Skip to main content

Security & Privacy Compliance

We take our responsibility to protect the confidentiality, availability and integrity of your data seriously, which is why we have the following certifications:

ISO 27701 Badge

ISO/IEC 27701:2019

ISO/IEC 27701:2019 is an extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management — Requirements and Guidelines. It provides additional guidance for the protection of privacy and for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS).

ISO/IEC 27701 provides evidence that personal information is processed in compliance with applicable data and privacy legislation and contractual requirements. It extends the technical measures of implementing information security to further include and address privacy requirements. Essentially, it’s a framework for organizations to manage privacy risks and implement appropriate measures – with a focus on personal information.

The standard helps companies align with global privacy regulations and enhances data protection practices. It requires systematic evaluation of privacy risks, implementation of comprehensive privacy controls, and ongoing management to maintain certification.

The goal is to ensure effective privacy measures and build customer trust in data protection practices.

Download certification for ISO/IEC 27701: 2019

ISO 27001 Badge

ISO/IEC 27001:2013

ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance. This is a widely-recognized international security standard. Certification in the standard requires us to:

  • Systematically evaluate our information security risks, taking into account the impact of company threats and vulnerabilities
  • Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks
  • Adopt an overarching management process to ensure that the information security controls meet our information security needs on an ongoing basis

The key to the ongoing certification under this standard is the effective management of a rigorous security program. The Information Security Management System (ISMS) required under this standard defines how we perpetually manage security in a holistic, comprehensive way. The ISO/IEC 27001 certification is specifically focused on the D2L ISMS and measures how our internal processes follow the ISO standard. Certification means a third party accredited independent auditor has performed an assessment of our processes and controls and confirms they are operating in alignment with the comprehensive ISO/IEC 27001 certification standard.

Download certification for ISO/IEC 27001:2013

ISO 27018 Badge

ISO/IEC 27018:2019

ISO/IEC 27018:2019 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

In particular, ISO/IEC 27018:2019 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

Download certification for ISO/IEC 27018:2019

Security certificate ISOIEC 27017

ISO/IEC 27017:2015

ISO/IEC27017 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

  • additional implementation guidance for relevant controls specified in ISO/IEC 27002;
  • additional controls with implementation guidance that specifically relate to cloud services.

This Recommendation provides controls and implementation guidance for both cloud service providers and cloud service customers.

Download certification for ISO/IEC 27017:2015


The Texas Risk and Authorization Management Program – or TX-RAMP – aims to provide a standardized approach to security assessment, authorization, and continuous monitoring of cloud computing services used by Texas state agencies, including public higher education institutions.

This certification means that D2L Brightspace can continue operations in Texas with state agencies and education institutions. TX-RAMP adds to D2L’s existing security certifications, including ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018 and ISO/IEC 27701. This widely recognized international security standard requires D2L to maintain an ongoing, effective management of a rigorous security program.

Learn more about TX-RAMP

security certificate cloud security alliance

Cloud Security Alliance (CSA) Security, Trust And Assurance Registry (STAR))

As part of the Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR) Self-Assessment program, D2L submits a self-assessment report, the Consensus Assessments Initiative Questionnaire (CAIQ), that documents our compliance to CSA published best practices.

The STAR program includes a complimentary registry that documents the security controls provided by D2L to manage our cloud instances. This publicly accessible registry is designed for users of our cloud services to assess our specific security practices and assist our current and prospective customers in responding to their security questions.

The Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document what security controls exist in our Software as a Service (SaaS) offering.

Copy of D2L’s CAIQ is located at:

I2 Cloud Scorecard

As participants in the Internet2 Cloud Scorecard, D2L has made available common security and compliance information in one easy to reference location. You can view the D2L Brightspace Cloud Scorecard. The Cloud Scorecard questionnaire, designed by higher education institutions, is now available for research and education institutions to use to efficiently assess standards.

The scorecard is a self-assessment completed using standards and best practices developed within the research and education community. Your institution can use the scorecard standards to benchmark or evaluate services against key criteria.

security certificate aicpa soc

SOC 1® Type II & SOC 2® Type II

Service Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how D2L achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the D2L controls established to support operations and compliance.

The D2L SOC Reports include four of the Trusted Services Principles: Security, Confidentiality, Processing Integrity and Availability.

To request a copy of our most recent SOC report(s), please contact your account representative.

Cyber Essentials certificate

Cyber Essentials

Cyber Essentials helps organizations guard against the most common cyber threats and demonstrates their commitment to cybersecurity.

Cyber Essentials is an effective, government-backed scheme that helps protect organizations, regardless of their size, against a whole range of the most common cyber-attacks.

The Cyber Essentials self-assessment option provides organizations with protection against a wide variety of the most common cyber-attacks. This is important because vulnerability to basic attacks can mark organizations out as targets for more in-depth unwanted attention from cyber criminals and others.

Cyber Essentials Certification offers organizations peace of mind that their defences will protect against the vast majority of common cyber-attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.

Cyber Essentials shows organizations how to address those basics and prevent the most common attacks.


Would you like to visit a page that exists in your region?

Take me there