Data Processing Addendum

See previous versions of this and other policies in our Policy Archives.

This Data Processing Addendum ("Addendum") is supplementary to, and forms part of, the terms of use available at https://www.canva.com/policies/terms-of-use/, the Canva Subscription Service Agreement or the Canva Enterprise Subscription Agreement (as applicable, and as may be updated from time to time) (the "Agreement") between Canva Pty Ltd (ABN 80 158 929 938) of Level 1, 110 Kippax St, Surry Hills, New South Wales, Australia 2010 or Canva US, Inc. with offices at 200 E 6th Street, Austin, TX, USA 78701 or Canva UK Operations Limited a company incorporated in England and Wales with company number 08825531 and its registered office at Acre House, 11/15 William Road, London, United Kingdom, NW1 3ER with offices at 33-35 Hoxton Square, London N1 6NN, UK (as applicable) ("Canva") and the entity or person(s) identified as Customer in the relevant customer account or Order Form referencing this Addendum (as applicable) ("Customer"). This Addendum applies where and to the extent that Canva is acting as a Processor or service provider (as applicable) of Personal Data on behalf of Customer under the Agreement. In the event of any conflict between this Addendum and the Agreement, this Addendum shall prevail to the extent of such conflict.

1. Definitions and Interpretation

In this Addendum, the following terms shall have the following meanings:

(a) "Applicable Privacy Laws" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question including, where applicable: (i) European Privacy Laws; (ii) the Australian Privacy Act 1988 (Cth) ("Australian Privacy Laws"); (iii) the New Zealand Privacy Act 2020; (iv) the Philippines Republic Act No. 10173; (v) the Brazilian Data Protection Law (Brazil) No. 13,709/2018 (Portuguese: Lei Geral de Proteção de Dados Pessoais) (the "LGPD"); (vi) the California Consumer Privacy Act of 2018 and its regulations (the "CCPA"); the Virginia Consumer Data Protection Act of 2021 (the "VCDPA"); the Colorado Privacy Act (the "CPA"); and any other similar state law governing the processing of Personal Data (collectively, "U.S. State Privacy Laws"), in each case as amended, superseded or replaced from time to time.

(b) "Data Subject" means an identified or identifiable individual whose Personal Data is processed.

(c) "European Privacy Laws" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "GDPR"); (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (the "Swiss DPA"); (iv) EU Directive 2002/58/EC on Privacy and Electronic Communications; and (v) any national law made under or pursuant to items (i) – (iv); in each case as amended, superseded or replaced from time to time.

(d) "Personal Data" means any information relating to an identified or identifiable individual or any other information defined as 'personal data' or 'personal information' under Applicable Privacy Laws.

(e) "Personal Data Breach" means a breach of Canva's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data.

(f) "Restricted Transfer" means (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the UK GDPR; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

(g) "SCCs" means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time.

(h) "UK Addendum" means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under s.119(A) of the UK Data Protection Act 2018, as may be amended, superseded or replaced from time to time.

(i) The terms "Controller", "Processor", "Data Subject" and "processing" have the meanings given to them in Applicable Privacy Laws or, if not defined therein, the GDPR (and "process", "processes" and "processed" shall be interpreted accordingly) and the terms "Business" and "Service Provider" have the meanings given to them in the CCPA.

(j) Any capitalised terms used but not defined in this Addendum shall have the meanings given to them under the Agreement.

2. Processing of Personal Data

2.1 Relationship of the parties: Customer is a Controller or Business (as applicable) of the Personal Data described in Annex 1.B (the "Customer Personal Data") and Canva shall process the Customer Personal Data solely as a Processor or Service Provider (as applicable) on behalf of Customer. Canva and Customer shall each comply with their respective obligations under Applicable Privacy Laws and further guidance from data protection authorities with respect to such processing. Where the concepts of Controller and Processor are not expressly contemplated by Applicable Privacy Laws, the parties’ obligations in connection with this Addendum shall be interpreted under those Applicable Privacy Laws to align as closely as possible with the scope of those roles while still complying fully with those Applicable Privacy Laws.

