Latest update: November 19, 2022

At LTIAAS, we take privacy and security very seriously. For information about our customer's privacy, please read our Privacy Policy. This page, on the other hand, explains the great lengths that LTIAAS has taken to ensure the privacy and security of the users that use the API hosted by LTIAAS on behalf of our customers. i.e. the teachers and students doing LTI launches through an instance of the LTIAAS API hosted on LTIAAS servers.

Security Highlights

At LTIAAS we take pride in the following:

  1. We don't store personal information if we don't have to: As part of the LTI launch process, an LMS must share user credentials with us. In some cases this is non-identifiable information, but for some LMSs this is a users name and email address. After we receive this information, we only store it for 24 hours, long enough to ensure the user stays connected between the LMS and LTI tool. When LMS administrators are registering an LTI Tool, they can specify the security level of integration and what information gets sent through LTIAAS. The job of choosing what user information gets temporarily stored by LTIAAS is delegated to the institution when registering an LTI Tool. This allows for fine control as to what data gets exposed through LTIAAS.
  2. We don't track: LTIAAS does not use tracking cookies or and other logging mechanisms to track specific users on our website or services. We only store a single metric, which is the total number of monthly users (anonymized), for billing purposes.
  3. All data is encrypted: in transit via SSL/HTTPS and when it is stored via AES-256 encrypted drives. We require both LMSs and LTI tools that use LTIAAS to use SSL/HTTPS as well.
  4. We have policies in place to ensure the privacy of user data: Only our customers have access to their personal API Keys. LTIAAS employees don't have direct access to live user data on our servers. We don't store passwords to our servers and we require 2-factor authenticators to access any system in LTIAAS.
  5. Our servers and PCs are constantly monitored: by industry leading intrusion detection and virus scanning software. All LTIAAS production software is scanned for potential vulnerabilities before being deployed. We don't deploy any software with known security issues.
  6. We don't audit our customers: While LTIAAS takes privacy and security seriously, we don't audit our customers to understand their privacy and security practices. It is up to our customers and their users to audit our customer's compliance.

Third-Party Vendor List

At LTIAAS, we rely on few third-party vendors to help provide our services. The table below outlines these vendors and their relationship to our customer's data. When necessary, LTIAAS enters into Data Processing Agreements that restrict what these vendors may use data for.

VendorHosted LTIAAS ServiceAccess to Learning DataNotes
Google CloudxxGoogle Cloud is a SOC-2 certified cloud hosting provider that hosts all of LTIAAS's cloud infrastructure. They are given access to authenticate our customers and allow them to access their API management portals. There are strict contractual limits on what Google Cloud can do with LTIAAS data.
Amazon Web ServicesxAmazon Web Services (AWS) is a SOC-2 certified cloud hosting provider. LTIAAS uses one product called 'API Gateway'. AWS does not store any customer or learning data, it only proxies SSL encrypted data through the gateway and on to the Google Cloud Servers. The API Gateway product enables more enhanced security such as rate-limiting, multi-site availability, and Web Application Firewall.
GitLabxGitLab is our software code repository of choice. Unlike GitHub (what some of our competitors use), GitLab's contractual agreement with LTIAAS prohibits them from accessing and using LTIAAS repository data. GitLab does not process any customer or learning data.
StripexStripe is our payment processing provider. Stripe is given access a non-identifiable customer ID number, customer coarse location (Country/State), and payment method. No other personal information is shared with Stripe. Stripe does not process any learning data.
Google WorkspacexLTIAAS uses Google Workspace for email (Gmail), chat (Google Meet), and office products (Google Docs, etc.). Google does not process LTIAAS customer learning data, but they do process email about or customers as needed by LTIAAS to do regular business.


LTIAAS uses Google Cloud to host our API services. Below is a simplified architectural diagram of our infrastructure resources and data flow.

Compliance Documents

Information Security Management Programdownload
Comprehensive IT Security Policydownload
Comprehensive Security Policydownload
Vendor Management Policydownload
Disaster Recovery Planavailable under NDA
Software Development Lifecycledownload
CAIQ-Lite Questionnairedownload
CAIQ v3.1 Full Questionnairedownload
HECVAT Fulldownload

Contacting Us

If there are any questions regarding LTIAAS privacy and security compliance, you may contact us using the information below.