Last Updated: September 8, 2022
This Data Processing Agreement ("DPA") is incorporated into each Agreement between Articulate Global, LLC (together with its Affiliates, “Articulate”) and the customer (“Customer”, “you”, “your”) for Articulate’s provision of the Services, as defined below. Customer enters into this DPA on behalf of itself and any of its Affiliates that it permits to use the Services pursuant to the Agreement (“Authorized Affiliate”). Articulate and Customer are each referred to individually as a “party” and collectively as the “parties”.
1. Definitions. For purposes of this DPA, capitalized terms have the meanings set forth below. Other capitalized terms have the meaning set forth in the Agreement.
1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party to this DPA.
1.2 “Agreement” means the underlying agreement(s) entered into by Articulate and Customer in writing for Articulate’s provision of Services to Customer.
1.3 "Applicable Law" means all laws, regulations and other legal requirements applicable to either (i) Articulate in its role as provider of the Services or (ii) you. This may include, for example, the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); equivalent requirements in the United Kingdom including the UK General Data Protection Regulation and the Data Protection Act 2018 (“UK Data Protection Law”); the California Consumer Privacy Act and associated regulations (“CCPA”), and the California Privacy Rights Act and its implementing related regulations when effective (“CPRA”); the Personal Information Protection and Electronic Documents Act, SC 2000, c.5 (“PIPEDA”); Australia’s Privacy Act 1988 and the Australian Privacy Principles (the “Privacy Act”); the Virginia Consumer Data Protection Act when effective (“VCDPA”); the Utah Consumer Privacy Act when effective (“UCPA”), and the Colorado Privacy Act and related regulations when effective (“CPA”). Each party is responsible only for the Applicable Law applicable to it.
1.4 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
1.5 “Customer Content” (or “Your Content”) refers to all content and information that Customer, an Authorized Affiliate, or a User uploads, imports, or develops in or to the Services, or that Articulate otherwise receives by or through the Services from Customer, an Authorized Affiliate, or a User.
1.6 “Data Subject” means an identified or identifiable natural person. Where the CCPA or CPRA apply, the term also includes an identified or identifiable household.
1.7 "Personal Data" means (i) any information relating to an identified or identifiable individual, within the meaning of the GDPR (regardless of whether the GDPR applies); (ii) “personal data” within the meaning of the VCDPA and CPA (regardless of whether they apply); (iii) “personal information” within the meaning of PIPEDA, the CCPA, the CPRA, and the Privacy Act (regardless of whether they apply); and (iv) any analogous term as defined in Applicable Law.
1.8 "Personal Data Breach" means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.9 "Process" and "Processing" mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.10 “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
1.11 “Services” means Articulate’s software-as-a-service offering as set forth in a price quote (i.e., Articulate 360, Rise, or both), or other services identified in a price quote.
1.12 "Standard Contractual Clauses" and “2021 SCCs” mean the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
1.13 "Subprocessor" means any subcontractor engaged by Articulate for the Processing of Personal Data.
1.14 “Trust & Compliance Documentation” means the documentation regarding privacy, data security, and Subprocessor information applicable to the specific Services purchased by Customer, as may be updated periodically, and accessible via Articulate’s website at https://articulate.com/trust and https://articulate.com/gdpr.
1.15 “UK SCC Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance), completed as set forth in the “Data Transfers” section below.
1.16 “User” means an individual or individuals that Customer permits to access and use the Services.
2. Scope and Relationship of the Parties
2.1 This DPA applies only to the Personal Data in Customer Content.
2.2 For such Personal Data, you are (or you represent that you are acting with full authority on behalf of) the Controller, and Articulate is your Processor.
2.3 If you are acting on behalf of a third-party Controller (or on behalf of intermediaries such as other Processors of the Controller), to the extent legally permissible:
2.3.1 You will serve as the sole point of contact for Articulate with regard to any such third parties;
2.3.2 Articulate need not interact directly with any such third party in matters relating to this DPA; and
2.3.3 Where Articulate would otherwise be required to provide information, assistance, cooperation, or anything else to such third party, Articulate may provide it solely to you; but
2.3.4 Articulate is entitled to follow the instructions of such third party with respect to such third party’s Personal Data instead of your instructions if Articulate reasonably believes this is legally required under the circumstances.