2.2 Purpose limitation: Canva shall only process the Customer Personal Data as necessary to perform its obligations under the Agreement, including this Addendum, and strictly in accordance with the documented instructions of Customer as set out in the Agreement and this Addendum (the "Permitted Purpose"). Canva shall not retain, use, disclose or otherwise process the Customer Personal Data for any purpose other than the Permitted Purpose (including for its own commercial purpose), except where otherwise required by any law applicable to Canva. Canva shall immediately inform Customer if it becomes aware that Customer's processing instructions infringe Applicable Privacy Laws but without obligation to actively monitor Customer's compliance with Applicable Privacy Laws.

To the extent that Canva processes Customer Personal Data within the scope of U.S. State Privacy Laws: Canva shall not (i) ‘sell’, ‘share’ or ‘process for targeted advertising purposes’ the Customer Personal Data as those terms are defined in applicable U.S. State Privacy Laws; or (ii) combine the Customer Personal Data with personal data that Canva receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subjects, except to the extent permitted under the Agreement and Applicable Privacy Laws. Customer retains the right, upon notice, to take reasonable steps to: (i) ensure that Canva processes the Customer Personal Data in a manner consistent with Applicable Privacy Laws; and (ii) stop and remediate unauthorized use of Customer Personal Data, including any use of Customer Personal Data not expressly authorized in the Agreement or this Addendum. The parties acknowledge that Customer's transfer of Customer Personal Data to Canva is not a "sale" of Customer Personal Data within the meaning of Applicable Privacy Laws and Canva provides no monetary or other valuable consideration to Customer in exchange for the Customer Personal Data. Canva certifies it understands its obligations under this Addendum (including without limitation the foregoing restrictions in Section 2.2), and that it will comply with them.

2.3 International transfers: To the extent that Canva transfers the Customer Personal Data (or permits the Customer Personal Data to be transferred) to a country other than the country in which the Customer Personal Data was first collected, it shall first take such measures as are necessary to ensure that the transfer is made in compliance with Applicable Privacy Laws. Such measures may include (without limitation) transferring the Customer Personal Data to a recipient that has executed standard contractual clauses adopted by the European Commission, UK Secretary of State or Information Commissioner's Office or Brazilian Data Protection Authority (as applicable) or transferring the Customer Personal Data to a recipient that has executed a contract with Canva that ensures the Customer Personal Data will be protected to the standard required by Applicable Privacy Laws. Canva will also protect the Customer Personal Data in a way that overall provides comparable safeguards to the country in which the Customer Personal Data was first collected.

2.4 Standard contractual clauses: To the extent that the transfer of Customer Personal Data from Customer to Canva involves a Restricted Transfer, the SCCs shall be incorporated by reference and form an integral part of this Addendum with Customer as "data exporter" and Canva as "data importer". For the purposes of the SCCs: (i) the module two (controller to processor) terms shall apply and the module one, three and four terms shall be deleted in their entirety; (ii) in Clause 9, Option 2 shall apply; (iii) in Clause 11, the optional language shall be deleted; (iv) in Clause 17, Option 1 shall apply and the SCCs shall be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) the Annexes of the SCCs shall be populated with the information set out in the Annexes to this DPA; and (vii) if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.

2.4.a UK transfers: In relation to Customer Personal Data that is protected by the UK GDPR, the SCCs as incorporated under Section 2.4 shall apply with the following modifications: (i) the SCCs shall be amended as specified by the UK Addendum, which shall be incorporated by reference; (ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in the Annexes of this DPA; (iii) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "importer"; and (iv) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

2.4.b Swiss transfers: In relation to Customer Personal Data that is protected by the Swiss DPA, the SCCs as incorporated under Section 2.4 shall apply with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to “EU,” “Union,” and “Member State” shall be replaced with “Switzerland”; (iv) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Swiss Federal Data Protection and Information Commissioner” and the “competent Swiss courts”; and (v) the SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.

