Your one-stop-shop for information regarding Pluralsight's terms of service, data privacy, and policies.


Customer Data Processing Agreement (Controller:Processor)

Effective Date: July 1, 2022

I. Introduction

The undersigned, Pluralsight, LLC for and on behalf of itself and its Affiliates, (collectively, “Pluralsight”) and [Legal entity name of data exporter] for and on behalf of itself and its Affiliates (collectively, “Customer”) agree to the terms of this Data Protection Addendum (“DPA”) which sets forth their obligations with respect to the processing and security of Customer Data in connection with the Products provided by Pluralsight to Customer, (collectively, the “Parties”) in conjunction with the terms and conditions entered into between the Parties for the Products. Such terms and conditions and any other terms set out by Pluralsight in conjunction with the Products, including without limitation Pluralsight’s Terms of Use, Sales Orders and terms for professional services, shall be collectively referred to as the “Agreements.” The DPA is deemed incorporated by reference into the Agreements. The provision of third party products and services made available to Customer via the Platform are governed by separate terms provided to Customer, including different privacy and security terms as provided by such third party.

For the purpose of this DPA and compliance with the GDPR, the Parties agree to enter into the Standard Contractual Clauses issued by the EU Commission on June 4, 2021. Where applicable, and as set out in Addendum 1, for transfers of Personal Data from a Customer established in the EEA, or Switzerland, as a data controller, to a Pluralsight entity established in a country outside the EEA, or Switzerland, as a data processor, the Parties agree to enter into the Controller to Processor SCCs. The Controller to Processor SCCs will only apply to Personal Data that is transferred outside the EEA, or Switzerland, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data.

For purposes of this DPA and compliance with the UK GDPR, the Parties agree to enter into the IDTA issued by the UK Information Commissioner's Office on March 21, 2022, as set out in Addendum II. The IDTA will only apply to Personal Data that is transferred outside the UK, either directly or via onward transfer, to any country not recognized by the UK as providing an adequate level of protection for personal data.

In the event of any conflict or inconsistency between the DPA Terms and any other terms in Customer’s Agreements, the DPA Terms shall prevail. The provisions of the DPA Terms supersede any conflicting provisions of the Pluralsight Privacy Notice that otherwise may apply to processing of Customer Data as defined herein. Where the SCCs and/or IDTA apply and as required by Clause 5 of the Controller to Processor SCCs, and Clauses 9 thru 11 of the IDTA, the Controller to Processor SCCs and IDTA prevail over any other term of the DPA Terms and terms of the Agreements.

II. Definitions

Capitalized terms used but not defined in this DPA will have the meanings provided in the Agreements. The following defined terms are used in this DPA:

“Affiliate” means, (i) in the case of Pluralsight, any entity controlled by Pluralsight, LLC, and (ii) in the case of Customer, any entity controlled by Customer. For purposes of the preceding sentence, “control” means the direct or indirect ownership of more than 50% of the voting interests of an entity.

“Controller to Processor SCCs” or (“SCCs”) means the set of Standard Contractual Clauses set out in Module II of the European Commission decision 2021/914, dated 4 June 2021 and set out in Addendum 1 of this DPA.

“Customer Data” means all data, including all text, sound, video, or image files related to Customer that are provided to Pluralsight by Customer through use of the Platform. Customer Data also includes Customer’s Personal Data that is Customer Data.

“Data Protection Requirements” means the GDPR, Local EU/EEA/Switzerland Data Protection Laws, the UK Data Protection Act 2018, the UK GDPR and any other applicable laws, regulations, and other legal requirements relating to privacy and data security, including any future legislation on data protection and security in the United Kingdom.

“DPA Terms” means the terms in this DPA.

“EEA” means the European Economic Area.

“EU” means the European Union.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

“IDTA” means the International Data Transfer Addendum set out in Addendum II of this DPA.

“Local EU/EEA/Switzerland Data Protection Laws” means any legislation and regulation implementing the GDPR.

“Non-Pluralsight Products” shall bear the meaning set forth in the Agreements and where not defined therein shall mean any third party products or services made available ancillary to the Products whether via the Platform or otherwise and are subject to the third party’s terms of use, DPA and privacy policy.

“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Platform” shall bear the meaning set forth in the Agreements and where not defined therein shall mean Pluralsight’s training platform with applications and features as more fully described in one or more Sales Orders.

“Product(s)” means the SaaS services and associated professional services provided in conjunction with the Platform excluding Non-Pluralsight Products and all on-prem applications.

