Instructure, Inc. (and our subsidiaries) may on occasion receive a request from a law enforcement or other government agency seeking access to data belonging to a customer. This policy explains the process that we follow if we receive such a request.

Our goal is always to protect your data, while complying with applicable laws.

Transparency of our privacy practices is paramount at Instructure. Unless prohibited by law, Instructure always notifies a customer when we receive a legally binding and valid request for a customer’s data, including a government request. We notify an affected customer of that request or any direct access to customer data by a law enforcement or other government agency, unless we are explicitly prohibited from doing so by law

We believe our customers should have as much control as possible over their data. Instructure is not the owner of our customers’ data, and we strongly believe that any government agency seeking access to our customer’s data should address its request directly with that customer. Accordingly, if we receive a government request for customer data, unless prohibited by law, we try to refer the request to the affected customer so that the customer can work with the government agency directly to respond.

We do not disclose customer data to government agencies unless compelled to do so by law. We will challenge requests we deem unlawful. We review each government request for customer data on a case-by-case basis and only comply if the request is legally binding and valid. When reviewing the lawfulness of a government request, we take into account all applicable laws, including the laws of other jurisdictions. We require government agencies to follow the required legal process under applicable laws, such as issuing their request via a subpoena, court order, or search warrant. Where we believe a government request for our customer’s data is invalid or unlawful, we try to challenge it. If we are required to disclose customer data to government agencies, we ensure the transfer is necessary and proportionate and provide the minimum amount of information possible, based on a reasonable interpretation of the request.

If prohibited by law from notifying the affected customer, we try to get that legal restriction waived.

If we receive a government agency request for data, and we are prohibited by law from notifying our customer, we use best efforts to request that the confidentiality requirement be waived in order for us to notify the appropriate data protection authorities. We keep a record of the actions we have taken to waive any applicable confidentiality requirements.