3. Your Instructions to Articulate
3.1 Articulate will Process the Personal Data only as described in the Agreement, unless obligated to do otherwise by Applicable Law. In such case, Articulate shall inform you of that legal requirement before the Processing unless legally prohibited from doing so.
3.2 The details of the Processing are set forth in Attachment 1 to this DPA.
3.3 The Agreement, including this DPA, along with your configuration of any settings or options in the Services, constitute your complete and final instructions to Articulate regarding the Processing of Personal Data, including for purposes of the Standard Contractual Clauses, if they apply.
3.4 You will comply with Applicable Law relevant to your use of the Services, including by obtaining any consents and providing any notices required under Applicable Law for Articulate to provide the Services. You will ensure that you are entitled to transfer the Personal Data to Articulate so that Articulate and its Subprocessors may lawfully Process the Personal Data in accordance with this DPA.
3.5 You shall not instruct Articulate to Process Personal Data in violation of Applicable Law. Articulate shall promptly inform you if, in Articulate’s opinion, an instruction from you infringes Applicable Law.
4. Data Use Limitation
4.1 Articulate will not “sell” Personal Data as such term is defined under the CCPA (regardless of whether the CCPA applies), VCDPA, or the CPA, and will not “share” Personal Data within the meaning of the CPRA (regardless of whether the CPRA applies). Articulate will not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Articulate.
4.2 In the case of a legal obligation to provide Personal Data to a third party, to the extent legally permitted: (i) Articulate will promptly provide Customer a reasonable opportunity to contest the legal obligation or to seek protection for the disclosure and (ii) Articulate, after consultation with Customer, will disclose only the minimum amount of Personal Data necessary to comply with the legal obligation.
4.3 Articulate will comply with any applicable restrictions under the CPRA on combining Personal Data in Customer Content with Personal Data that Articulate receives from, or on behalf of, another person or persons, or that Articulate collects from any interaction between it and a Data Subject.
5. Subprocessors
5.1 Articulate may engage Subprocessors to Process Personal Data in connection with providing the Services, in compliance with Applicable Law. Prior to a Subprocessor’s Processing of Personal Data, Articulate will impose contractual obligations on the Subprocessor that are substantially the same as those imposed on Articulate under this DPA. Articulate is liable for its Subprocessors’ performance to the same extent Articulate is liable for its own performance under the Agreement.
5.2 A current list of Subprocessors is available at https://articulate.com/trust/gdpr/subprocessors for Articulate 360 services and https://rise.com/gdpr/subprocessors for Rise services. Articulate will promptly (and in any event, thirty (30) days before a new Subprocessor is scheduled to begin Processing Personal Data) provide notice to Customers by updating the aforementioned subprocessor list(s) regarding any such new Subprocessor prior to its Processing of Personal Data, unless exigent circumstances (such as the failure of an existing Subprocessor) require its earlier Processing of Personal Data.
5.3 You may object to Articulate’s use of a new Subprocessor by notifying Articulate within ten (10) business days after Articulate notifies you of the new Subprocessor pursuant to Section 5.2. If you reasonably object to a new Subprocessor, Articulate will use reasonable efforts to make available to you a change in the Services or recommend a commercially-reasonable change to your configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening you. If Articulate is unable to make available such change within a reasonable time period, which shall in no event exceed thirty (30) days, you may terminate the Agreement and/or applicable order(s) by providing written notice to Articulate and ceasing use of the Services on the effective date of the termination. Articulate will refund you a prorated amount covering the remainder of the term of such subscription or order(s) following the effective date of termination with respect to such terminated Services. If you do not object to use of the new Subprocessor and terminate as set forth above, the Subprocessor is deemed to be accepted by you.
5.4 Your agreement to this Section 5 constitutes your consent under the Standard Contractual Clauses, if they apply, and to Processing of Personal Data by the Subprocessors that are listed in the applicable Trust & Compliance Documentation as of the effective date of the Agreement.
5.5 Upon written request, Articulate will provide to Customer copies of Subprocessor agreements; provided, however, that to the extent that such Subprocessor agreements contain commercial information or provisions unrelated to information required by applicable Data Protection Laws and Regulations, such unrelated information may be removed or redacted by Articulate in its discretion.
