Compliance

Latest update: October 8, 2021

At LTIAAS, we take privacy and security very seriously. For information about our customers' privacy, please read our Privacy Policy. This page, on the other hand, explains the great lengths that LTIAAS has gone to in order to ensure the privacy and security of the users of the API hosted by LTIAAS on behalf of our customers, i.e., the teachers and students doing LTI launches through an instance of the LTIAAS API hosted on LTIAAS servers.

Security Highlights

At LTIAAS we take pride in the following:

  1. We don't store personal information if we don't have to: As part of the LTI launch process, an LMS must share user credentials with us. In some cases this is non-identifiable information, but for some LMSs this is a user's name and email address. After we receive this information, we only store it for 24 hours, long enough to ensure the user stays connected between the LMS and LTI tool. When LMS administrators are registering an LTI Tool, they can specify the security level of integration and what information gets sent through LTIAAS. The job of choosing what user information gets temporarily stored by LTIAAS is delegated to the institution when registering an LTI Tool. This allows for fine control as to what data gets exposed through LTIAAS.
  2. We don't track: LTIAAS does not use tracking cookies or any other logging mechanisms to track specific users on our website or services. We only store a single metric, which is the total number of monthly users (anonymized), for billing purposes.
  3. All data is encrypted: in transit via SSL/HTTPS and when it is stored via AES-256 encrypted drives. We require both LMSs and LTI tools that use LTIAAS to use SSL/HTTPS as well.
  4. We have policies in place to ensure the privacy of user data: Only our customers have access to their personal API Keys. LTIAAS employees don't have direct access to live user data on our servers. We don't store passwords to our servers and require 2-factor authenticators to access any system in LTIAAS.
  5. Our servers and PCs are constantly monitored: by industry-leading intrusion detection and virus scanning software. All LTIAAS production software is scanned for potential vulnerabilities before being deployed. We don't deploy any software with known security issues.
  6. We don't audit our customers: While LTIAAS takes privacy and security seriously, we don't audit our customers to understand their privacy and security practices. It is up to our customers and their users to audit our customers' compliance.

Third-Party Vendor List

At LTIAAS, we rely on few third-party vendors to help provide our services. The table below outlines these vendors and their relationship to our customers' data. When necessary, LTIAAS enters into Data Processing Agreements that restrict what these vendors may use data for.

VendorHosted LTIAAS ServiceAccess to Learning DataNotes
Digital OceanxxDigital Ocean is a SOC-2 certified cloud hosting provider that hosts all of LTIAAS's cloud infrastructure. While their infrastructure has full access to data transferred through and stored at LTIAAS.com, there are strict contractual limits on what Digital Ocean can do with that data.
Google CloudxGoogle Cloud is a SOC-2 certified cloud hosting provider that hosts https://portal.ltiaas.com. They are given access to authenticate our customers and allow them to access their API management portals. No learning information is stored on Google's servers, just customer authentication information such as email address and LTIAAS account number.
New RelicxNew Relic is a log aggregator and security event management platform that LTIAAS subscribes to. We transfer all system logs to New Relic. These logs contain information like requests made to our system, IP address, and name of resource requested. No learning data is accessible to New Relic. This service enables an extra layer of security to LTIAAS by automatically detecting suspicious events like failed logins and unexpected state changes.
GitLabxGitLab is our software code repository of choice. Unlike GitHub (what some of our competitors use), GitLab's contractual agreement with LTIAAS prohibits them from accessing and using LTIAAS repository data. GitLab does not process any customer or learning data.
StripexStripe is our payment processing provider. Stripe is given access to a non-identifiable customer ID number, customer coarse location (Country/State), and payment method. No other personal information is shared with Stripe. Stripe does not process any learning data.
Google WorkspacexLTIAAS uses Google Workspace for email (Gmail), chat (Google Meet), and office products (Google Docs, etc.). Google does not process LTIAAS customer learning data, but they do process email about our customers as needed by LTIAAS to do regular business.

Diagrams

LTIAAS uses Digital Ocean to host our customer API instances. Below is a simplified architectural diagram of our infrastructure resources and data flow.

Compliance Documents

Document | Link
Information Security Management Program | download
Comprehensive IT Security Policy | download
Comprehensive Security Policy | download
Vendor Management Policy | download
Disaster Recovery Plan | available under NDA
Software Development Lifecycle | download
CAIQ-Lite Questionnaire | download
CAIQ v3.1 Full Questionnaire | download
HECVAT Full | download

Contacting Us

If there are any questions regarding LTIAAS privacy and security compliance, you may contact us using the information below.

  • ltiaas.com
  • support@ltiaas.com