Instructure Trust Center
Security
Security is built into the fabric of our cloud platform, infrastructure, and processes, so you can rest assured that your data is safeguarded.
Enterprise Security
Instructure has implemented a robust enterprise information security program that operates on a continuous PDCA (Plan-Do-Check-Act) cycle. This program is based on Information Security Standards.
Information Technology
Instructure maintains both a Network Security Policy and an IT Acceptable Use Policy which outline procedures, processes and policies for all endpoints on both production and corporate networks. These policies are evaluated against both SOC 2 and ISO 27001 standards. Company and employee devices are secure, encrypted, tracked, and have mandatory 2FA applied.
Awareness
Instructure recognizes that people are our first line of defense. This begins by creating foundational awareness wherein all Instructure personnel are required to complete Instructure's Compliance, Privacy, and Security Awareness Training upon hire, as per our employment terms and conditions, and annually thereafter. The content of this training includes all relevant areas of security (online, mobile, physical, 2FA, etc.), privacy, and compliance requirements for each employee - including our policies. Furthermore, Instructure conducts continuous awareness campaigns to ensure employees are informed of our constantly changing threat landscape and that they are equipped and empowered to identify and report security risks. In addition, employees are subjected to simulated phishing campaigns on a regular basis.
Hiring
At Instructure, we prioritize safety and security in our workforce.
As part of our rigorous hiring process, we conduct comprehensive criminal background checks on all employees and contractors. The results of these checks play a crucial role in determining employment eligibility.
Platform Security
Instructure’s platform (and associated data) is hosted in the cloud by Instructure and delivered over the internet through Amazon Web Services (AWS).
Cloud Security Top of Mind
The Instructure Learning Platform is hosted on Amazon Web Services (AWS) with cloud security top of mind. This includes conforming with AWS’ well-architected framework, implementation of control plane hardening standards and benchmarks, and continuous workload monitoring.
Instructure’s products are designed to make full use of AWS’ security tools and services including AWS WAF, Shield, GuardDuty, Security Groups, KMS, and more. Cloud infrastructure configuration is stored securely with an ‘Infrastructure as code’ approach.
Amazon Web Services (AWS) holds a variety of formal accreditations including ISO 27001, FedRAMP, and SOC 1/2/3, among others.
Protected by a Comprehensive Access Control Framework
The Instructure Learning Platform is protected by a comprehensive access control framework. Access to the platform is secured by authentication, authorization, and 2FA (where applied). Access to the cloud infrastructure is protected by a comprehensive access control framework with multiple layers, including VPN, 2FA, SSH, and digital certificates. Access to our systems is granted based on the principle of least privilege and need to know, and is supported by regular user access reviews and auditing processes.
Data Protection
All data is encrypted in transit. Inbound and outbound traffic is encrypted using TLS 1.2 or higher.
All data is stored at rest within encrypted volumes.
Data is replicated in real-time for your protection.
Application Security
Secure Development
All code goes through a developer peer-review process before it is merged into the code base repository. The code review includes security auditing based on the Open Web Application Security Project (OWASP) secure coding and code review documents (including the OWASP Top Ten) and other community sources on best security practices.
Security Testing
We place great importance on security testing. We want our code to run as smoothly as possible for our customers, and that's why we take extreme care to implement both preventative and detective mechanisms throughout the SDLC, with a QA process integrated into the design, development, and maintenance of our products. The bottom line for our customers: all code changes run through our full QA test suite before they can be accepted into the relevant product to ensure secure code, consistent performance, and a great all-round experience.
Bug Bounty - Security Researcher Community Participation
Our Ongoing Bounty Program is a supplemental program to application assessments and/or penetration testing. The program is run by Bugcrowd, who leverage a crowd of security researchers. This increases the probability of discovering esoteric issues that automated testing cannot find and that traditional vulnerability assessments may miss in any given testing period.
For anyone interested in joining our bug bounty program as a security researcher, please contact security@instructure.com with your Bugcrowd username and we will be pleased to add you to the research team.
Security Monitoring
As a fully hosted SaaS solution, the Instructure Learning Platform is actively monitored by Instructure's Operations and Security teams on behalf of all customers. As part of its comprehensive hosting services, Instructure continually monitors system usage, performance, health, and security. Our Ops team uses a combination of internal and external industry-standard monitoring and alerting systems as well as custom alerting systems to ensure maximum coverage. Any incident alerts triggered are sent to the appropriate teams via PagerDuty.
Logging & Detection Capabilities
By utilizing the extensive protections and safeguards of the AWS cloud infrastructure, Instructure provides robust and considerable network and security monitoring to protect our customers and detect potential threats before they have a chance to have any impact. Some detection safeguards include leveraging services such as AWS GuardDuty to alert and inform on security incidents occurring against Instructure’s services hosted in AWS. All output is sent to Instructure's centralized logging management system for further analysis and alert generation.