6. Security
6.1 Articulate will assist you in your compliance with the security obligations of the GDPR and other Applicable Law, as relevant to Articulate’s role in Processing the Personal Data, taking into account the nature of Processing and the information available to Articulate, by implementing the technical and organizational measures described in Attachment 2 to this DPA, without prejudice to Articulate’s right to make future replacements or modifications to the measures that do not materially lower the level of security of the Personal Data.
6.2 You are solely responsible for reviewing any available security documentation and features (if available) and evaluating for yourself whether the Services and related security meet your needs, including your security obligations under Applicable Law. You may use the Services only if the security commitments in this DPA would provide a level of security appropriate to the risk in respect of the Personal Data. By signing this DPA, Customer agrees and represents that the security commitments in this DPA provide a level of security appropriate to the risk in respect of the Personal Data.
6.3 Articulate will ensure that the individuals Articulate authorizes to Process the Personal Data (i) are subject to a written confidentiality agreement covering such data or are under an appropriate statutory obligation of confidentiality and (ii) receive training appropriate to their role in the Processing of the Personal Data.
7. Personal Data Breach Notification
7.1 Articulate and Customer will comply with the Personal Data Breach-related obligations directly applicable to them under the GDPR and other Applicable Law, including any obligations to notify Data Subjects, government authorities, or third parties.
7.2 Taking into account the nature of Processing and the information available to Articulate, Articulate will reasonably assist you in complying with the Personal Data Breach-related obligations applicable to you under Applicable Law by informing you without undue delay after becoming aware of a confirmed Personal Data Breach. Such notification is not an acknowledgement of fault or responsibility. To the extent available, this notification will include Articulate’s then-current assessment of the following, which may be based on incomplete information:
7.2.1 The nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
7.2.2 The likely consequences of the Personal Data Breach; and
7.2.3 Measures taken or proposed to be taken by Articulate to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.
7.3 Articulate shall make reasonable efforts to identify the cause of a confirmed Personal Data Breach and take such remediation measures as Articulate deems necessary and reasonable.
7.4 At all times, Customer has the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
8. Assistance Responding to Data Subjects
8.1 If Articulate receives a Data Subject Request or complaint directed to Customer or an Authorized Affiliate, Articulate will forward the Data Subject Request or complaint to Customer promptly.
8.2 Taking into account the nature of the Processing, Articulate will reasonably assist you with the fulfillment of your obligation to honor requests by individuals to exercise their rights under the GDPR or other Applicable Law (such as rights to access their Personal Data) (“Data Subject Request”) by appropriate organizational and technical measures, insofar as possible. To the extent that you, in your use of the Services, are unable to address a Data Subject Request, Articulate will upon your request provide commercially reasonable efforts to assist you in responding to such Data Subject Request, to the extent that Articulate is required to do so under Applicable Law and is legally authorized to do so.
9. Assistance with DPIAs and Consultation with Supervisory Authorities
9.1 Taking into account the nature of the Processing and the information available to Articulate, Articulate will, upon your written request, provide reasonable assistance and cooperation to you for your performance of any legally required data protection impact assessment of the Processing or proposed Processing of the Personal Data in connection with the Services, and with related consultation with supervisory authorities. Additional support for data protection impact assessments or relations with regulators will require mutual agreement on fees, the scope of Articulate’s involvement, and any other terms that the parties deem appropriate.
10. Data Transfers
10.1 You authorize Articulate and its Subprocessors to make international transfers of the Personal Data in accordance with this DPA and Applicable Law.
10.2 To the extent otherwise legally required, the 2021 SCCs form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and (except as described in Section 10.4) they will be deemed completed as follows:
10.2.1 To the extent you act as a controller and Articulate acts as your processor with respect to the Personal Data subject to the 2021 SCCs, its Module 2 applies. To the extent you act as a processor and Articulate acts as your subprocessor with respect to the Personal Data subject to the 2021 SCCs, its Module 3 applies.
10.2.2 Clause 7 (the optional docking clause) is included.
10.2.3 Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of Subprocessors is available at https://articulate.com/trust/gdpr/subprocessors for Articulate 360 services and https://rise.com/gdpr/subprocessors for Rise services. If Articulate intends to add or replace a Subprocessor on that list, Articulate will notify Customers by updating the aforementioned list(s) at least thirty (30) days prior to the date that such Subprocessor is scheduled to begin Processing Personal Data.
