Instructure Trust Center
Instructure Security
We built security into the fabric of our cloud platform, infrastructure, and processes, and we’ll continue to reassess our security posture to keep our products available and safe for use, so you can rest assured your data is safeguarded.
For information related to the security incident, please visit https://www.instructure.com/incident_update.
Information Security Management System
The Information Security Management System (ISMS) is designed to provide a structured approach to protecting information, ensuring its confidentiality, integrity, availability, and privacy while helping Instructure comply with legal, regulatory, and contractual obligations, ensuring alignment with ISO/IEC 27001:2022.
Key Areas Supporting the Information Security Management System
Instructure assesses and treats risks, including methodologies, risk criteria, and the process for identifying, evaluating, and mitigating risks to acceptable levels.
Establishes controls to manage access to information and systems, ensuring that access is restricted to authorized users based on their roles and responsibilities.*
Manages daily operations securely, such as malware protection, backups, logging, monitoring, and secure configuration of systems.
Protects the security of communications, including network security management, secure transfer of information, and protection against unauthorized access.
Addresses security considerations for employee lifecycle management, including screening, onboarding, training, and termination of staff to minimize insider threats.
Requires security logs and monitoring activities to detect and respond to unauthorized actions or security breaches.
Integrates security into the software development lifecycle, including secure coding, vulnerability scanning, and secure deployment practices.
Protects against malware threats, including anti-malware software, regular updates, and user awareness training.
Defines acceptable and prohibited behaviors for using the organization’s information systems, ensuring users are aware of their responsibilities in maintaining security.
Instructure's Compliance, Privacy, and Security Awareness Training is provided upon hire, as per our employment terms and conditions, and annually thereafter to ensure that all employees and contractors understand their role in protecting information.
*Further, any Instructure employee accessing a customer instance has to provide a logged reason for that specific instance and re-authenticate through Okta when performing any sensitive operations. On the account permissions level, we have restricted administrative access to trusted locations only and added rate limits to block automated attempts by unauthorized actors to identify valid accounts. We have also locked down sensitive admin functions and tightened API access controls so that internal tools can only use internal APIs and third-party integrations are restricted by geographic location and network rules.
Platform Security
Cloud Security Top of Mind
The Instructure learning platform is hosted on Amazon Web Services (AWS) with security top of mind. This includes conforming with AWS’ well-architected framework, implementation of control plane hardening standards and benchmarks, and continuous workload monitoring.
Instructure’s products are designed to make full use of AWS’ security tools and services. Amazon Web Services (AWS) holds a variety of formal accreditations including ISO 27001, FedRAMP, and SOC 1/2/3, among others. Customer data sits in separate databases, and, in many cases, on separate application servers.
Vulnerability Disclosure Program
Instructure highly values the security research community's engagement and involvement in contributing to the enhancement of the security of our products and services. To facilitate and optimize this endeavor, we have established a responsible vulnerability disclosure policy and a private bug bounty program. Before conducting any form of security research on Instructure's products and services, please thoroughly review Instructure's Vulnerability Disclosure policy.
If you are interested in participating in our ongoing private Bug Bounty Program, please contact security@instructure.com and provide your Bugcrowd username.
Should you wish to report a security vulnerability or defect, please utilize our Responsible Disclosure Form.