2.5 Confidentiality of processing: Canva shall ensure that any person that it authorises to process the Customer Personal Data (including Canva's staff, agents and subcontractors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty). Canva shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.

2.6 Security: Canva shall implement appropriate technical and organizational measures to protect the Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Customer Personal Data as described in Annex 2 ("Technical and Organizational Measures"). Customer acknowledges that Canva may update or modify the Technical and Organizational Measures from time to time by publishing these at the url https://www.canva.com/policies/technical-and-organisational-measures, provided that such updates and modifications do not result in a degradation to the overall level of security.

2.7 Subprocessing: Customer authorises Canva to engage third party Processors ("Subprocessor(s)") to process the Customer Personal Data for the Permitted Purpose provided that:

2.7.a Canva provides reasonable prior notice at least 30 days before the proposed addition or replacement of any Subprocessor by posting details at the url https://www.canva.com/policies/subprocessors, and will provide Customer with a mechanism to receive notifications of new Subprocessors in order to allow Customer to raise any reasonable objections, on grounds of data protection, related to the protection of Customer Personal Data. Customer shall notify Canva, at privacy@canva.com, describing its objection within 10 days of notification. Upon receipt of such objection, if Canva is reasonably able to provide the Service to the Customer in accordance with the Agreement without using the objected Subprocessor and decides in its discretion to do so, then Customer will have no further rights under this provision in respect of the proposed use of the Subprocessor. If Canva, in its sole discretion, requires use of the Subprocessor and is unable to satisfy Customer’s objection regarding the proposed use of the new or replacement Subprocessor, then Customer may terminate the applicable Order Form effective upon the date Canva begins use of such new or replacement Subprocessor solely with respect to the Service(s) that will use the proposed new Subprocessors for the processing of Personal Data;

2.7.b Canva imposes data protection terms on any Subprocessor it engages that ensure substantially the same standard of protection provided under this Addendum and Canva remains fully liable for any breach of this Addendum caused by an act, error or omission of its Subprocessors.

Canva's current Subprocessors are identified at the url https://www.canva.com/policies/subprocessors. For the purposes of Clause 9(c) of the SCCs, Customer acknowledges that Canva may be restricted from disclosing Subprocessor agreements to Customer due to confidentiality obligations. Where Canva cannot disclose a Subprocessor agreement to Customer, Canva shall provide all information (on a confidential basis) it reasonably can in connection with such agreement.

2.8 Cooperation and Data Subjects' rights: Canva shall provide all reasonable and timely assistance to Customer to enable Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Privacy Laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with Canva's processing of the Customer Personal Data, unless prohibited by Applicable Privacy Laws. In the event that any such request, correspondence, enquiry or complaint is made directly to Canva, Canva shall promptly inform Customer providing full details of the same.

2.9 Data Protection Impact Assessment: Canva shall provide Customer with all such reasonable and timely assistance as Customer may require in order to comply with its obligation under Applicable Privacy Laws to conduct data protection impact assessments and, if necessary, to consult with its relevant data protection authority.

2.10 Personal Data Breach: Upon becoming aware of a Personal Data Breach, Canva shall inform Customer without undue delay and shall provide all such timely information and cooperation as Customer may reasonably require in order for Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Privacy Laws. Canva shall further take all such measures and actions as are reasonably necessary to remedy or mitigate the effects of the Personal Data Breach insofar as it affects the Customer Personal Data and keep Customer informed of all material developments in connection with the Personal Data Breach. Customer will not communicate or publish any notice or admission of liability concerning any Personal Data Breach which directly or indirectly identifies Canva (including in any legal proceeding or in any notification to regulatory authorities or affected Data Subjects) without Canva's prior approval, unless Customer is compelled to do so under applicable law. In any event, Customer shall provide Canva with reasonable prior written notice of any such communication or publication.

