Frequently Asked Questions about Subprocessor Notification regarding PING 

What is the use case for Ping?

• They provide identity management services. They will provide a unified login functionality for all services.  More information about Ping
  • Ping Identity Corporation Privacy Policy
  • Ping Security
  • Ping Address: 1001 17th Street, Suite 100, Denver, CO 802020

What products will this affect? 

• This will apply to all Canvas & Catalog services starting in the Summer of 2025. It will be used for Impact, Studio, Learn Platform, and Mastery Connect in 2026.

What personal data will be collected? 

• Ping will process the end-user ID, name, email, login credentials (hashed password), external IDs, organization (e.g., end-users’ school), identity access management, and technical information. 

Where are the hosting regions? 

• Hosting regions are located in Australia, Canada, Germany, Singapore and USA. The hosting region for each customer will be the region closest to the Canvas hosting location.

Will Ping need to be added to our DPA (Data Processing Addendum)?

• The subprocessor notice we send is a notification to customers per our standard DPA. If you have any questions regarding the DPA, please contact your Customer Success Manager.

Does the vendor have a stated data retention policy?

• Yes. Their data retention policy is 30 days for both logs and backups.  See more info here:Tenant environments | PingOne Advanced Identity Cloud Docs

Does the vendor provide methods to have data permanently deleted, either through customer action or request?

• Yes, Instructure can ask the vendor to delete data before the standard retention (currently 30 days)

When will this effect take place?

• Changes will be rolled out by region, beginning in June 2025

What data safeguards does Ping have to protect the shared data?

• Instructure has reviewed Ping’s security program in accordance with Instructure’s Vendor Risk Management Program.

Ping is not listed in the Data Privacy Framework database. What transfer mechanisms are in place? 

• Data is hosted in the customer’s region. By contract, Ping is not permitted to transfer data from the region without Instructure’s written consent.