Software that integrates with Canvas via LTI, or that uses OAuth tokens to interact with the Canvas API on behalf of users, can have access to information that is governed by FERPA and by University privacy and data security policies. It’s important that all software and systems that handle and store this data operate in a manner consistent with University policy. Software developers and technical staff can find more details on the Harvard University Information Security website.
Generally speaking, this means ensuring that sensitive data is transmitted and stored securely, and that proper controls are in place to prevent unauthorized users from accessing the information. You can find helpful guides on how to assess your own information security practices on the Information Security website. All HUIT groups complete this security assessment every year, and it’s a good practice for people who have access to sensitive data to review their local practices.
If your application will use OAuth tokens to operate on behalf of (impersonate) users, it’s extremely important that these tokens are stored securely and used properly. One user’s token must never be used to read or write data in Canvas on behalf of a different user: bind each stored token to the Canvas user it was issued to, look tokens up only by the identity of the user the request is being made for, and keep token values out of logs and error messages.
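The following is an added example, not code from the Harvard Canvas developer page or from Instructure. It shows one way to enforce the rule above in application code: a token store that records which Canvas user each OAuth token was issued to (Canvas returns `user.id` in the token response), refuses to store a token under a different user, and an API client whose only way to obtain a token is by the id of the user it is acting for. Storage is in memory and the HTTP transport is injected so the example runs offline; the base URL, user ids and token values are constructed for illustration.

```python
# Added example (not from the Harvard Canvas page): per-user Canvas OAuth token
# handling that cannot use one user's token on behalf of another.
# Assumptions: tokens are kept in a dict (a real app would use an encrypted
# database column); the HTTP transport is a callable injected by the caller.
import time
from dataclasses import dataclass, field


class TokenMisuse(Exception):
    """Raised when a token would be stored for, or used by, the wrong user."""


@dataclass(frozen=True)
class TokenRecord:
    canvas_user_id: str
    # repr=False keeps the secret values out of tracebacks and debug logging
    access_token: str = field(repr=False)
    refresh_token: str = field(repr=False)
    expires_at: float


class TokenStore:
    """Tokens are keyed by the Canvas user id they were issued for."""

    def __init__(self):
        self._by_user = {}

    def save_from_oauth_response(self, asserted_user_id, oauth_response, now=None):
        """Store the JSON body of a successful /login/oauth2/token exchange.

        asserted_user_id is who the app believes just completed the OAuth flow
        (for example the Canvas user id from the LTI launch that started it).
        Canvas includes user.id in the token response; if the two disagree the
        token is refused rather than stored under the wrong user.
        """
        now = time.time() if now is None else now
        token_user = str(oauth_response["user"]["id"])
        if token_user != str(asserted_user_id):
            raise TokenMisuse(
                f"token was issued to user {token_user}, not {asserted_user_id}")
        record = TokenRecord(
            canvas_user_id=token_user,
            access_token=oauth_response["access_token"],
            refresh_token=oauth_response.get("refresh_token", ""),
            expires_at=now + float(oauth_response.get("expires_in", 3600)),
        )
        self._by_user[token_user] = record
        return record

    def get(self, canvas_user_id):
        return self._by_user.get(str(canvas_user_id))


class CanvasClient:
    def __init__(self, base_url, store, transport, now=None):
        self.base_url = base_url.rstrip("/")
        self.store = store
        self.transport = transport  # callable(method, url, headers) -> response
        self._now = now or time.time

    def request(self, acting_user_id, method, path):
        """Call the Canvas API as acting_user_id.

        The token is looked up only by that id, so there is no code path that
        can pick up a different user's token for this request.
        """
        record = self.store.get(acting_user_id)
        if record is None:
            raise TokenMisuse(f"no Canvas token on file for user {acting_user_id}")
        if record.expires_at <= self._now():
            raise TokenMisuse(f"token for user {acting_user_id} has expired; refresh it")
        headers = {"Authorization": f"Bearer {record.access_token}"}
        return self.transport(method, f"{self.base_url}{path}", headers)


# Constructed sample data: the shape of a Canvas token response, with fake values.
ALICE_TOKEN_RESPONSE = {
    "access_token": "fake-token-alice",
    "token_type": "Bearer",
    "user": {"id": 1001, "name": "Alice"},
    "refresh_token": "fake-refresh-alice",
    "expires_in": 3600,
}


def demo():
    """Alice's token is used for Alice; a request on behalf of user 2002 is refused."""
    sent = []

    def fake_transport(method, url, headers):
        sent.append((method, url, headers))
        return {"status": 200}

    store = TokenStore()
    store.save_from_oauth_response(1001, ALICE_TOKEN_RESPONSE, now=1000.0)
    client = CanvasClient("https://canvas.example.edu", store, fake_transport,
                          now=lambda: 1500.0)
    client.request(1001, "GET", "/api/v1/users/self/courses")
    try:
        client.request(2002, "GET", "/api/v1/users/self/courses")
        misuse_blocked = False
    except TokenMisuse:
        misuse_blocked = True
    return sent, misuse_blocked
```

The important design choice is that `CanvasClient.request` takes the acting user's id and nothing else that could select a token: callers cannot pass a token directly, and the store has no "get any token" method, so a bug in a background job or an admin screen cannot quietly borrow another user's credentials. Expired tokens are rejected rather than sent, which is where a refresh-token flow would be triggered.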