2.11 Deletion or return of Customer Personal Data: Upon termination or expiry of the Agreement, Canva shall (at Customer's election) destroy or return to Customer all Customer Personal Data (including all copies of the Customer Personal Data) in its possession or control. This requirement shall not apply to the extent that Canva is required by any law to retain some or all of the Customer Personal Data, in which event Canva shall isolate and protect the Customer Personal Data from any further processing except to the extent required by such law until deletion is possible.

2.12 Audit: Customer acknowledges that Canva is regularly audited against ISO 27001 standards by independent third party auditors. Upon request, Canva shall supply a summary copy of its audit report(s) to Customer, which reports shall be subject to the confidentiality provisions of the Agreement. Canva shall also respond to any written audit questions submitted to it by Customer, provided that Customer shall not exercise this right more than once per year. Customer agrees that Customer shall exercise its rights under Clause 8.9 of the SCCs by instructing Canva to comply with the audit measures described in this Section 2.12.

ANNEXES

ANNEX I. A. LIST OF PARTIES

Data exporter(s):

Name: The entity identified as the "Customer" on the Order Form or the name specified in Customer's account.

Address: The Customer’s Billing Address specified on the Order Form or the address specified in Customer's account.

Contact person’s name, position and contact details: The Primary Contact Name, Primary Contact Position and Primary Contact Email specified on the Order Form or the contact information specified in a Customer's account.

Activities relevant to the data transferred under these Clauses: The data exporter is a customer of the data importer and utilising the data importer’s services on canva.com to create graphics, presentations, posters, documents and other visual content.

Role (controller/processor): Controller


Data importer(s):

Name: The Canva entity identified on the Order Form.

Address: The Canva entity’s address specified on the Order Form.

Contact person’s name, position and contact details: Head of Privacy and Product Counsel, Jacqueline Davy, legal@canva.com

Representative contact details: (EEA) European Data Protection Office (EDPO), Regus Block 1, Blanchardstown Corporate Park, Ballycoolen Road, Blanchardstown, Dublin, D15 AKK1, Ireland; (UK) European Data Protection Office UK (EDPO UK), 8 Northumberland Avenue, London WC2N 5BY, United Kingdom.

Activities relevant to the data transferred under these Clauses: The data importer operates a graphic design platform used to create graphics, presentations, posters, documents and other visual content.

Role (controller/processor): Processor


Annex 1.B. DESCRIPTION OF TRANSFER

Categories of data subjects:

- Users of the Service pursuant to the Agreement between Canva and Customer, which may include Customer’s employees, contractors or agents.

- Third party individuals whose information is included in Designs created in the Service by Customer or Users.

Categories of personal data: The categories of personal data are determined and controlled by Customer in its sole discretion and may include:

- Access credentials of Users;

- Contact details of Users (e.g. name, email address, phone number); and

- any other personal data that Customer or Users include in Designs created in the Service.

Sensitive data transferred (if applicable) and applied restrictions or safeguards:

Any sensitive data included by Customer or Users in Designs created in the Service, the extent of which is determined and controlled by Customer in its sole discretion. See Annex 2 for applied restrictions and safeguards.

Frequency of the transfer: Continuous

Nature of the processing: Processing of the Customer’s and Users’ usernames, passwords and contact details in order to access and manage the Services and upload Designs to the Service.

Purpose(s) of the data transfer and further processing: Provision of the Service pursuant to the Agreement.

Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The personal data will be retained until termination or expiry of the Agreement, in accordance with Section 2.11 of this Addendum.

Annex 1.C. COMPETENT SUPERVISORY AUTHORITY

The supervisory authority of the EEA Member State in which Customer is established or, if Customer is not established in the EEA, the EEA Member State in which Customer's representative is established or in which Customer's End Users are predominantly located.

ANNEX 2 - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

ANNEX 3 – LIST OF SUB-PROCESSORS

The Customer has authorised the use of the sub-processors set out at this url https://www.canva.com/policies/subprocessors.

Last updated: 22 August 2024