Skip to main content

Security Policies and Protection


D2L has privacy and security-conscious policies that apply to all of its information handling practices.

Contractual privacy protection for customers
    • D2L’s contracts include confidentiality provisions that prohibit D2L from disclosing customer confidential information, including customer data, except under certain defined circumstances, such as when required by law.
    • D2L agrees not to access customer’s accounts, including customer data, except to maintain the service, prevent or respond to technical or service problems, at a customer’s request in connection with a customer support issue, or where required by law.
  • For information collected on D2L’s Web sites, D2L provides assurances around the types of information collected, how that information may be shared and how that information may be used. D2L offers individuals the opportunity to manage their receipt of marketing and other non-transactional communications. D2L offers individuals the opportunity to update or change the information they provide.

  • Every D2L employee must follow D2L’s code of conduct, sign a confidentiality and non-disclosure agreement as a condition of employment, and follow D2L’s information security policies.


D2L’s privacy and security program includes having the appropriate people in place to create, manage and drive security, privacy and policy and communicating with personnel about current issues and best practices.

Internal training and communications for D2L personnel
  • D2L regularly communicates with personnel about its obligation to safeguard confidential information. D2L provides online training on confidentiality, privacy, and information security for all new employees. All D2L personnel are required to complete annual privacy and security training and are tested on the materials presented. D2L communicates with all personnel about privacy and information security awareness throughout the year.

  • D2L encourages all of its customers and users to adopt industry-standard solutions to secure and protect their authentication credentials, networks, servers, and computers. D2L communicates with its customers about current issues and trends and informs customers about security issues when necessary and appropriate.


D2L has an Information Security Team under the Chief Technology Officer, that is responsible for managing and maintaining the Information Security Management System and program.

The Chief Privacy Officer is responsible for D2L’s privacy program, including compliance with applicable privacy and data-protection laws.

The Information Security Risk and Compliance Manager is responsible for ensuring policies are kept up to date, enforced and organizational risks are identified and mitigated tactically and strategically through security policies. Additionally, all D2L personnel are required to follow D2L’s confidentiality, privacy, and information security policies.

IMSA Customer
  • Human Resources

    All D2L employees must successfully go through a security background check before they can begin working at D2L.

  • Technology

    D2L maintains a variety of technical measures to protect the D2L Brightspace service. These measures are implemented in alignment with various industry recognized privacy and security standards D2L is certified with.

    See for a full list of certifications

Default Privacy and Security Features

  • Connection to the D2L Brightspace service is via transport layer security (TLS), ensuring that its customers have a secure connection to their data. Individual user sessions are uniquely identified and re-verified with each transaction.

    Application logs record the creator, last updated, timestamps, and originating IP address for every record and transaction completed. Customers’ passwords are not accessible by D2L personnel

    Security controls include unique, non-predictable session tokens, configurable session timeout values, password policies, sharing rules, and user profiles

  • Hardware and software configurations are designed to provide secure logical separation of customer data.
    The D2L Brightspace service supports delegated authentication.

  • Multiple layers of external firewalls
    Intrusion-detection & prevention sensors
    Security information and event management tools
    Continuous vulnerability scanning and external penetration testing

  • The D2L Brightspace service is highly scalable and redundant, allowing for fluctuation in demand and expansion of users while greatly reducing the threat of outages. Load-balanced networks, pools of application servers, and clustered databases are features of D2L’s design.

  • All customer data is stored in secure data centers and is replicated over secure links to a disaster recovery data center. This design provides the ability to rapidly restore the D2L Brightspace service in the case of a catastrophic event.

  • Customers may determine which of their respective designees can access different categories of data.
    Customers may set customizable password rules.
    Customers may define log-off times for inactivity.