10.2.4 Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
10.2.5 Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Ireland.
10.2.6 Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
10.2.7 Under Annex I(A) of the 2021 SCCs (List of parties):
10.2.7.1 The exporter is you. The exporter’s contact information for Articulate to use is as set forth in the Agreement. The exporter’s contact information for Data Subjects to use is set forth in its privacy policy, as are the identity and contact details of the exporter’s data protection officer (if any) and representative in the European Union (if any).
10.2.7.2 The exporter’s activity as relevant to the data transferred under these Clauses is its use of the relevant Services.
10.2.7.3 The importer is Articulate. The importer’s mailing address is set forth in the Agreement, and its email address is privacy@articulate.com, subject to an update by Articulate of those addresses in accordance with the Agreement.
10.2.7.4 The importer’s activity as relevant to the data transferred under these Clauses is its provision of the relevant Services.
10.2.7.5 When the Customer purchases the Services, the parties are deemed to be signing Annex I(A) of the 2021 SCCs.
10.2.8 For any particular Services, the details for Annex I(B) of the 2021 SCCs (Description of transfer) are set forth in Attachment 1 of the DPA.
10.2.9 Under Annex I(C) of the 2021 SCCs (Competent supervisory authority), the parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
10.2.10 Annex II of the 2021 SCCs (Technical and organizational measures) is set forth in Attachment 2 of this DPA.
10.2.11 Annex III of the 2021 SCCs (List of subprocessors) is inapplicable.
10.3 To the extent legally required under UK Data Protection Law, the UK SCC Addendum forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCC Addendum. Undefined capitalized terms used in this Section 10.3 shall have the definitions set forth in the UK SCC Addendum. For purposes of the UK SCC Addendum:
10.3.1 Table 1 of the UK SCC Addendum: the Parties are you and Articulate, with contact details as set forth in Section 10.2.7 of this DPA.
10.3.2 Table 2 of the UK SCC Addendum: the Approved Standard Contractual Clauses are the Standard Contractual Clauses as set forth in Section 10.2 of this DPA.
10.3.3 Table 3 of the UK SCC Addendum:
10.3.3.1 Annex 1A: as set forth in Section 10.2.7 of this DPA.
10.3.3.2 Annex 1B: as set forth in Attachment 1 of this DPA.
10.3.3.3 Annex II: as set forth in Attachment 2 of this DPA.
10.3.3.4 Annex III: not applicable.
10.3.4 Table 4 of the UK SCC Addendum: neither party has the termination right set forth in Section 19 of the UK SCC Addendum.
10.3.5 By entering into this DPA, the parties are deemed to be signing the UK SCC Addendum.
10.4 For transfers of Personal Data that are subject to the Swiss Federal Act on Data Protection (“FADP”), the 2021 SCCs form part of this DPA as set forth in Section 10.2 of this DPA, but with the following differences to the extent required by the FADP:
10.4.1 References to the GDPR in the 2021 SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
10.4.2 The term “member state” in the 2021 SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the 2021 SCCs.
10.4.3 References to personal data in the 2021 SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
10.4.4 Under Annex I(C) of the 2021 SCCs (Competent supervisory authority):
10.4.4.1 Where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
10.4.4.2 Where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in Section 10.2.9 of this DPA insofar as the transfer is governed by the GDPR.
11. Audits
11.1 Upon your written request, Articulate will make available to you all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, as follows:
11.1.1 If the requested audit scope is addressed in an audit report issued by a third-party auditor within the prior twelve (12) months and Articulate provides such report to you and confirms that there are no known material changes in the controls audited, you agree to accept the findings presented in the report in lieu of requesting an audit of the same controls covered by the report. The report is Confidential Information of Articulate.
11.1.2 If not covered by such report, Articulate will provide a written description of its compliance measures for this DPA. This is Confidential Information of Articulate.
11.1.3 You agree to exercise any right you may have to conduct an audit or inspection, including under the Standard Contractual Clauses, if they apply, by instructing Articulate to provide the report and/or information described above. If you wish to change this instruction regarding the audit, you may request a change to this instruction by sending Articulate written notice as provided for in the Agreement. Such additional support may be available and would require mutual agreement on fees you would be charged, audit scope, the scope of Articulate’s involvement, and any other terms that the parties deem appropriate.
