Instructure : Audit Committee Charter

committee of more than three public companies (including the Company's Audit Committee).

Appointment/Term/Removal: The members of the Audit Committee shall be appointed by the Board based on recommendations from the Compensation and Nominating Committee. The members of the Audit Committee shall serve for such term or terms as the Board may determine or until earlier resignation or death. The Board may remove any member from the Audit Committee at any time with or without cause.

STRUCTURE AND OPERATIONS

Leadership: The Board shall designate a member of the Audit Committee as the chairperson based on recommendations of the Compensation and Nominating Committee.

Meetings: The Audit Committee shall meet at least quarterly at such times and places as it deems necessary to fulfill its responsibilities. The agenda and materials for Audit Committee meetings will be prepared by the Audit Committee chairperson in consultation with the other Audit Committee members, the Chief Financial Officer, the Head of Internal Audit, Chief Information Security Officer (the "CISO") and the independent auditor, as applicable. The Audit Committee shall keep minutes of its proceedings and report regularly to the Board regarding its discussions and actions and shall make recommendations to the Board as appropriate. The Audit Committee is governed by the same rules regarding meetings (including meetings in person or by telephone or other similar communications equipment), action without meetings, notice, waiver of notice, and quorum and voting requirements as are applicable to the Board.

The Audit Committee may invite any members of management or the internal auditors or representatives of the Company's independent auditor to its meetings as it deems appropriate. However, the Audit Committee shall meet regularly without such individuals present.

The CISO and Chief Legal Officer (the "CLO") shall act as management liaison to the Audit Committee with respect to oversight of cybersecurity and data protection and shall work with the Audit Committee chairperson to include related topics on the agenda for regularly scheduled meetings. The CISO shall provide the Audit Committee a monthly report summarizing key security metrics, top risks and threats to the Company, incident management and response, product security, and status of key security initiatives.

Onboarding / Education: The Company will provide new members of the Audit Committee with appropriate onboarding briefings, and the full Audit Committee with educational resources and opportunities related to accounting principles and procedures, current accounting topics pertinent to the Company and other matters as may be appropriate or requested by the Audit Committee.

Outside Advisors: The Audit Committee shall have the authority, in its sole discretion, to retain and terminate an independent auditor, outside legal counsel and such other advisors as it deems necessary to fulfill its duties and responsibilities under this Charter. However, the Audit Committee shall not be required to implement or act consistently with the advice or recommendations of the independent auditor, outside legal counsel or other advisor, and the authority granted in this Charter shall not affect the ability or obligation of the Audit Committee to exercise its own judgment in fulfillment of its duties under this Charter. The Audit Committee shall set the compensation and retention terms and oversee the work of the independent auditor, outside legal counsel or any other advisors. Any communications between the Audit Committee

3

and its outside legal counsel will be privileged communications.

Funding: The Audit Committee shall receive appropriate funding from the Company, as determined by the Audit Committee in its capacity as a committee of the Board, for the payment of compensation to any independent auditor, outside legal counsel and any other advisors, and the ordinary administrative expenses of the Audit Committee that are necessary or appropriate in carrying out its duties.

Delegation of Authority: The Audit Committee shall have the authority to delegate any of its responsibilities, along with the authority to take action in relation to such responsibilities, to one or more subcommittees as the Audit Committee may deem appropriate in its sole discretion, provided that decisions of such subcommittees to grant pre-approvals shall be presented to the full Audit Committee at its next scheduled meeting.

Books and Records: The Audit Committee will have access to the Company's books, records, facilities and personnel.

DUTIES AND RESPONSIBILITIES

The Audit Committee shall have the following authority and responsibilities:

1. Auditor Appointment: To (1) appoint, retain or replace an independent registered public accounting firm to act as the Company's independent auditor for the purpose of auditing the Company's annual financial statements, books, records, accounts and internal controls over financial reporting or performing other audit, review or attest services for the Company, (2) set the compensation of the Company's independent auditor, (3) approve all audit engagement fees and terms, (4) oversee the work done by the Company's independent auditor, and (5) terminate the Company's independent auditor, if necessary. The independent auditor shall report directly to the Audit Committee.
2. Pre-Approval: To pre-approve all audit and permitted non-audit and tax services that may be provided by the Company's independent auditor, and establish policies and procedures for the Audit Committee's pre-approval of permitted services in compliance with applicable SEC rules and review such pre-approval policies at least quarterly.
3. Audit: To review and discuss with the Company's independent auditor (1) the auditor's responsibilities under generally accepted auditing standards and the responsibilities of management in the audit process, (2) the overall audit strategy, planning and staffing, (3) the scope and timing of the annual audit, (4) any significant risks identified during the independent auditor's risk assessment procedures and (5) when completed, the results, including significant findings, of the annual audit.
4. Audit Problems: To review and discuss with the Company's independent auditor and management (1) any audit problems or difficulties, including difficulties encountered by the Company's independent auditor or internal audit department during their audit work (such as restrictions on the scope of their activities or their access of information), (2) any significant disagreements with management and (3) management's response to these problems, difficulties or disagreements; and to resolve any disagreements between the Company's independent auditor or internal audit department and management.