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data. Security Incident also includes any personal data breach as defined by the GDPR. A Security Incident does not include any activity which does not result in unauthorized access to Customer Data including without limitation, denial of service and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful login attempts, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

“Standard Contractual Clauses” means the standard data protection clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and implemented by the European Commission decision 2021/914, dated 4 June 2021.

“Sub-processor” means other processors used by Pluralsight to process Customer Data, as described in Article 28 of the GDPR.

“UK GDPR” means the General Data Protection Regulation as incorporated into UK law by the UK Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, (each as amended, replaced, or superseded).

The terms “data importer” and “data exporter” have the meanings assigned in the Standard Contractual Clauses.

Lower case terms used but not defined in this DPA, such as “personal data breach”, “processing”, “controller”, “processor”, “profiling”, “personal data”, and “data subject” will have the same meaning as set forth in Article 4 of the GDPR, irrespective of whether the GDPR applies.

III. DPA Terms

A. Compliance with Laws

Pluralsight will comply with all laws and regulations applicable to its provision of the Products including security breach notification law, Data Protection Requirements and the SCCs. However, Pluralsight is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry that are not applicable to SaaS providers. Pluralsight does not determine whether Customer’s Data includes information subject to any such specific law or regulation.

Customer must comply with all laws and regulations applicable to its use of Products including laws related to biometric data, confidentiality of communications, Data Protection Requirements and the SCCs. Customer is responsible for determining whether the Products are appropriate for storage and processing of information subject to any specific law or regulation and for using the Products in a manner consistent with Customer’s legal and regulatory obligations. Customer is responsible for responding to any request from a third party regarding Customer’s use of Products.

B. Scope

The DPA Terms apply to all Products except as described in this section.

The DPA Terms will not apply to any Non-Pluralsight Product which is governed by the privacy and security terms in the applicable Non-Pluralsight Product-specific terms.

For clarity, the DPA Terms apply only to the processing of Personal Data in environments controlled by Pluralsight and Pluralsight’s Sub-processors. This includes Personal Data processed by Pluralsight when providing the Products but does not include Personal Data that remains on Customer's premises or in any Customer selected third party operating environments.

C. Limits on Updates

When Customer renews or purchases a new subscription to a Product, the then-current DPA Terms will apply and will not change during Customer’s subscription for that Product.

Notwithstanding the foregoing limits on updates, when Pluralsight introduces features, offerings, supplements or related Products that are new (i.e., that were not previously included with the Products), Pluralsight may provide terms or make updates to this DPA that apply to Customer’s use of those new features, offerings, supplements or related Products. If those terms include any material adverse changes to the DPA Terms, Pluralsight may provide Customer a choice to use the new features, offerings, supplements, or related Products, without loss of existing functionality of a generally available Product. If Customer does not install or use the new features, offerings, supplements, or related Products, the corresponding new terms will not apply.

E. Government Regulation and Requirements

Notwithstanding the foregoing limits on updates, Pluralsight may modify or terminate a Product in any country or jurisdiction where there is any current or future government requirement or obligation that (1) subjects Pluralsight to any regulation or requirement not generally applicable to businesses operating there, (2) presents a hardship for Pluralsight to continue offering the Product without modification, and/or (3) causes Pluralsight to believe the DPA Terms or the Product may conflict with any such requirement or obligation.

Pluralsight may amend the terms of this DPA where required to comply with Data Protection Requirements and to reflect any changes in the applicable Data Protection Requirements, so long as any such revisions continue to ensure the protection of Personal Data processed by Pluralsight in the course of providing the Products to Customer.

F. Electronic Notices

Pluralsight may provide Customer with information and notices about Products electronically, including via email, an RSS Feed, or through a web site that Pluralsight identifies. Notice is given as of the date it is made available by Pluralsight.

G. Nature of Data Processing; Ownership

Pluralsight will use and otherwise process Customer Data only as described and subject to the limitations provided below (a) to provide Customer the Products in accordance with Customer’s documented instructions, and (b) for business operations incident to providing the Products to Customer.

1. Processing to Provide Customer the Products and Services

For purposes of this DPA, “to provide” a Product consists of:

• Delivering functional capabilities as licensed, configured, and used by Customer and its users, including providing personalized user experiences;

• Troubleshooting (preventing, detecting, and repairing problems including Security Incidents);

• Ongoing improvement (installing the latest updates if and when available and making improvements to user productivity, reliability, efficacy, quality, and security); and

• Providing services ancillary to the Products.

