, letters rogatory processes or other diplomatic or legal process.
3.7 Canva does not accept requests for testimony from individual employees or contractors. These must be served personally.
3.8 Canva will accept service of law enforcement requests by email to firstname.lastname@example.org or mail to
Canva Pty Ltd
Attn: Legal Team
110 Kippax St,
Surrey Hills, New South Wales, Australia 2019
4. Escalation of Authority Requests
4.1 If Canva receives an Authority Request, the recipient of the request must pass it to Canva’s Legal Team immediately upon receipt, indicating the date on which it was received together with any other information that may assist the Legal Team to respond to the request.
4.2 All Authority Requests must be notified to the Legal Team for review regardless of the form in which they are submitted.
4.3 Canva’s Legal Team will carefully review each Authority Request on a case-by-case basis to ensure that it is legitimate and valid. The Legal Team will liaise with outside counsel as appropriate to deal with the request to determine the nature, context, purposes, scope and urgency of the Authority Request, and its validity under applicable laws, to identify whether action may be needed to challenge the Authority Request and/or to notify the user and/or competent data protection authorities in accordance with clauses 5 and 6 respectively. When challenging an Authority Request, Canva may seek interim measures to suspend the effects of the order until the court has decided on the merits that the Authority Request should be fulfilled.
5. Notice of an Authority Request
5.1 Notice to the user
5.1.1 Canva will ordinarily ask the Requesting Authority to make the Authority Request directly to the relevant user. If the Requesting Authority agrees, Canva will support the user in accordance with the terms of its contract to respond to the Authority Request.
5.1.2 If this is not possible (for example, because the Requesting Authority declines to make the Authority Request directly to the user, does not know the user’s identity, or if Canva is not permitted by law to disclose the Authority Request), Canva will notify and provide the user with the details of the Authority Request prior to disclosing any User Data, unless legally prohibited from doing so or where an imminent risk of serious harm exists that prohibits prior notification. Requesting Authorities who believe that notification would jeopardize an investigation should obtain an appropriate court order or other process that specifically prohibits customer notification.
5.1.3 If Canva is legally prohibited from notifying the user prior to disclosure, Canva will take reasonable steps to notify the user of the demand after the non-disclosure requirement expires.
5.1.4 If Canva receives legal process subject to an indefinite non-disclosure requirement (including a US National Security Letter), Canva may challenge that non-disclosure requirement in court.
5.1.5 Canva may seek reimbursement for costs associated with responding to Authority Requests, particularly if the costs incurred are the result of responding to burdensome or unique requests.
5.2 Notice to the competent data protection authorities
5.2.1 If the Requesting Authority is in a country that is not regarded as providing an adequate level of protection for the User Data of people located in the data subject’s country under applicable data protection laws, then Canva may also put the request on hold to notify and consult with the competent data protection authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
5.2.2 Where Canva is prohibited from notifying the competent data protection authorities and suspending the request, Canva will use commercially reasonable efforts (taking into account the nature, context, purposes, scope, and urgency of the request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the request on hold, so that Canva can consult with the competent data protection authorities, or to allow disclosure to specified personnel at Canva’s user, and may also, in appropriate circumstances, include seeking a court order to this effect. Canva will use commercially reasonable efforts to maintain a written record of the efforts it takes.
6. Data Minimisation
6.1 All requests will be interpreted narrowly by Canva. Unnecessarily broad requests are subject to challenge.
6.2 In no event will Canva transfer User Data to a Requesting Authority in a bulk manner for multiple users or in a disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.
7. Transparency reports
7.1 Canva will prepare a semi-annual report (a “Transparency Report”), which reflects the number and type of Authority Requests it has received for the preceding six months, as may be limited by applicable law or court order. Canva will publish the Transparency Report on its website, and make the report available upon request to competent data protection authorities.
7.2 The Transparency Reports will be made available below going forward.
Updated 17 November 2021