4

1. Critical Audit Matters: To engage in a dialogue with the independent auditor to understand the nature of each identified critical audit matter, the auditor's basis for identifying a matter as a critical audit matter and how each such identified matter will be described in the auditor's report.
2. Internal Audit: To review, discuss with the Company's independent auditor, and approve the functions of the Company's internal audit department, including its role, purpose, authority, organization, responsibilities, budget and staffing; and to review the scope and performance of the department's internal audit plan, including the results of any internal audits, any reports to management and management's response to those reports or internal audit department; and to review and approve the hiring, dismissal, evaluation and compensation of the Head of Internal Audit.
3. Internal Controls: To review with management, internal audit, and the Company's independent auditor the adequacy and effectiveness of the Company's internal control over financial reporting and disclosure controls and procedures, including any significant deficiencies, material weaknesses or other major issues in the design or operation of, and any material changes in, the Company's controls and any special audit steps adopted in light of any material control deficiencies, and any fraud involving management or other employees with a significant role in such internal controls, and review and discuss with management and the Company's independent auditor disclosure relating to the Company's controls, management's and the independent auditor's report on the effectiveness of the Company's internal control over financial reporting and the required management certifications to be included in or attached as exhibits to the Company's annual report on Form 10-K or quarterly report on Form 10-Q, as applicable.
4. Risk Oversight:To review and discuss with management the risks faced by the Company and the policies, guidelines and process by which management assesses and manages the Company's risks, including the Company's directors' and officers' insurance policies (and the procurement and adequacy thereof), major financial risk exposures and cybersecurity risks (as discussed in greater detail below) and the steps management has taken to monitor and control such exposures.
5. Cybersecurity and Data Protection: To review and discuss with management the following matters with respect to cybersecurity and data protection:
6. • the effectiveness of the Company's cybersecurity programs and its practices for identifying, assessing, and mitigating cybersecurity risks across the Company's products, services, and business operations;
   • the Company's controls, policies and guidelines to prevent, detect, and respond to cybersecurity incidents or threats involving the Company's products, services, and business operations;
   • the Company's security strategy and technology planning processes;
   • the safeguards used to protect the confidentiality, integrity, availability and resiliency of the Company's products, services, and business operations;
   • the Company's cybersecurity crisis preparedness, security breach and incident response plans, communication plans, and disaster recovery and business continuity

5

capabilities, including those in place to comply with the Company's disclosure obligations to customers, regulators or other parties;

1. • the Company's compliance with applicable information security and data protection laws and industry standards;
   • the Company's cybersecurity budget, investments, training, and staffing levels to ensure they are sufficient to sustain and advance successful cybersecurity and industry compliance programs;
   • the threat landscape facing the Company and the Company's products, services, and business operations;
   • any new or updated legal implications of security, data privacy, and/or other regulatory or compliance risks to the Company or the Company's products, services, and business operations; and
   • other matters as the chairperson or other members of the Audit Committee determine relevant to the Committee's oversight of cybersecurity programs and risk assessment and management.
2. Annual Financials: To review and discuss with the Company's independent auditor and management the Company's annual audited financial statements (including the related notes), the form of audit opinion to be issued by the independent auditor on the financial statements and the disclosure under "Management's Discussion and Analysis of Financial Condition and Results of Operations" to be included in the Company's annual report on Form 10-K before the Form 10-K is filed. The Audit Committee shall recommend to the Board whether the audited financial statements should be included in the Company's annual report on Form 10- K.
3. Quarterly Financials: To review and discuss with the Company's independent auditor and management the Company's quarterly financial statements (including the related notes) and the disclosure under "Management's Discussion and Analysis of Financial Condition and Results of Operations" to be included in the Company's quarterly report on Form 10-Q before the Form 10-Q is filed.
4. Earnings Releases: To review and discuss with management and the Company's independent
   auditor: (1) the Company's earnings press releases, including the type of information to be included and its presentation and the use of any pro forma, adjusted or other financial information that is not in conformity with generally accepted accounting principles ("GAAP"); and (2) any financial information and earnings guidance provided to analysts and ratings agencies, including the type of information to be disclosed and type of presentation to be made. Such discussions may be general (consisting of discussing the types of information to be disclosed and the types of presentations to be made), provided that each earnings release or each instance in which the Company provides earnings guidance need not be discussed in advance.
5. Financial Statements Issues: To review with management and the Company's independent
   auditor: (1) any major issues regarding accounting principles and financial statement presentations, including any significant changes in the Company's selection or application of accounting principles; (2) analyses prepared by management setting forth significant financial

