Data Processing Addendum to Canva Master Subscription Agreement
The Canva Data Processing Addendum (DPA) outlines the terms under which Canva acts as a data processor for its customers' (controllers') personal data. It complies with GDPR and other data protection laws, detailing processing instructions, security measures, sub-processor management, data breach notifications, audits, international transfers via Standard Contractual Clauses (SCCs), and data return/deletion obligations. It emphasizes Canva's role in processing data only on documented instructions, maintaining confidentiality, and ensuring sub-processors provide equivalent protections.
Canva uses approved sub-processors such as AWS, Google Cloud, and Zendesk; Canva must give notice of changes, and customers may object.
Relies on SCCs and adequacy decisions for data transfers outside the EEA; no Binding Corporate Rules (BCRs) are mentioned.
Audit rights are limited to reasonable requests; Canva may charge fees for excessive audits.
Implements technical and organizational measures including encryption, access controls, and regular audits.
Notifies controllers without undue delay upon becoming aware of a breach.
Deletes or returns customer data at the end of services, except for backup copies that are retained briefly.
Spotify collects the following categories of personal data. High Risk categories are used for advertising profiling or involve sensitive personal information.
Includes personal data uploaded to designs, user profiles, and collaboration info.
Logs for service improvement, limited to necessary metrics.
Your data serves the following purposes. Mandatory purposes cannot be disabled without canceling the service. Opt-out available purposes allow some user control.
Canva processes personal data only on documented instructions from the controller (customer).
Data used solely to provide Canva's design and collaboration services.
Spotify shares data with several categories of third parties. Sharing with advertising partners is extensive and represents the primary commercial use of your behavioral data.
Sub-processors such as AWS for hosting and Intercom for support; the full list is available.
Google Analytics for usage stats; opt-out possible via objection.
Limited sharing within Canva group for operational needs.
The following rights may be available to you depending on your region. EU/EEA users have the broadest protections under GDPR. Non-EU users have more limited guarantees.
Customer (controller) handles data subject rights requests; Canva assists reasonably.
Customer directs export; Canva supports formats compatible with services.
Data is retained for different periods depending on category, and security disclosures vary in depth. The policy highlights the following retention and transparency points.
Retention Periods
All customer data deleted within 30 days after service end, except legal retention.
Encrypted backups retained up to 90 days for recovery purposes.
Aggregated analytics are retained indefinitely, with identifiers removed.
Security & Transparency
Data at rest and in transit encrypted using AES-256 and TLS 1.2+.
Incident response plan with controller notification within 48 hours.
ISO 27001, SOC 2 Type II compliant; regular penetration testing.
Role-based access, multi-factor authentication enforced.
Source Text
Canva maintains a list of subprocessors and notifies of changes; customers may object.
Interpretation
Transparent, but the customer must actively monitor the list and object to changes.
Source Text
Appendix 2 incorporates SCCs for transfers.
Interpretation
Standard protection, but it relies on evolving EU adequacy decisions.
Source Text
Detailed security measures are required under Annex 2.
Interpretation
Robust commitments exceeding basic requirements.
Source Text
Customer audit rights upon reasonable notice.
Interpretation
Balanced with cost recovery for Canva.
Source Text
Processor assists controller in fulfilling rights requests.
Interpretation
An appropriate division of responsibilities between controller and processor.
Canva acts as a data processor, processing personal data only on your (controller's) instructions.