Data Processing Addendum

Last updated: 08 January 2024

This Data Processing Addendum with its appendices (together, this "DPA") is incorporated into the Operator General Terms and Conditions of each Service (or other mutually executed written agreement) between the entity identified as the Customer (“Customer”) and Canva Austria GmbH ("Operator") governing Customer’s access to and use of any Service of the Operator (the “Agreement”). This DPA applies to each of our Services including remove.bg, Unscreen and Designify.

In the course of providing the Service to Customer pursuant to the Agreement, Operator may process Customer Personal Data (as defined below) on behalf of Customer. This DPA reflects the parties’ agreement with respect to the Processing of Customer Personal Data that is subject to Applicable Privacy Laws (as defined below). This DPA applies where and to the extent that Operator is acting as a Processor or Service Provider of Customer Personal Data on behalf of Customer under the Agreement. This DPA is effective as of the effective date of the Agreement.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict.

1. Definitions and interpretation

In this Addendum, the following terms shall have the following meanings:

  • "Applicable Privacy Laws" means all worldwide data protection and privacy laws and regulations directly applicable to the Processing of Customer Personal Data under the Agreement, including European Privacy Laws; the California Consumer Privacy Act of 2018 and its regulations (the ‘CCPA’); and the Australian Privacy Act 1988 (Cth); in each case as amended, superseded or replaced from time to time.
  • "Customer Personal Data" means Personal Data that has been provided by or for the Customer to the Service or collected and Processed by or for the Customer through the Service.
  • "Data Subject" means an identified or identifiable individual whose Personal Data is processed.
  • "European Privacy Laws" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "GDPR"); (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (the "Swiss DPA"); (iv) EU Directive 2002/58/EC on Privacy and Electronic Communications; and (v) any national law made under or pursuant to items (i) – (iv); in each case as amended, superseded or replaced from time to time.
  • "Personal Data" means any information relating to an identified or identifiable individual or any other information defined as 'personal data' or 'personal information' under Applicable Privacy Laws.
  • "Restricted Transfer" means (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the UK GDPR; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
  • "Security Incident" means a breach of Operator’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
  • The terms "Controller", "Processor", "Data Subject" and "Processing" have the meanings given to them in Applicable Privacy Laws or, if not defined therein, the GDPR (and "process", "processes" and "processed" shall be interpreted accordingly) and the terms "Business" and "Service Provider" have the meanings given to them in the CCPA.

Any capitalised terms used but not defined in this DPA shall have the meanings given to them under the Agreement.