11.1.4 Customer must provide Articulate with sixty (60) days’ written notice before conducting an audit, and such audits may occur no more than once during twelve (12) months. Customer may only conduct audits during Articulate’s normal business hours and must minimize business disruption to Articulate.
11.1.5 To the extent legally permissible, and to the extent that audits interrupt the normal course of Articulate’s business, you will reimburse Articulate for any time expended for audit-related assistance at the rates mutually agreed upon by the parties.
11.1.6 Nothing in this DPA will require Articulate to disclose or make available:
11.1.6.1 any data of any other customer of Articulate;
11.1.6.2 access to systems;
11.1.6.3 Articulate’s accounting or financial information;
11.1.6.4 any trade secret of Articulate;
11.1.6.5 any information or access that, in Articulate’s reasonable opinion, could (A) compromise the security of Articulate systems or premises; or (B) cause Articulate to breach its obligations under Applicable Law or applicable contracts; or
11.1.6.6 any information sought for any reason other than the good faith fulfillment of your obligations under Applicable Law to audit compliance under this DPA.
11.1.7 You will promptly notify Articulate of, and provide information about, any actual or suspected non-compliance discovered during an audit.
12. Return or Destruction
12.1 Articulate will, at your choice, return to you and/or destroy all Personal Data upon your request or six months after the termination or expiration of your use of the relevant Service except to the extent Applicable Law requires storage of the Personal Data. The certification of deletion required by the Standard Contractual Clauses (if they apply) will be provided only on written request.
12.2 Nothing will oblige Articulate to delete Personal Data from files created for security, backup and business continuity purposes sooner than required by Articulate’s reasonable data retention processes.
13. General
13.1 Assignment. This DPA shall inure to the benefit of, and be binding upon, any successor to all or substantially all of the business and assets of either party, whether by merger, sale of assets, or other agreements or operation of law.
13.2 Counterparts; Facsimile Signatures. This DPA may be executed in multiple counterparts, each of which, when executed and delivered, shall be deemed an original, but all of which shall constitute one and the same instrument. Any signature page of any such counterpart, or any facsimile transmission thereof, may be attached or appended to any other counterpart to complete a fully executed counterpart of this DPA, and any facsimile transmission of any signature of a party shall be deemed an original and shall bind such party.
13.3 Order of Precedence. With respect to the rights and obligations of the parties vis-à-vis each other, in the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will control. In the event of a conflict between the terms of this DPA and the Standard Contractual Clauses, the terms of the Standard Contractual Clauses will control.
13.4 Liability. To the extent legally permitted, this DPA is subject to the limitations of liability clause in the Agreement.
13.5 Miscellaneous. This DPA constitutes the entire understanding of the parties with respect to the subject matter of this DPA and merges all prior communications, understandings, and agreements. This DPA may be modified only by a written agreement signed by the parties. The failure of either party to enforce at any time any of the provisions hereof shall not be a waiver of such provision, or any other provision, or of the right of such party thereafter to enforce any provision hereof. If any provision of this DPA is declared invalid or unenforceable, such provision shall be deemed modified to the extent necessary and possible to render it valid and enforceable. In any event, the unenforceability or invalidity of any provision shall not affect any other provision of this DPA, and this DPA shall continue in full force and effect, and be construed and enforced, as if such provision had not been included, or had been modified as above provided, as the case may be.
Attachment 1: Details of Processing
Subject Matter, Nature and Purpose of Processing, and details of processing operations: Provision of the Services pursuant to the Agreement.
Term/Duration of Processing: As set forth in the Agreement and/or any applicable Price Quote, Customer order, or Statement of Work.
Categories of Data Subjects: The Personal Data transferred may concern current and prospective employees of the exporter and its contractors, and other third parties, as determined by the exporter.
Categories of Data
For Articulate 360 and Rise:
Special Categories of Data (if any): Not applicable.
Applied safeguards and restrictions specific to any special categories of data: Not applicable. In any case, the same high standard of protection described in Attachment 2 to the DPA applies to this and other categories of Personal Data.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Continuous for as long as necessary to provide the Services pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The lesser of six (6) months, as long as needed to provide the Services pursuant to the Agreement, or as long as required by Applicable Law.
Attachment 2: Technical and Organizational Measures
Articulate (the data importer) implements the following technical and organizational security measures.
