Instructure
Round 1 · Privacy Triage · VettED Privacy Triage (Avenues-derived) — Round 1 · assessed
🔴 Do Not Approve
Privacy score 64.4% · band Average
Hard no: the vendor explicitly does something disqualifying — Q11 (Data Safety). An explicit gate violation beats the privacy score.
Hard-fail gate(s): Q11 — an explicit disqualifying practice. This beats the privacy score.
Dimension scorecard
| Dimension | Score | |
|---|
| Data Collection GATE |
| 60.0% |
| Data Sharing GATE |
| 100.0% |
| Data Sold GATE |
| 100.0% |
| Data Rights GATE ⚠ |
| 33.3% |
| Data Safety GATE ⚠ |
| 20.0% |
| Ads & Tracking GATE |
| 100.0% |
| Parental Consent |
| 100.0% |
| School Purpose |
| 100.0% |
| AI & Model-Training GATE ⚠ |
| 0.0% |
| Jurisdiction & Residency |
| 100.0% |
Findings — 18 questions, every answer cited
Data Collection
Q1Does the vendor limit collection/use of information to only data required for the product? GATE
✓ Good
T3
Answer: Yes
“We limit our collection and use of your personal information only to those elements required to operate our Products, or as otherwise disclosed in this Privacy Notice.”
Q2Does the vendor collect PII beyond what's necessary for the stated educational purpose?
✓ Good
T3
Answer: No
“We limit our collection and use of your personal information only to those elements required to operate our Products, or as otherwise disclosed in this Privacy Notice.”
Q3Is any image of the user collected?
✗ Concern
T3
Answer: Yes
“Video images and voice recordings”
Listed under Personal Information collected
Q4Does the vendor collect precise geolocation data?
✗ Concern
T3
Answer: Yes
“Some Products may collect precise location information about your mobile device, but only with your consent.”
Data Sharing
Q5Does the vendor limit data sharing with third parties to the purpose for which it was collected? GATE
✓ Good
T3
Answer: Yes
“We do not permit our third-party service providers to use personal information we share with them for their own advertising or marketing purposes, or for any other purpose other than in connection with the services they provide to Instructure.”
Q6Does the vendor impose contractual limits on how third parties use shared personal information? GATE
✓ Good
T3
Answer: Yes
“We do not permit our third-party service providers to use personal information we share with them for their own advertising or marketing purposes, or for any other purpose other than in connection with the services they provide to Instructure.”
Data Sold
Q7Does the vendor sell or rent users' personal information to third parties? GATE
✓ Good
T3
Answer: No
“We do not sell or rent personal information to third parties.”
Data Rights
Q8Do the student / educator / parent / school retain ownership of data and IP of uploaded content? GATE
? Not addressed
T0
Answer: Unclear
Policy does not explicitly address student/educator/parent/school ownership of uploaded content or IP
Q9Can the user delete all of their PII and personal information from the vendor?
✓ Good
T3
Answer: Yes
“You may request that we modify or delete your information by emailing us at privacy@instructure.com or submitting a help desk ticket through our Products. We will respond to your request, when permitted by law and subject to exceptions, within 30 days.”
Q10Does the vendor auto-delete data after a defined period of inactivity (data sunset)?
? Not addressed
T0
Answer: Unclear
Policy does not mention automatic data deletion after a defined period of inactivity
Data Safety
Q11Can students contact or interact with UNKNOWN users (strangers / the general public) in environments NOT supervised by a teacher or school? (Teacher-managed or within-class interaction, and content-only sharing, do NOT count.) GATE
✗ Concern
T3
Answer: Yes
“If you use Portfolium, examples of sharing your personal information may occur when you: Create an account, your name and other profile information will be viewable and searchable by other users and Employer Partners. Post content to Portfolium, such as videos, photos, school projects, and comments, which are displayed on Portfolium and viewable by other users by default. Access public blogs, community forums, or the newsfeed within the Product.”
Portfolium allows students to interact with unknown users (employers, other users) in public forums and through searchable profiles
Ads & Tracking
Q12Does the vendor display behavioral or targeted advertising to students inside the product? (Sending product/marketing emails to account holders does NOT count.) GATE
✓ Good
T3
Answer: No
“We do not engage in automatic decision making, advertising to students, or profiling.”
Q13Does the vendor share students' personal information with third parties for third-party advertising or ad-targeting? GATE
✓ Good
T3
Answer: No
“We do not sell or rent personal information to third parties.”
Policy explicitly states no sale/rental of personal information; no mention of sharing student data for ad-targeting
Parental Consent
Q14Does the vendor limit collection for children aged 13 or under, or require parental/school consent?
✓ Good
T3
Answer: Yes
“For users of Canvas LMS and the Mastery suite of products, we may take steps intended to comply with the Children's Online Privacy Protection Act ("COPPA"). Please see our Children's Online Privacy Protection Act Privacy Notice.”
References COPPA compliance for children under 13; separate COPPA notice referenced
School Purpose
Q15Does the vendor state the product is intended for students in preschool or preK-12?
✓ Good
T3
Answer: Yes
“We primarily provide our Products to Academic Institutions, such as K-12 schools and higher education institutions”
AI & Model-Training
Q16Does the vendor use student/user data — including uploaded content — to train, fine-tune, or improve AI/ML models? GATE
? Not addressed
T0
Answer: Unclear
Policy does not address whether student/user data is used to train, fine-tune, or improve AI/ML models. References AI tools but does not disclose training practices.
Q17Does the vendor disclose which AI sub-processors/models power its features and any automated decisions affecting students?
? Not addressed
T0
Answer: Unclear
Policy mentions AI-powered chatbots and translation tools but does not disclose which specific AI sub-processors/models power features or automated decisions affecting students
Jurisdiction & Residency
Q18Does the vendor disclose where data is stored and which privacy regimes it complies with?
✓ Good
T3
Answer: Yes
“Instructure (which includes Parchment) complies with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") as set forth by the U.S. Department of Commerce.”
Discloses compliance with DPF regimes; storage locations not explicitly named but references EU, UK, Switzerland, and US (Salt Lake City, London offices listed)
Jurisdiction & residency — Nord Anglia footprint
Vendor named 1 of 11 Nord Anglia countries. Shown alongside the verdict, not folded into the score —
a vendor can be strong on privacy yet leave residency gaps for specific countries.
“Instructure (which includes Parchment) complies with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") as set forth by the U.S. Department of Commerce. For users of Canvas LMS and the Mastery suite of products, we may take steps intended to comply with the Children's Online Privacy Protection Act ("COPPA").”
| Country | Privacy law | Coverage |
|---|
| MexicoLatAm | LFPDPPP | ⚠ Gap |
| Costa RicaLatAm | Law 8968 | ⚠ Gap |
| PanamaLatAm | Law 81/2019 | ⚠ Gap |
| Dominican RepublicLatAm | Law 172-13 | ⚠ Gap |
| BrazilLatAm | LGPD | ⚠ Gap |
| ColombiaLatAm | Ley 1581/2012 | ⚠ Gap |
| EcuadorLatAm | LOPDP (2021) | ⚠ Gap |
| PeruLatAm | Law 29733 | ⚠ Gap |
| ChileLatAm | Law 21.719 | ⚠ Gap |
| UruguayLatAm | Law 18.331 | ⚠ Gap |
| United States | FERPA / COPPA | ✓ Named |
| GDPR (overlay) | Nord Anglia is UK-headquartered, global | ⚠ Gap |