2. Processing of Personal Data

  • 2.1 Description of the Processing: The type of Customer Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the Processing, and the categories of data subjects, are described in Annex 1.B.
  • 2.2 Relationship of the parties: Customer is a Controller or Business (as applicable) of the Customer Personal Data and Operator shall process the Customer Personal Data solely as a Processor or Service Provider (as applicable) on behalf of Customer. Where the concepts of Controller and Processor are not expressly contemplated by Applicable Privacy Laws, the parties’ obligations in connection with this DPA shall be interpreted under those Applicable Privacy Laws to align as closely as possible with the scope of those roles while still complying fully with those Applicable Privacy Laws.
  • 2.3 Purpose limitation: Operator will process Customer Personal Data in accordance with the requirements of Applicable Privacy Laws binding on it in the performance of this DPA. Operator shall Process the Customer Personal Data as necessary to perform its obligations under the Agreement and strictly in accordance with the documented instructions of Customer (as set out in the Agreement, including this DPA, the Order(s) and the Customer’s configuration of any settings, or as otherwise agreed in writing between the parties) (the “Permitted Purpose”). Operator shall not: (i) retain, use, disclose or otherwise process the Customer Personal Data for any purpose other than the Permitted Purpose (including for its own commercial purpose), except where otherwise required by any law applicable to Operator; or (ii) "sell" the Customer Personal Data within the meaning of the CCPA or otherwise. Operator shall immediately inform Customer if it becomes aware that Customer's Processing instructions infringe Applicable Privacy Laws, but without any obligation to actively monitor Customer's compliance with Applicable Privacy Laws. The parties acknowledge that Customer's transfer of Customer Personal Data to Operator is not a "sale" of Personal Data within the meaning of Applicable Privacy Laws and that Operator provides no monetary or other valuable consideration to Customer in exchange for the Customer Personal Data.
  • 2.4 Customer’s responsibilities: Customer shall, in its use of the Service, Process Customer Personal Data in accordance with the requirements of Applicable Privacy Laws. Customer’s instructions for the Processing of Personal Data shall comply with Applicable Privacy Laws, including any applicable requirements to provide notice to Data Subjects of the use of Operator as Data Processor. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Customer shall ensure that the Customer is entitled to transfer the relevant Customer Personal Data to Operator so that Operator and its Sub-processors may lawfully use, process and transfer the Customer Personal Data in accordance with this DPA and the Agreement on Customer’s and its Affiliates’ behalf.
  • 2.5 Confidentiality of Processing: Operator shall ensure that any person that it authorises to process the Personal Data (including Operator's staff, agents and subcontractors) (an "Authorised Person") shall be subject to a duty of confidentiality (whether a contractual duty or a statutory duty).
  • 2.6 Security: Operator shall implement appropriate technical and organisational measures designed to protect the Customer Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data. Such measures shall include the measures identified at Annex 2 (the "Security Measures"). Customer acknowledges that Operator may update or modify the Security Measures from time to time provided that doing so will not materially reduce the overall protections provided herein.
  • 2.7 Subprocessing:
  • 2.7.a Appointment of Subprocessors. Customer generally authorises Operator to engage third party Processors ("Subprocessors") in accordance with the terms of this Section 2.7 and approves Operator’s use of the Subprocessors listed in the Subprocessors List to process the Customer Personal Data for the Permitted Purpose, provided that (i) Operator has entered into a written agreement with each Subprocessor containing substantially the same standard of protection of Personal Data as provided under this DPA, to the extent applicable to the nature of the service provided by such Subprocessor, and (ii) Operator remains liable for any breach of this DPA that is caused by the acts or omissions of its Subprocessors to the same extent Operator would be liable if it had caused the breach itself.
  • 2.7.b Identification of Subprocessors. Operator will maintain an up-to-date list of Subprocessors here (the “Subprocessors List”). Operator shall update the Subprocessors List with any new or replacement Subprocessor to be appointed at least fourteen (14) days prior to the date on which that new or replacement Subprocessor commences Processing Customer Personal Data. The Subprocessors List contains a mechanism for Customer to subscribe to notifications of new and replacement Subprocessors. The Customer may sign up to receive email notification of such changes to the Subprocessors List (a “Change Notice”).
  • 2.7.c Objections to Subprocessors. If Customer objects to any change regarding a Subprocessor within 14 days of a Change Notice by sending an email to the relevant Service (Remove.bg: [email protected], Unscreen: [email protected], or Designify: [email protected]), Operator will use reasonable efforts to make available to Customer a change in the Service, or recommend a commercially reasonable change to Customer’s configuration or use of the Service, to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. If Operator is unable to make available such change within a reasonable period of time, which shall not exceed fourteen (14) days, Operator will have the right to terminate the applicable Order Form(s) with respect to those Services which cannot be provided by Operator without the use of the objected-to Subprocessor by providing written notice to Customer, and Operator will refund to Customer any prepaid fees covering the remainder of the term of the Order Form(s) following the effective date of termination with respect to such terminated Services.
  • 2.8 International transfers: Customer acknowledges that Operator and its Subprocessors may Process Customer Personal Data in countries that are outside of the EEA, United Kingdom and Switzerland. Where a Restricted Transfer is made, Operator shall take such measures as are necessary to ensure the transfer is made in compliance with Applicable Privacy Laws.
  • 2.9 Cooperation and Data Subjects' rights: Operator shall, to the extent legally permitted, and taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfilment of Customer’s obligation to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Privacy Laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with Operator's Processing of the Customer Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Operator, Operator shall promptly inform Customer providing full details of the same.
  • 2.10 Data Protection Impact Assessment: Taking into account the nature of the Processing and the information available to Operator, Operator shall, to the extent legally required to do so, provide Customer with such reasonable cooperation and assistance as Customer may require in order to comply with its obligation under Applicable Privacy Laws to conduct data protection impact assessments and, if necessary, to consult with its relevant data protection authority in relation to the Customer’s use of the Service, to the extent Customer does not otherwise have access to that information.
  • 2.11 Security Incidents: Upon becoming aware of a Security Incident, Operator shall inform Customer without undue delay. Such notice will, as required under Applicable Privacy Laws and taking into account the nature of the Processing, provide the details of the Security Incident to the extent such information is reasonably available to Operator. Operator shall further take all such measures and actions as are reasonably necessary to remedy or mitigate the effects of the Security Incident and keep Customer informed of all material developments in connection with the Security Incident. Customer will not communicate or publish any notice or admission of liability concerning any Security Incident which directly or indirectly identifies Operator (including in any legal proceeding or in any notification to regulatory authorities or affected Data Subjects) without Operator's prior approval, unless Customer is compelled to do so under applicable law. In any event, Customer shall provide Operator with reasonable prior written notice of any such communication or publication.
  • 2.12 Deletion or return of Data: Upon termination or expiry of the Agreement, Operator shall (at Customer's election) destroy or return to Customer all Customer Personal Data (including all copies of the Customer Personal Data) in its possession or control. This requirement shall not apply to the extent that Operator is required by any law to retain some or all of the Customer Personal Data, in which event Operator shall isolate and protect the retained Customer Personal Data from any further Processing except to the extent required by such law, until deletion is possible.
  • 2.13 Audit: Operator shall respond to any written audit questions concerning its compliance with this Data Processing Addendum that are submitted to it by Customer, provided that Customer shall not exercise this right more than once per year.
  • 2.14 Liability: Customer acknowledges and agrees that any liability arising under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.
  • 2.15 Duration: The terms of this DPA will survive, and remain in force after, the expiration or termination of the Agreement.

