Instructure Strengthens Commitment to a Secure, Trusted Learning Experience with Renewal of ISO 27001, SOC 2 Type II, and PCI DSS 4.0.1 Certifications

Reinforces Instructure's dedication to safeguarding data, protecting learning environments and supporting institutions with a secure-by-design ecosystem

SALT LAKE CITY - December 9, 2025 - Instructure, the world's leading edtech ecosystem and maker of Canvas Learning Management System (LMS), today announced the successful renewal of several globally recognized security and compliance certifications across its portfolio, including ISO 27001, SOC 2 Type II and PCI DSS 4.0.1 Attestation of Compliance. These renewals underscore Instructure's unwavering commitment to providing a safe, secure and trusted learning experience for institutions, educators and learners worldwide.

Instructure's comprehensive certification program spans key solutions across the Instructure learning ecosystem, including Canvas (with Studio, Catalog and Intelligent Insights), Elevate Data Sync, Elevate Standards Alignment, Impact, Mastery Connect, Parchment and Parchment Digital Badges. These renewals highlight the company's secure-by-design approach, strong privacy safeguards and long-standing posture of operational resilience. The renewed certifications also reinforce the security of the platform services that enable seamless integrations across the ecosystem. Systems handling payment transactions, including Catalog and Parchment, also maintain full PCI DSS 4.0.1 compliance, validating adherence to the most stringent global standards for secure financial data processing.

"At Instructure, security is a central pillar of the trust we build with our customers and partners," said Steve Proud, chief information security officer at Instructure. "A strong trust relationship is essential to preparing learners, educators and institutions for their next chapter. Our comprehensive security approach strengthens the secure, future-ready ecosystem that empowers educators and learners to thrive in an increasingly complex, technology-driven world."

A Secure Foundation for a Future-Ready Learning Ecosystem

Through continuous monitoring, dedicated incident response and rigorous internal and external testing, Instructure's compliance program reflects its commitment to transparency, reliability and institutional control.

Maintaining these certifications ensures that the Instructure learning ecosystem continues to provide:

• A secure and resilient foundation for mission-critical learning environments
• Proven protection of sensitive data across teaching, learning and administrative workflows
• Transparency for institutions through clear data-handling practices and access to compliance documentation
• Reliable and scalable infrastructure that supports the evolving readiness needs of learners and institutions

Overview of the Renewed Standards

ISO 27001

The internationally recognized standard for establishing, implementing and improving an information security management system (ISMS). Instructure's certification demonstrates ongoing governance, risk management and security best practices.

SOC 2 Type II

Evaluates the effectiveness of controls related to security, availability and confidentiality over an extended period. The renewed reports affirm the strength and consistency of Instructure's operational and security controls.

PCI DSS 4.0.1

A rigorous standard that ensures the secure storage, transmission and processing of cardholder data. This certification for Catalog and Parchment reaffirms Instructure's dedication to secure digital transactions.

"Our customers depend on us to maintain the integrity, security and continuity of their learning environments," said Deepa Talreja, senior director of governance, risk and compliance at Instructure. "By continually renewing these certifications, we reinforce our role as a stable and trusted partner committed to protecting sensitive data and supporting institutional readiness for today's demands and the demands of the future."

Security as an Enabler of Institutional Readiness

Education leaders face increasing pressure to modernize programs, navigate complex regulatory expectations and deliver trusted digital experiences. As outlined in Instructure's readiness narrative, confidence, security and trust are essential for enabling the next chapter of learning, whether that involves preparing K-12 learners, scaling institutional programs, supporting hybrid delivery models or enabling career mobility at scale.

By maintaining these certifications year after year, Instructure continues to support institutions with:

• Safe, secure and reliable environments for learners and educators
• Compliance-aligned tools that reduce administrative burden
• System stability at a global scale, so institutions can focus on learning, not infrastructure
• A trusted partner committed to long-term stewardship of data and privacy

Explore Instructure's Security Credentials

For information about Instructure's credentials and the company's commitment to data security and compliance, please visit the Instructure Trust Center.

About ISO

The International Organization for Standardization (ISO) is an independent, non-governmental international organization that develops and publishes a wide range of standards to ensure the quality, safety, and efficiency of products, services, and systems. ISO is a globally recognized mark of excellence, indicating an organization's adherence to international standards and best practices.

About SOC 2 Attestation

SOC 2 is a stringent standard set by the American Institute of CPAs (AICPA), ensuring that service providers securely manage data to protect the interests and privacy of their customers. Achieving SOC 2 demonstrates an organization's commitment to data security, privacy and compliance.

About PCI DSS 4.0.1

PCI DSS 4.0.1 is a rigorous security standard developed by the Payment Card Industry Security Standards Council to protect cardholder data. By meeting this standard, we demonstrate a lasting commitment to safeguarding payment information, reducing fraud, and upholding customer trust with every transaction. Achieving PCI DSS 4.0.1 signals our dedication to secure processes, transparent controls, and a safer, more reliable experience for customers and partners.