6

reporting issues and judgments made in connection with the preparation of the Company's financial statements, including analyses of the effects of alternative GAAP methods on the Company's financial statements; (3) the effect of regulatory and accounting initiatives, as well as off-balance sheet structures, on the Company's financial statements; (4) consideration of the judgment of both management and the independent auditor about the quality, not just the acceptability, of accounting principles; and (5) the completeness and clarity of the disclosures in the financial statements.

1. Auditor National Office: To discuss with the independent auditor material issues on which the national office of the independent auditor was consulted by the Company's audit team.
2. Auditor Communications: To review and discuss with the Company's independent auditor (1) all critical accounting policies and practices to be used; (2) all alternative treatments of financial information within GAAP that have been discussed with management, the ramifications of the use of such alternative treatments and the treatment preferred by the independent auditor; and (3) other material written communications between the independent auditor and management, such as any management letter or schedule of unadjusted differences.
3. Quality Control/Independence Report: At least annually, to obtain and review a report by the Company's independent auditor that describes (1) the independent auditor's internal quality control procedures, (2) any material issues raised by the most recent internal quality control review, peer review or Public Company Accounting Oversight Board review or inspection of the firm or by any other inquiry or investigation by governmental or professional authorities in the past five years regarding one or more audits carried out by the independent auditor and any steps taken to deal with any such issues, and (3) all relationships between the independent auditor and the Company or any of its subsidiaries in order to assess the independent auditor's independence.
4. Audit Committee Report: To produce the audit committee report required to be included in the Company's proxy statement, and review the disclosure in the Company's proxy statement regarding the Audit Committee.
5. Auditor Evaluation: At least annually, to evaluate the qualifications, performance and independence of the Company's independent auditor, including an evaluation of the lead audit partner, and taking into account the opinions of management and the internal auditor.
6. Auditor Rotation: To assure the regular rotation of the lead audit partner at the Company's independent auditor as required by law; and to consider regular rotation of the accounting firm serving as the Company's independent auditor. The Audit Committee shall present its conclusions with respect to the independent auditor to the Board.
7. Hiring Former Auditors: To set Company hiring policies for employees or former employees of the Company's independent auditor.
8. Code of Ethics: To monitor compliance with the Company's Code of Ethics (the "Code"), to investigate any alleged breach or violation of the Code, and to enforce the provisions of the Code.

7

1. Related Party Transactions: To review, approve and oversee any transaction between the Company and any related person (as defined in Item 404 of Regulation S-K) on an ongoing basis, in accordance with Company policies and procedures; to keep the Company's independent auditor informed of the Audit Committee's understanding of the Company's relationships and transactions with related parties that are significant to the Company and whether any of the Audit Committee has concerns regarding relationships or transactions with related persons and, if so, the substance of those concerns; and to review and discuss with the Company's independent auditor the independent auditor's evaluation of the Company's identification of, accounting for, and disclosure of its relationships and transactions with related parties, including any significant matters arising from the audit regarding the Company's relationships and transactions with related parties.
2. Legal Compliance: To review, with the CLO and outside legal counsel, legal and regulatory matters relating to the Company and its subsidiaries that could have a significant impact on the Company's financial statements; to review the Company's compliance with applicable laws and regulations; and to review and oversee the Company's policies, procedures and programs designed to promote and monitor legal and regulatory compliance and sustainability.
3. Whistleblowers: To establish and oversee procedures for the receipt, retention and treatment of complaints received by the Company regarding accounting, internal accounting controls or auditing matters and the confidential, anonymous submission by Company employees of concerns regarding questionable accounting or auditing matters.
4. Tax Planning: Review with management the Company's policies and processes for tax planning and compliance.
5. Audit Committee Performance Evaluation: To conduct an annual evaluation of the performance of its duties under this Charter and to present the results of the evaluation to the Board. The Audit Committee shall conduct this evaluation in such manner as it deems appropriate.
6. Audit Committee Charter Review: To review this Charter at least annually and recommend any proposed changes to the Board for approval.

8