In general, organizations use a variety of means to obtain the required level of security assurance prior to purchasing anything. We not only have a robust, comprehensive security program, but also have the supporting security assurance documentation to demonstrate the level of security organizations are looking for.
Instructure’s information security program effectively and continually identifies, assesses, mitigates, and monitors security risks that might impact the integrity, confidentiality, and security of customer data. We recognize the level of trust customers place in Instructure’s ability to handle data, and are committed to ensuring the secure handling of these data elements continually--from the initial moment these data elements are entrusted to us to the point these data elements are securely destroyed upon customer request or end of contract. Our security program is based on, and conforms with, ISO 27001. It is audited annually by a reputable third party to confirm the design and operation of security, availability, confidentiality, processing integrity, and privacy controls, producing a SOC 2 Type 2 report prepared using both SSAE 18 and ISAE 3402 reporting standards.
Internationally, Instructure also maintains compliance with and obtains on an annual basis a Cyber Essentials Plus certificate, evidencing our data and privacy commitments are congruent with the security requirements set forth by the UK Government. In addition to these, Instructure maintains compliance with GDPR, evidencing our standards, processes, and agreements are aligned with those set forth by the EU, and maintains FERPA-compliance, evidencing our standards align with those set forth by the US Government. Instructure also holds German Trusted Cloud status, evidencing our standards align with those instantiated by the government of Germany.
Furthermore, Instructure is the only LMS provider to openly publish--annually--the results of its ongoing, third-party security penetration tests (made available here). Instructure partners with Bugcrowd to conduct these continual testing exercises, and hosts an active bug bounty program that provides financial incentives to qualified researchers and ethical hackers who discover valid issues. Instructure is the only LMS provider that does this in this way. Read more about this in a previous blog post here.
Additionally, we recognize that organizations carry the same level of demand for due diligence of fourth and fifth parties as they do for third parties. We realize that, together, we’re only as strong as the weakest link in the chain of service providers. Conscious of this, we engage services from only those that meet (or exceed) Instructure’s high security bar.
One key third party used by Instructure is Amazon Web Services. Instructure products are hosted on Amazon Web Services--considered the most security compliance “decorated” and proven-secure cloud service provider available today (see list of security compliance certifications here). As one of the benefits of utilizing AWS cloud infrastructure, Instructure builds upon a cloud service provider that has (among so many others) the following security certifications:
- SOC 1 and SOC 2 Type 2, SOC 3
- ISO 27001, 27017, 27018
- PCI-DSS Level 1 Service Provider
We hope this helps outline how we think about security--specifically how we help our customers reach the assurance they require to trust us and to use our amazing products. Thousands of organizations have vetted us so far, and have concluded that we’re meeting their standards. This is just another way we demonstrate our commitment to taking the security of your data seriously.