AICPA's Trust Service Principles and Criteria (SOC)
The Instructure Security Packages are a collection of industry-standard papers, questionnaires, and certifications that cover Amazon Web Services, Instructure as a company, and each of our products. These packages address the majority of questions we receive from customers.
Instructure’s platform (and associated data) is hosted in the cloud by Instructure and delivered over the internet through the world's most trusted and secure public cloud provider, Amazon Web Services (AWS). Data is stored in a customer’s region.
Yes, all customer data is encrypted both in transit and at rest using industry-standard encryption and data protection.
User passwords are salted and hashed, and never stored in the application infrastructure. Rather, passwords are stored using a combination of a random, user-specific salt value and one-way hash algorithm. Incoming credentials are passed through the same procedure and compared against the hashed and salted stored value.
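The salt-and-hash procedure described above can be sketched as follows. This is an added example, not Instructure's code: the page does not name the hash algorithm, so PBKDF2-HMAC-SHA256, the iteration count, the record format, and the function names are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed parameters for this sketch; the page does not name an algorithm.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way derivation applied to stored and incoming passwords alike."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str) -> str:
    """Return a storable record: algorithm$iterations$salt$hash."""
    salt = secrets.token_bytes(SALT_BYTES)  # random, user-specific salt
    digest = _derive(password, salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(candidate: str, record: str) -> bool:
    """Re-run the same procedure on the incoming credential and compare."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        computed = _derive(candidate, salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(computed, expected)
```

Because each record carries its own random salt, two users with the same password end up with different stored values, and the plaintext password never appears in the record.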
Yes. Both customers and prospective customers can view some of our audit reports. For more information on the audits and assessments we undertake, please see our Compliance page. Our SOC 3 reports are available in our product Security Packages (where available). These can be downloaded from our Resources page. SOC 2 reports require a signed NDA and can be requested. If you are an existing customer, please reach out to your designated Customer Success Manager (CSM) or Regional Director to request the appropriate SOC 2 report. If you are a prospective customer, please email us at info@instructure.com.
Yes, we support customers undertaking their own testing under certain conditions. Please reach out to your designated Customer Success Manager (CSM) or Regional Director to make a request.