ANNEXES

ANNEX I. A. LIST OF PARTIES

Data Controller:

Name: As provided in the Agreement

Address: As provided in the Agreement

Contact person’s name, position and contact details: As provided in the Agreement

Activities relevant to the data transferred under these Clauses: The Data Controller is a customer of the Data Processor and utilises the Data Processor’s Service for editing photos and videos, automated background removal for pictures and videos, and label annotations.

Data Processor:

Name: Canva Austria GmbH

Address: Ungargasse 37/BT1/3.3, 1030 Wien, Austria

Contact person’s name, position and contact details: As provided in the Agreement

Activities relevant to the data transferred under these Clauses: The Data Processor operates a Service for editing photos and videos, automated background removal for pictures and videos, and label annotations.

ANNEX 1.B. DESCRIPTION OF PROCESSING
Categories of data subjects: The Customer may submit Personal Data to the Service to the extent determined and controlled by the Customer, which shall be limited to Personal Data relating to the following categories of Data Subjects:
  • Employees, agents, advisors, contractors and freelancers of the Data Controller who are Users of the Services (who are natural persons); and
  • Third party individuals whose information is included in the content uploaded by the Customer onto the Services.
Categories of personal data: The Customer may submit Personal Data to the Service to the extent determined and controlled by the Customer, which shall be limited to:
  • Access credentials of Users
  • Contact details of Business Users (e.g. name, email address, phone number)
  • Content (including images or videos) uploaded to the Service in an electronic form which may contain Personal Data
Nature of the processing: Operator will Process Personal Data in the course of providing the Service pursuant to the terms of the Agreement.
Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The personal data will be retained until termination or expiry of the Agreement, and then deleted or returned in accordance with Section 2.12 of this DPA.

ANNEX 2 - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

This describes the minimum security standards that Operator applies to Customer Data received under the Services under the Agreement.

  • 1. Measures of pseudonymisation and encryption of personal data

    Operator encrypts Data transmitted between customers and the Operator application over public networks using TLS 1.2 or higher. Customer Data stored on Operator’s servers is encrypted using AES 256 or stronger.

  • 2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

    Operator has personnel responsible for oversight of security and privacy. Operator has a business continuity plan designed to maintain service during, and/or recover from, reasonably foreseeable emergency situations or disasters. Customer Data is securely backed up on a regular basis.

  • 3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

    In order to support availability of the Service, Operator utilises Google Cloud Platform (‘GCP’) auto scaling, GCP availability zones, and extensive application and infrastructure monitoring.

