Student First Trust Center
Product Security
Product Security
We pay great attention to enterprise features such as access control and single sign on. We are happy to provide more details about our enterprise features upon request.
Reports
Reports
We may provide security-related reports upon request.
Data Security
Data Security
We follow industry best practices for data security. We are happy to provide more details about our data security practices upon request.
App Security
App Security
We take application security seriously and are putting together a program to monitor internal apps.
AI
AI
We take the usage of AI seriously in our organization and work to ensure security and reliability of the AI.
ESG
ESG
We prioritize and take environmental, social, and governance (ESG) considerations seriously in our operations and decision-making processes.
Data Privacy
Data Privacy
Privacy of customer data is top of mind. We follow industry best practices and follow all applicable privacy regulations.
Access Control
Access Control
Access is tightly monitored and controlled at our company. We are happy to provide more details about our access control practices upon request.
Infrastructure
Infrastructure
We take great care to work with best-in-class infrastructure providers that provide secure computing and storage. We are happy to provide more details about our infrastructure upon request.
Endpoint Security
Endpoint Security
We follow industry best practices for endpoint security. We are happy to provide more details about our endpoint security practices upon request.
Network Security
Network Security
We protect our corporate network against external & internal threats.
Security Grades
Security Grades
We are constantly monitoring the security of our website. We will post our grades from public security rating agencies when they become available.
Incident Response
Incident Response
We have a dedicated team that responds to security incidents. We are happy to provide more details about our incident response practices upon request.
Risk Management
Risk Management
We have a dedicated team that manages security risks. We are happy to provide more details about our risk management practices upon request.
Asset Management
Asset Management
We have strict asset management policies in place to ensure that all assets are accounted for and secure.
BC/DR
BC/DR
We have a business continuity plan in place to ensure that we can continue to operate in the event of a disaster.
Training
Training
We provide security awareness training to all employees to ensure that they are aware of security best practices.
Change Management
Change Management
We have a change and configuration management process in place to ensure that changes are properly reviewed and approved.
Physical & Environment
Physical & Environment
We have physical and environmental controls in place to ensure that our data centers are secure and reliable.
Continuous Monitoring
Continuous Monitoring
We continuously monitor our systems for security threats and vulnerabilities. We are happy to provide more details about our continuous monitoring practices upon request.
Subprocessors
Subprocessors
Security Advisory | Canvas LMS (Instructure) Third-Party Incident Reference: INC-2026-0509-CANVAS
Overview
Student First is aware of an active security incident affecting Instructure, the company that operates Canvas LMS. We have reached out directly to all customers with Canvas integrations and are sharing this advisory as a transparent record for all institutions, whether or not your integration with Student First includes Canvas.
Student First systems, infrastructure, and customer data have not been compromised. This incident originated entirely within Instructure's environment.
What Happened
On or around April 25, 2026, threat actor group ShinyHunters exploited a vulnerability in Instructure's Canvas platform. Instructure confirmed unauthorized access on May 1, 2026. According to Instructure's public disclosures, data potentially involved includes names, email addresses, and student ID numbers across affected institutions. Instructure has stated there is no evidence that passwords, financial information, or government identifiers were exposed.
Impact to Student First Integrations
Canvas API keys issued by Instructure and stored within Instructure's environment may have been exposed as part of this breach. Out of an abundance of caution, Student First has disabled the Canvas integration for all tenants effective May 9, 2026, while remediation steps are completed.
Canvas data sync is temporarily inactive. No Student First-managed data has been affected.
Actions Required
Institutions with Canvas integrations should take the following steps to restore service:
- Log into Canvas Admin and generate a new API key for the Student First service account.
- Revoke or delete the previously issued Canvas API key.
- Update the new API key in your Student First integration settings.
- Confirm data sync is functioning correctly.
- Notify Student First at support@studentfirst.com once complete so we can validate connectivity and restore your integration.
What Student First Is Doing
- Disabled the Canvas integration platform-wide as a precautionary measure
- Auditing all Canvas API key configurations across affected tenants
- Monitoring Instructure's ongoing investigation and public disclosures
- Requiring confirmed API key rotation before re-enabling integrations on a per-tenant basis
- Opened a vendor security incident against Instructure in our risk management system
- Will request an updated security attestation from Instructure upon conclusion of their investigation
Resources
- Instructure status updates: status.instructure.com
- Questions or to report key rotation completion: support@studentfirst.com
- This advisory will be updated as the situation develops.