Frequently Asked Questions about Subprocessor Notification regarding PING
What is the use case for Ping?
- Ping provides identity management services. It will provide unified login functionality for all services.
What products will this affect?
- This will apply to all Canvas & Catalog services starting in the Summer of 2025. It will be used for Impact, Studio, Learn Platform, and Mastery Connect in 2026.
What personal data will be collected?
- Ping will process the end-user ID, name, email, login credentials (hashed password), external IDs, organization (e.g., end-user’s school), identity access management, and technical information.
Where are the hosting regions?
- Data will be hosted in the region where the customer is located: Australia, Canada, Germany, Singapore, or the USA.
Will Ping need to be added to our DPA (Data Processing Addendum)?
- The subprocessor notice we send is a notification to customers per our standard DPA. If you have any questions regarding the DPA, please contact your Customer Success Manager.
Does the vendor have a stated data retention policy?
- Yes. Their data retention policy is 30 days for both logs and backups.
- Read more information about Tenant environments at PingOne.
Does the vendor provide methods to have data permanently deleted, either through customer action or request?
- Yes. Instructure can ask the vendor to delete data before the standard retention period (currently 30 days) ends.
When will this take effect?
- Changes will be rolled out by region, beginning in June 2025.
What data safeguards does Ping have to protect the shared data?
- Instructure has reviewed Ping’s security program in accordance with Instructure’s Vendor Risk Management Program.
Ping is not listed in the Data Privacy Framework database. What transfer mechanisms are in place?
- Data is hosted in the customer’s region. By contract, Ping is not permitted to transfer data from the region without Instructure’s written consent.