Privacy FAQs for Institutions & Educators
What is Canvas and who is Instructure?
Canvas is a cloud-based Internet accessible learning management system used by your institution to facilitate positive learning outcomes. Canvas is provided by Instructure Inc., (“Instructure”) as a service provider to your institution. Canvas is used by instructors, educators, staff, administrators, parents, and students (collectively “users”) to provide and engage with e-learning courses and related content. Instructure only collects data as necessary to ensure the functionality and usability of Canvas.
What Data does Canvas collect?
Canvas processes different types of data as described below. All of these data types are collectively referred to as “data”.
Personal data is generally defined as information related to an identified or identifiable person. By using Canvas, personal data from a user is processed and stored by Canvas. Canvas only processes personal data to the extent necessary for the provision of user content and the operations of Canvas. Canvas receives personal data directly from the institution’s student information system, or administrative user, or users directly. Personal data elements in Canvas may contain names, email addresses, student identification numbers, and user roles (e.g., student).
Canvas also allows users to enter optional information such as phone numbers, gender, personal pronouns, avatar photos, descriptive information, or links to social media. This information is voluntary and may be changed or deleted by the user at any time.
Institutional data is also processed by Canvas. This may include enrollments, administrators, course, assignments, assessments, institution URL, institution specific settings, SIS integrations, institutional Wiki, and calendars.
When participating in courses or using Canvas, users may submit exercises, assignments, tests, course materials, or learning modules (collectively “user content”). User content is stored in Canvas and may only be viewed, updated, or deleted by the submitting students, instructors, course administrators, or administrator users from the institution. Instructure is not able to directly delete, modify, or update user content except as directed by the institution. Instructure does acquire any ownership rights in user content.
When using Canvas, transactional system data is generated and stored in the database. By participating in courses, groups, tests, assignments, forums, blogs, etc., an assignment between a user’s internal ID and the internal object or reference ID of the respective object in Canvas is created. This data is stored in the Canvas database. System data also includes data generated by Canvas such as log files. System data is recorded for system technical and system analytics purposes.
One of those analytics purposes is to determine what Canvas features and functions are being used, or preferred by users. In this example, Canvas uses certain cookies to collect analytic and session data for users, but this does not contain personal data.
Canvas generates system log files for error reporting if an internal error occurs while processing data. Log files are only used by Canvas and Instructure to solve technical issues and are deleted regularly. The collection of log files is necessary for the operation of Canvas.
How does Instructure and Canvas use the data?
Who else has access to the data?
Instructure only uses data to provide Canvas to the institution, administrators, students, parents, and educators.
- Instructure does not sell Canvas data to third-parties, even in anonymized or aggregated form.
- Instructure does not use Canvas data to advertise to students, parents, or educators.
- Instructure does not share personal data or user content with other companies that do not have permission to see or access the data as described in the contract between Instructure and the institution.
Data is accessible to the applicable institution, teachers, and administrators based on user roles established by the institution. Profile data and personal data are accessible by the institutional administrators and educators.
Instructure uses certain companies to help us provide underlying services to operate Canvas. These companies operate as service providers, or sub-processors to Instructure. Canvas is hosted on Instructure’s servers at Amazon Web Services (AWS). However, AWS does not have direct access to an institution’s data. For a full list of Instructure’s underlying service providers please email [email protected].
What about other tools that are connected through Canvas?
Institutional administrators may choose to connect their Canvas to other services or external tools, such as a Student Information System or a video conferencing system, in order to support teaching and learning. In these cases, the setup of the tool or service may require the exchange of some information with Canvas.
For example, an English department may connect a document annotation tool to Canvas using the LTI standard. This tool would then be available to all teachers and students, who might need to let this tool receive a limited amount of student information in order to work properly.
These tools or services will have their own privacy policies for schools, teachers, or students that don't involve Canvas. With most tools, users will be able to review or change the permissions that they give these tools from within Canvas.
Cookies in Canvas
A cookie is a small data file that is sent to a user’s browser when the user visits a website. Cookies can last only for the duration of a session (session cookies) or for several days, months, or years (persistent cookies). Cookies are browser specific which means that the cookie is attached to and stored in a specific browser. Cookies are used by Canvas for functional and analytical purposes. Canvas uses two types of cookies – functional cookies and analytic cookies.
Functional cookies are necessary and used to identify a user across page views without requiring the user to authenticate themselves for each page. These cookies are set when a user first logs into Canvas and remains in place until the user logs off Canvas or closes their browser.
Analytics cookies are used by Instructure to improve the software, detect fraud, and troubleshoot problems that may arise in Canvas. Canvas uses Google Analytics to collect system analytic data, for example, what pages and objects are clicked by the user during a session, or the time spent on a certain page (“analytics data”). The analytics data collected by Google Analytics is anonymized and not used to identify any individual user. Google stores the analytics data for Instructure.
How can institutions and individuals access the data?
Whether to enable home-grown solutions or just to satisfy curiosity, Instructure believes that institutions and individuals should have access to data. Canvas therefore provides institutions, administrators, and users with secure data access, scoped to a user's permissions, in the following ways, at no extra cost:
- Large-scale data from their entire Canvas instance via Canvas Data Service
- Live streaming of important data elements via Canvas Live Events
- On-demand data from most tools and features via the Canvas Open API
- On-demand reports using Canvas Reports
How can data be deleted from Canvas?
Instructure will delete an institution’s data from Canvas upon request by the institution, or after termination of the applicable agreement between Instructure and the institution. User administrators at the institution can delete user accounts in Canvas whenever needed. Instructure will delete a user account and associated data upon request from that user if Instructure is permitted to by the governing institution. Users can request individual deletion by submitting a help desk ticket in Canvas, or by contacting your institution directly.
If you have any questions, please reach out to [email protected].