2. Processing for Business Operations

For purposes of this DPA, “business operations” consist of the following, each as incident to delivery of the Products to Customer: (1) billing and account management; (2) compensation (e.g., calculating Pluralsight employee commissions and partner incentives); (3) internal reporting and business modeling (e.g., forecasting, revenue, capacity planning, product strategy); (4) combatting fraud and cybercrime; (5) improving functionality of the Products and the Customer experience; and (6) financial reporting and compliance with legal obligations (subject to the limitations on disclosure of Processed Data outlined below). Pluralsight will comply with its obligations, as an independent data controller, under the GDPR for such use.

H. Disclosure of Processed Data

Pluralsight will not disclose or provide access to any Processed Data except: (1) as Customer directs; (2) as described in this DPA; or (3) as required by law and in any event in accordance with clause 14 and 15 of the Controller to Processor SCCs. For purposes of this section, “Processed Data” means: Customer Data and any other data processed by Pluralsight in connection with the Products that is Customer’s confidential information under the Agreements. All processing of Processed Data is subject to Pluralsight’s obligation of confidentiality under the Agreements.

Pluralsight will not disclose or provide access to any Processed Data to law enforcement unless required by law. If law enforcement contacts Pluralsight with a demand for Processed Data, Pluralsight will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose or provide access to any Processed Data to law enforcement, Pluralsight will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so.

Upon receipt of any other third-party request for Processed Data, Pluralsight will promptly notify Customer unless prohibited by law. Pluralsight will reject the request unless required by law to comply. If the request is valid, Pluralsight will attempt to redirect the third party to request the data directly from Customer.

Pluralsight will not provide any third party: (a) direct, indirect, blanket, or unfettered access to Processed Data; (b) platform encryption keys used to secure Processed Data or the ability to break such encryption; or (c) access to Processed Data if Pluralsight is aware that the data is to be used for purposes other than those stated in the third party’s request.

In support of the above, Pluralsight may provide Customer’s basic contact information to the third party.

With respect to clause 15.1(c) of the Controller to Processor SCCs, if permitted by the laws of the country of destination, Pluralsight will provide to Customer, upon Customer’s written request, at regular intervals and in no event more than once in a twelve months’ period starting from the term of the applicable Agreement for its duration, as much relevant information as possible on the requests for disclosure received.

I. Processing of Personal Data; GDPR

All Personal Data processed by Pluralsight in connection with providing the Products is obtained as part of either Customer Data or data generated, derived or collected by Pluralsight or its Sub-processors, including data sent to Pluralsight as a result of Customer’s use of service-based capabilities. Pseudonymized identifiers may be included in data processed by Pluralsight in connection with providing the Products and are also Personal Data. Any Personal Data pseudonymized, or de-identified but not anonymized, or Personal Data derived from Personal Data is also Personal Data.

1. Processor and Controller Roles and Responsibilities

Customer and Pluralsight agree that Customer is the controller of Personal Data and Pluralsight is the processor of such data, except (a) when Customer acts as a processor of Personal Data, in which case Pluralsight is a Sub-processor. When Pluralsight acts as the processor or Sub-processor of Personal Data, it will process Personal Data only on documented instructions from Customer. Customer agrees that its Agreements (including the DPA Terms and any applicable updates), are Customer’s complete documented instructions to Pluralsight for the processing of Personal Data. Any additional or alternate instructions must be agreed to according to the process for amending Customer’s Agreements. In any instance where the GDPR applies and Customer is a processor, Customer warrants to Pluralsight that Customer’s instructions, including appointment of Pluralsight as a processor or Sub-processor, have been authorized by the relevant controller.

2. Data Subject Rights; Assistance with Requests

Pluralsight will make available to Customer, in a manner consistent with the functionality of the Products and Pluralsight’s role as a processor of Personal Data of data subjects, the ability to fulfill data subject requests to exercise their rights under the GDPR. If Pluralsight receives a request from Customer’s data subject to exercise one or more of its rights under the GDPR in connection with the Products for which Pluralsight is a data processor or Sub-processor, Pluralsight will promptly notify the Customer and redirect the data subject to make its request directly to Customer. Pluralsight will assist Customer in fulfilling its obligations to respond to data subjects’ requests by implementing technical and organizational measures set out in Annex II of Addendum I. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Products. Pluralsight shall comply with requests by Customer to assist with Customer’s response to such a data subject request where Customer is otherwise unable to leverage the functionality of the Products as a result of Pluralsight’s failure to make such functionality available.