    Operator maintains backups of the data stores, including Customer Data, that support the core functionalities of Operator application. Backups are stored in a location geographically-separated from the primary data storage location.

    Operator maintains a security incident response capability that includes a documented Personal Data Incident Response Plan for security incidents involving Data. The plan defines how Operator contains, responds to, assesses and communicates incidents, the roles and responsibilities of Operator personnel, and a requirement for post-incident reviews.

  • 4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

    Operator employs a third-party application vulnerability scanning service and runs a public bug bounty program covering its applications and infrastructure.

  • 5. Measures for user identification and authorisation

    Where a Customer’s account contains a password for authentication, Operator stores the password salted and hashed using an industry-standard password hashing function.

  • 6. Measures for the protection of data during transmission

    Operator encrypts Data transmitted between customers and the Operator application over public networks using TLS 1.2 or higher.

  • 7. Measures for the protection of data during storage

    Operator Services are hosted on Google Cloud Platform (‘GCP’). The Customer Data stored within GCP is encrypted at all times. More information about GCP security is available at https://cloud.google.com/architecture#security.

    Customer Data stored on Operator’s servers is encrypted using AES-256 or stronger.

  • 8. Measures for ensuring physical security of locations at which personal data are processed

    The Operator Service is hosted on Google Cloud Platform (‘GCP’), and its servers are protected by the physical, environmental and infrastructure controls of GCP. GCP is ISO/IEC 27001 certified. As such, Operator relies on the physical, environmental and infrastructure controls of GCP. Detailed information about GCP security is available at https://cloud.google.com/architecture#security.

    Operator periodically reviews certifications and third-party attestations provided by GCP relating to the effectiveness of its data center controls.

  • 9. Measures for ensuring events logging

    Operator maintains application and infrastructure security audit logs. Audit logs are analysed to detect anomalous activity.

  • 10. Measures for ensuring system configuration, including default configuration

    Operator hardens its server infrastructure using a hardening standard based on a common industry standard. Operator applies security patches to its servers in accordance with a standard vulnerability management process.

  • 11. Measures for internal IT and IT security governance and management

    Operator maintains internal policies on the acceptable use of IT systems and general information security. Operator personnel with access to Customer Data must complete new hire security awareness training, as well as annual refresher training, that includes the protection of such information.

    Operator has established and will maintain procedures for password management for its personnel, designed to ensure passwords are personal to each individual and inaccessible to unauthorised persons, including at minimum:

    • cryptographically protecting passwords when stored in computer systems or in transit over the network;
    • altering default passwords from vendors; and
    • education on good password practices.

    Operator personnel access to production infrastructure requires multi-factor authentication (MFA). Operator personnel are subject to confidentiality obligations and a Personal Data Handling Policy.

  • 12. Measures for certification/assurance of processes and products

    The Operator Service is hosted on Google Cloud Platform (‘GCP’), and its servers are protected by the physical, environmental and infrastructure controls of GCP. GCP is ISO/IEC 27001 certified. Detailed information about GCP security is available at https://cloud.google.com/architecture#security. Operator periodically reviews certifications and third-party attestations provided by GCP relating to the effectiveness of its data center controls.

  • 13. Measures for ensuring data minimisation

    Operator minimises the Data it requires from Customers to only what is necessary to provide the service requested. When using the Services, the Customer may submit personal data to the Services. The Customer determines and controls the personal data that is input into the Services.

  • 14. Measures for ensuring data quality

    Operator ensures the quality of its data by verifying the email addresses used to sign up to the Operator platform. Operator also allows users to update the information in their accounts themselves, or via requests to its customer support function, the Customer Success Team.

  • 15. Measures for ensuring limited data retention

    Operator maintains a Data Retention Policy setting out the retention periods for various types of data based on legal requirements, justified interests of Operator and the purposes of collection.

  • 16. Measures for ensuring accountability

    Data Protection Impact Assessments are carried out for high risk processing activities when applicable to the Services and Operator maintains records of its processing activities.

  • 17. Measures for allowing data portability and ensuring erasure

    Operator has a standard process for deleting Customer Data and enables the download of Customer Data, where necessary.