1. Pseudonymisation and encryption: Personal data is encrypted at rest on our servers using industry standards (e.g., AES 256-bit), and key management is managed by Articulate’s hosting environment provider, Amazon Web Services (AWS).
2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Articulate uses an intrusion detection system to analyze, detect, and report network events and other alert situations, and engages third-party partner(s) to conduct security and application assessments. Articulate also uses Amazon Web Services (AWS) as its hosting provider, which provides redundancies (e.g., across three (3) or more physically isolated and resource-independent availability zones).
3. Disaster recovery and business continuity measures (restoring the availability of and access to personal data in the event of a physical or technical incident): Articulate has a disaster recovery policy and related procedures which provide that Articulate, in the event of a disaster, will rebuild its infrastructure to restore services as quickly as possible, with an RTO of 72 hours and an RPO of 24 hours.
4. Testing, assessment, and evaluation of security measures: Articulate has an incident response policy that is tested at least annually, or whenever there is a material change to our security.
5. User identification and authorization: Articulate 360 services do not store user credentials; instead, they rely on a third-party single sign-on service that implements tested and industry-accepted identity protocols to authenticate users, including encryption at rest using a minimum of AES-256 cryptographic strength.
6. Protection of data during transmission: Confidential data is encrypted in transit using, at a minimum, the Transport Layer Security (TLS) protocol, version 1.2.
7. Protection of data during storage: Confidential data is encrypted at rest on our servers using the Advanced Encryption Standard (AES) 256-bit industry standard. Key management is managed by Articulate’s hosting environment provider, AWS.
8. Physical security of locations at which personal data are processed: Articulate is a fully distributed company, meaning we do not have physical offices. We host Articulate services on AWS servers. AWS data centers are state-of-the-art, using innovative architectural and engineering approaches, are housed in nondescript facilities, and physical access is strictly controlled both at the perimeter and at building ingress points (e.g., professional security staff, video surveillance).
9. Events logging: Articulate uses SIEM solutions in alignment with defined standards for log centralization and alerting functionalities, and AWS CloudWatch and AWS CloudTrail to track all changes in infrastructure.
10. System configuration, including default configuration: Articulate codifies all infrastructure changes in version control and uses industry best practices for safely and securely applying these changes to Articulate services.
11. Internal IT and IT security governance and management: Articulate employees sign confidentiality agreements and complete security training upon hire, and security training continues annually thereafter. Articulate has policies and procedures on proper data protection, management, retention, and deletion. Articulate also uses state-of-the-art antivirus and mobile device management software on all Articulate workstations, monitors vendor and third-party sources for updated vulnerability information, distributes pertinent patch information promptly, and requires that the workstations of all Engineering team members and others who have access to AWS (our host) servers be encrypted at rest.
12. Certification/assurance of processes and products: Articulate undergoes an annual SOC 2 Type 2 audit conducted by a third party and holds ISO 27001 and ISO 27701 certifications. Employees are required to complete security awareness training upon hire and annually thereafter to understand their obligations and responsibilities in complying with corporate policies that are designed to protect customer data.
13. Data minimization: Articulate collects only the personal data necessary to provide services to customers and grants access to personal data only if necessary to enable human resources to perform their jobs. Articulate also periodically reviews access privileges and removes privileges within 24 hours of a person being terminated from Articulate. Further, personal data is retained and securely destroyed in accordance with Articulate’s data retention policies (or earlier upon customer request), so long as there is no legal requirement to retain such data.
14. Data quality: Articulate services validate user input and HTTP parameters.
15. Limited data retention: Articulate has retention policies that require regular deletion of personal data. Articulate performs daily backups as part of our disaster recovery process; backup data is archived for approximately 60 days and then automatically overwritten.
16. Accountability: Articulate has implemented a privacy program, appointed a Data Privacy Officer, implemented privacy policies and practices (including on incident response), and conducts employee trainings at least annually.
17. Data portability and erasure: Articulate abides by the processes set forth in its Data Processing Agreement for responding to customer requests for a copy, correction, or deletion of their end users’ personal data.
18. For transfers to (sub-)processors: specific technical and organizational measures to be taken by the (sub-)processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter: The exporter’s administrators and/or users can use self-service features in the Services for accessing, deleting, or correcting data about end users. All other relevant assistance would be provided through the customer support team.