3. Records of Processing Activities

To the extent the GDPR or any other Data Protection Requirements requires Pluralsight to collect and maintain records of certain information relating to Customer, Customer will, where requested, supply such information to Pluralsight and keep it accurate and up-to-date. Pluralsight may make any such information available to any supervisory or regulatory authority if required by the Data Protection Requirements.

J. Data Security

1. Security Practices and Policies

Pluralsight will implement and maintain appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored or otherwise processed. Those measures shall be set forth in a Pluralsight Security Policy. Pluralsight will make available to Customer information reasonably requested by Customer regarding Pluralsight security practices and policies.

2. Data Encryption

Customer Data in transit over public networks between Customer and Pluralsight, or between Pluralsight entities, is encrypted by default. Pluralsight also encrypts Customer Data stored at rest.

3. Data Access

Pluralsight employs least privilege access mechanisms to control access to Customer Data. Role-based access controls are employed to ensure that access to Customer Data is for an appropriate purpose and approved with management oversight. Pluralsight maintains Access Control mechanisms described in the table entitled “Security Measures” in Appendix A.

4. Customer Responsibilities

Customer is responsible for making an independent determination as to whether the technical and organizational measures for Products meet Customer’s requirements, including any of its security obligations under applicable Data Protection Requirements. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Personal Data as well as the risks to individuals) the security practices and policies implemented and maintained by Pluralsight provide a level of security appropriate to the risk with respect to its Personal Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls.

K. Auditing Compliance

Pluralsight will conduct audits of the security of the computers, computing environment, and physical data centers that it uses in processing Customer Data as follows:

• Where a standard or framework provides for audits, an audit of such control standard or framework will be initiated at least annually.

• Each audit will be performed according to the standards and rules of the regulatory or accreditation body for each applicable control standard or framework.

• Each audit will be performed by qualified, independent, third party security auditors at Pluralsight’s selection and expense.

Each audit will result in the generation of an audit report (“Pluralsight Audit Report”), which Pluralsight will make available upon written request. The Pluralsight Audit Report will be Pluralsight’s Confidential Information and will clearly disclose any material findings by the auditor. Pluralsight will promptly remediate issues raised in any Pluralsight Audit Report to the satisfaction of the auditor. If Customer requests, Pluralsight will provide Customer with each Pluralsight Audit Report. The Pluralsight Audit Report will be subject to non-disclosure and distribution limitations of Pluralsight and the auditor.

To the extent Customer’s audit requirements under the SCCs or Data Protection Requirements cannot reasonably be satisfied through audit reports, documentation or compliance information Pluralsight makes generally available to its customers, Pluralsight will promptly respond to Customer’s additional audit instructions. Before the commencement of an audit, Customer and Pluralsight will mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree will not permit Pluralsight to unreasonably delay performance of the audit. To the extent needed to perform the audit, Pluralsight will make the processing systems, facilities and supporting documentation relevant to the processing of Customer Data by Pluralsight, its Affiliates, and its Sub-processors available. Such an audit will be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to Pluralsight, and subject to reasonable confidentiality procedures. Neither Customer nor the auditor shall have access to any data from Pluralsight’s other customers or to Pluralsight systems or facilities not involved in providing the applicable Products. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Pluralsight expends for any such audit, in addition to the rates for services performed by Pluralsight. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall share such audit report with Pluralsight and Pluralsight shall promptly cure any material non-compliance.

L. Security Incident Notification

If Pluralsight becomes aware of a Security Incident regarding Customer Data while processed by Pluralsight in the context of providing the Products, Pluralsight will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident; and (4) comply with the requirements of clause 8.6 of the SCCs where applicable.

Notification(s) of Security Incidents will be delivered to Customer by any means Pluralsight selects, including via email. It is Customer’s sole responsibility to ensure Customer maintains accurate contact information with Pluralsight for each applicable Product. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident.

Pluralsight shall reasonably assist Customer in fulfilling Customer’s obligation under GDPR Article 33 or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.

Pluralsight’s notification of or response to a Security Incident under this section is not an acknowledgement by Pluralsight of any fault or liability with respect to the Security Incident.

Customer must notify Pluralsight promptly about any possible misuse of its accounts or authentication credentials or any security incident related to the Products at security@pluralsight.com.

