Trust Center

Instructure Trust Center


Security is built into the fabric of our cloud platform, infrastructure, and processes, so you can rest assured that your data is safeguarded.

Enterprise Security

Instructure has implemented a robust enterprise information security program that operates on a continuous PDCA (Plan-Do-Check-Act) cycle. This program is based on Information Security Standards.

Canvas app icon

Information Technology

Instructure maintains both a Network Security Policy and an IT Acceptable Use Policy which outline procedures, processes and policies for all endpoints on both production and corporate networks. These policies are evaluated against both SOC 2 and ISO 27001 standards. Company and employee devices are secure, encrypted, tracked, and have mandatory 2FA applied.



Instructure recognizes that people are our first line of defense. This begins by creating foundational awareness wherein all Instructure personnel are required to complete Instructure's Compliance, Privacy, and Security Awareness Training upon hire, as per our employment terms and conditions, and annually thereafter. The content of this training includes all relevant areas of security (online, mobile, physical, 2FA, etc.), privacy, and compliance requirements for each employee - including our policies. Furthermore, Instructure conducts continuous awareness campaigns to ensure employees are informed of our constantly changing threat landscape and that they are equipped and empowered to identify and report security risks. In addition, employees are subjected to simulated phishing campaigns on a regular basis.

Computer icon
CEO icon


At Instructure, we prioritize safety and security in our workforce.

As part of our rigorous hiring process, we conduct comprehensive criminal background checks on all employees and contractors. The results of these checks play a crucial role in determining employment eligibility.


Platform Security

Instructure’s platform (and associated data) is hosted in the cloud by Instructure and delivered over the internet through Amazon Web Services (AWS).

Cloud Security Top of Mind

The Instructure Learning Platform is hosted on Amazon Web Services (AWS) with cloud security top of mind. This includes conforming with AWS’ well-architected framework, implementation of control plane hardening standards and benchmarks, and continuous workload monitoring.

Instructure’s products are designed to make full use of AWS’ security tools and services including AWS WAF, Shield, GuardDuty, Security Groups, KMS, and more. Cloud infrastructure configuration is stored securely with a ‘Infrastructure as code’ approach.

Amazon Web Services (AWS) holds a variety of formal accreditations including ISO 27001, FedRAMP, and SOC 1/2/3, among others.

Laptop icon

Protected by a Comprehensive Access Control Framework

​​The Instructure Learning Platform is protected by a comprehensive access control framework. Access to the platform is secured by authentication, authorization, and 2FA (where applied). Access to the cloud infrastructure is protected by a comprehensive access control framework with multiple layers, including VPN, 2FA, SSH, and digital certificates. Access to our systems is granted based on principle of least privilege and need to know and supported by regular user access reviews and auditing processes.

Arrow in clouds icon

Data Protection

All data is encrypted in transit. Inbound and outbound traffic is encrypted using TLS 1.2 or higher.

All data is stored at rest within encrypted volumes.

Data is replicated in real-time for your protection.

Places icon
Overhead view of Canvas on tablet

Application Security

Secure Development

All code goes through a developer peer-review process before it is merged into the code base repository. The code review includes security auditing based on the Open Web Application Security Project (OWASP) secure coding and code review documents (including the OWASP Top Ten) and other community sources on best security practices.

Security Testing

We place great importance on security testing. We want our code to run as smoothly as possible for our customers, and that's why we take extreme care to implement both preventative and detective mechanisms throughout the SDLC, with an integrated QA process to the design, development, and maintenance of our products. The bottom line for our customers: all code changes run through our full QA test suite before they can be accepted into the relevant product to ensure secure code, consistent performance, and a great all-round experience.

Vulnerability Disclosure Program

Instructure highly values the security research community's engagement and involvement in contributing to the enhancement of the security of our products and services. To facilitate and optimize this endeavor, we have established a responsible vulnerability disclosure policy and a private bug bounty program. Before conducting any form of security research on Instructure's products and services, please thoroughly review Instructure's Vulnerability Disclosure policy.

If you are interested in participating in our ongoing private Bug Bounty Program, please contact and provide your Bugcrowd username.

Should you wish to report a security vulnerability or defect, please utilize our Responsible Disclosure Form.

Security Monitoring

​​As a fully hosted SaaS solution, the Instructure Learning Platform is actively monitored by Instructure's Operations and Security teams on behalf of all customers. Included in Instructure’s comprehensive hosting services, Instructure continually monitors system usage, performance, health, and security. Our Ops team uses a combination of internal and external industry-standard monitoring and alerting systems as well as custom alerting systems to ensure maximum coverage. Any incident alerts triggered are sent to the appropriate teams via PagerDuty.


Logging & Detection Capabilities

By utilizing the extensive protections and safeguards of the AWS cloud infrastructure, Instructure provides robust and considerable network and security monitoring to protect our customers and detect potential threats before they have a chance to have any impact. Some detection safeguards include leveraging services such as AWS GuardDuty to alert and inform on security incidents occurring against Instructure’s services hosted in AWS. All output is sent to Instructure's centralized logging management system for further analysis and alert generation.

Front view of software code on a monitor

Get the Support You Need