Skip to main content

Your Security, Our Priority

Your private data needs to stay that way. Which is why we design our products and services to protect it. With robust safeguards, continuous monitoring and real-time security insights, nobody minds your business but us.

Woman working on laptop at a table

Eliminating Vulnerabilities

  • A strong foundation relies on solid building blocks. We favour languages and frameworks with inherent memory safety, built-in XSS prevention, and SQL injection protection.

  • The first step to correcting a vulnerability is to identify it—that’s why we’ve integrated static application security testing (SAST) tools into our CI/CD pipeline.

  • We store data using secure cloud infrastructure and reinforce its protection by implementing security best practices.

Security in Every Step

Your security is top of mind at every stage of our Software Development Lifecycle (SDLC).


Security lays the foundation for design—so it’s prioritized early in our process.


We keep a watchful eye on all product changes. Any—and every—code update is reviewed for quality by our skilled product team.


Our developers are trained on threat modelling and other security principles. Under their expert guidance we’ve implemented a fortified SDLC, ensuring our software is secure every step of the way.


Neutralizing Threats

  • We run periodic dynamic application security testing (DAST) scans, work closely with security researchers and perform annual 3rd party penetration tests to identify—and correct—any weaknesses in our product’s security.

  • Security and learning go hand in hand. Our mandatory employee training program is extensive and dynamic—we are always looking for new ground to cover.

  • We operate an ISO 27001 certified risk management program that ensures vulnerabilities are identified, prioritized and addressed according to documented service level objectives (SLOs).

  • Disruption-free patches and updates keep our software and infrastructure secure as we closely monitor security threats and vulnerabilities.

colleagues collaborating over a tablet in an office

Keeping You in the Loop

  • No Surprises

    We maintain open communication with our customers about the security of our products, including clear documentation of security features, updates and any necessary precautions or issues that require customer action.

  • Dependable

    We work with customers to identify and remove unsafe configurations and we never charge extra for implementing additional security frameworks.

  • Secure Set-up Assistance

    We support and encourage the use of single sign on (SSO) authentication to implement multi-factor authentication (MFA) for all users without additional credentials or MFA prompts.

  • Partnership

    We’re happy to work with customers’ security teams to provide logs and analysis to support security investigations.

Man working on laptop at a desk in an office
  • We take a layered approach to protecting our network infrastructure and resources.

    • Network Firewall guards the network-level with capabilities such as stateful inspection and intrusion prevention. Amazon Virtual Private Cloud (VPC) security group provides protection at the host-level. Web Application Firewall protects the application-level.
    • Amazon VPC helps keep traffic segmented using Private Subnet, Public Subnet and Network Load Balancer. These VPC services separate traffic between network boundaries.
    • We deploy cloud security posture management technology throughout our infrastructure. This technology collects events from end points and enables monitoring, alerting, and remediation of compliance risks and misconfigurations in cloud environments.
    • Threat and intrusion detection services continuously monitor cloud environments for malicious activity.
    • Deep packet inspection technology is available for forensics if required.
    • Connection to the Brightspace environment is established through TLS cryptographic protocols with RSA® encryption, ensuring that customers have secure connection from their browsers to our service.
    • Individual user sessions are identified and re-verified with each transaction using a unique token created at login.
    • Our internal network technology—such as firewalls and WAFs—protects against denial of service (DoS) attacks.
    • We use AWS Shield to protect against distributed denial of service (DDoS) attacks. This service provides detection and mitigation for volumetric, protocol and application DDoS attacks.
  • System Hardening

    Vulnerabilities and Patching

    • We test all code for security vulnerabilities before release and regularly scan its network and systems for vulnerabilities.
    • Our experts regularly review any security patches from underlying software and operating systems to assess the critical nature, risk, and potential effect to D2L services.

    Annual Third Party Assessments

    • We employ a third party to conduct penetration tests against the Brightspace platform annually.
  • Anti-virus software is deployed on all personnel laptops and desktops and is centrally managed to ensure all DAT files are up to date. Centralized reporting ensures malware infections are properly quarantined and escalated for further actions where needed.

Skyscraper windows
  • Applications are developed using the OWASP Top Ten framework and various security components are integrated into application architecture. Security analysts regularly look for weaknesses through code reviews and application scans. Third parties validate the technical controls by conducting regularly scheduled network penetration and application vulnerability tests.

  • Our Security and Privacy Incident Management process handles security and privacy incidents. This process can be initiated by a D2L customer, internal D2L employee or the public. If a security incident is identified, the following high-level process is followed:

    • Monitoring and Awareness: A security and/or privacy incident is identified, communicated to the Security Incident Response Team (SIRT).
    • Detection and Analysis (triage): The incident is assessed to determine the severity, priority, scope and impact. This step can include evidence preservation and containment activities.
    • Mitigation: Recommendations are created and implemented to contain, eradicate and/or contain the incident in question.
    • Recovery: Containment is complete. Where applicable, scanning of environments occurs to ensure recovery is complete.
    • Communications: This can include communications with internal resource teams, stakeholders and D2L customers. Based on the findings of triage and analysis, the appropriate communications are drafted, approved and shared.
    • Post Incident Activity: In this stage, lessons learned are completed to gather feedback and evolve incident response process and procedures. Where applicable, the root cause is identified and logged.
  • We vet all applicable vendors and subcontractors to ensure they too provide an appropriate level of security.

    • Our security awareness program ensures that employees understand the importance of security and its intersection with their workday.
    • New employees are required to take security training, and training completion is audited throughout the year.
    • The Information Security team leverages several security threat intelligence sources to keep up to speed on the latest security threats. This information is shared through regular security awareness campaigns to help D2L staff are informed of these threats and what to do if they encounter them.

Secure by Design

We are committed to the continuous refinement of our security operations and practices, including ensuring that security is treated as an integral aspect of the D2L product roadmap. Because when your private data stays that way, everyone wins.