M. Data Transfers

Customer Data that Pluralsight processes on Customer’s behalf may not be transferred to or stored and processed in a geographic location except in accordance with the DPA Terms and the safeguards provided below in this section. Taking into account such safeguards, Customer appoints Pluralsight to transfer Customer Data to the United States or any other country in which Pluralsight or its Sub-processors operate and to store and process Customer Data, and Personal Data to provide the Products, except as described elsewhere in the DPA Terms.

Transfers from Switzerland shall be governed by the SCCs pending any revision or replacement of the SCCs by the Swiss Federal Data Protection Authority. In the event of such revision or replacement, Pluralsight shall amend this DPA to reflect the updates as required to continue the transfers.

All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.

N. Data Retention and Deletion

At all times during the term of Customer’s Agreements, Customer will have the ability to access, extract and delete Customer Data stored in the Platform, subject to availability as set forth in the Agreements.

Pluralsight will return or destroy Customer Data upon the expiration or termination of any Agreement or at Customer’s instructions at any time, where such Customer Data is no longer required to be processed, in accordance with Data Protection Requirements.

The Platform may not support retention or extraction of data by third party software provided by Customer and Pluralsight has no liability for the deletion of Customer Data or Personal Data in this manner.

O. Notice and Controls on use of Sub-processors

Pluralsight may hire Sub-processors, including Pluralsight Affiliates, to provide certain limited or ancillary services on its behalf. Customer authorizes Pluralsight’s engagement of Sub-processors.

Where the Controller to Processor SCCs apply, the Parties agree to use “Option 2” in clause 9 of the Controller to Processor SCCs (i.e., Customer’s general written authorization for the engagement of Pluralsight’s Sub-processors). Pluralsight is responsible for its Sub-processors’ compliance with Pluralsight’s obligations in this DPA. Pluralsight makes available information about Sub-processors on Pluralsight’s website for Skills and Flow Products and A Cloud Guru's website https://legal.acloudguru.com/policies?name=platform-sub-processors for Cloud Products. When engaging any Sub-processor, Pluralsight will ensure via a written contract that the Sub-processor may access and use Customer Data only to deliver the services Pluralsight has retained them to provide and is prohibited from using Customer Data for any other purpose. Pluralsight will ensure that Sub-processors are bound by written agreements that provide for, in substance, the same data protection obligations as those binding Pluralsight under the SCCs where applicable. Pluralsight agrees to oversee the Sub-processors to ensure that these contractual obligations are met.

From time to time, Pluralsight may engage new Sub-processors. Pluralsight will give Customer notice (by updating the website or providing Customer with a mechanism to obtain notice of that update) of any new Sub-processor at least thirty (30) days in advance of engaging that new Sub-processor. If Pluralsight engages a new Sub-processor for a new Product that processes Customer Data, Pluralsight will give Customer notice prior to availability of that Product.

If Customer does not reasonably approve of a new Sub-processor, then Customer may terminate any subscription for the affected Product without penalty or termination fee by providing, before the end of the relevant notice period, written notice of termination. Customer may also include an explanation of the grounds for non-approval together with the termination notice, in order to permit Pluralsight to re-evaluate any such new Sub-processor based on the applicable concerns. After termination, Pluralsight will remove payment obligations for any subscriptions or other applicable unpaid services for the terminated Products or Services from subsequent invoices to Customer or its reseller.

P. Limitation of liability

Except as regards towards data subjects and as otherwise provided by the Data Protection Requirements, either Party’s liability to the other shall be as set forth in the applicable Agreements.

Q. California Consumer Privacy Act (CCPA)

If Pluralsight is processing Personal Data within the scope of the CCPA, Pluralsight makes the following additional commitments to Customer. Pluralsight will process Customer Data on behalf of Customer and not retain, use, or disclose that data for any purpose other than for the purposes set out in the DPA Terms and as permitted under the CCPA, including under any “sale” exemption. In no event will Pluralsight sell any such data. These CCPA terms do not limit or reduce any data protection commitments Pluralsight makes to Customer in the DPA Terms or other Agreements between Pluralsight and Customer.

R. How to Contact Pluralsight

If Customer has any questions, please contact Pluralsight at the following mailing address:

Pluralsight, LLC, 42 Future Way, Draper, UT 84020. Attn. Legal

Email: contract-notices@pluralsight.com

Whereas the Parties’ authorized signatories have duly executed this DPA:

<<Customer Name>>

Signature:

Name:

Title:

Date:

Pluralsight, LLC

Signature:

Name:

Title:

Date: