What is LTI 1.3 and why does it matter?

LTI 1.3 is the latest standard for connecting tools to your LMS. It enables SSO, grade passback, and deep linking so Scaffold works seamlessly inside Canvas, Moodle, or Blackboard.

Do I need developers or IT support?

No. Most educators complete the LTI setup themselves in under 10 minutes using our guided wizard.

Can I migrate existing content?

Yes. Scaffold imports Common Cartridge, QTI, SCORM packages, and plain HTML.

Is student data safe?

Absolutely. SOC 2 Type II compliant, FERPA-aligned, GDPR-ready. Data encrypted at rest and in transit.

What happens after the waitlist?

We onboard teams in small batches. Waitlist members get founding-member pricing and priority onboarding.

Security

Last updated: 13 March 2026

Scaffold is trusted by educational institutions to handle sensitive student and course data. Security is foundational to how we build and operate the platform.

Infrastructure

Hosting

Scaffold is hosted on Amazon Web Services (AWS). Our primary infrastructure runs in EU regions (Ireland eu-west-1, Frankfurt eu-central-1) with UK workloads in London (eu-west-2).

AWS maintains the following certifications for its infrastructure:

SOC 1, SOC 2, SOC 3
ISO/IEC 27001:2022
ISO/IEC 27017:2015 (cloud security)
ISO/IEC 27018:2019 (PII in cloud)
ISO/IEC 27701:2019 (privacy management)
CSA STAR CCM v4.0

Under the shared responsibility model, AWS secures the underlying infrastructure while BrainJam is responsible for application-level security, access management, and data handling.

Network Security

All services run in isolated Virtual Private Clouds (VPCs)
Network segmentation using security groups and network ACLs
Web Application Firewall (WAF) for application-layer protection
DDoS protection via AWS Shield

Data Protection

Encryption

State	Standard	Details
At rest	AES-256	All data stores, backups, and file storage encrypted using AWS KMS-managed keys
In transit	TLS 1.2+	All connections use HTTPS. HSTS enforced. TLS 1.0/1.1 disabled.
LTI tokens	RS256 JWT	LTI 1.3 launch tokens signed with RSA keys, validated against platform public keys

Access Control

Authentication: Platform users authenticate via their institution's LMS through LTI 1.3 / OpenID Connect. Scaffold does not store LMS passwords.
Role-based access: Permissions enforced based on LTI roles (learner, instructor, admin).
Internal access: Staff access to production systems requires MFA and follows the principle of least privilege. Access is reviewed quarterly.
Audit logging: All access to student data is logged with user identity, timestamp, and action.

Data Residency

EU institutions: Data stored in AWS EU regions (Ireland or Frankfurt)
UK institutions: Data stored in AWS London region
Other regions: Data residency can be configured per institutional requirements

Application Security

Secure development: Security is integrated into our development lifecycle. Code reviews are mandatory for all changes.
Dependency management: Automated scanning for known vulnerabilities in dependencies.
OWASP Top 10: Application is hardened against the OWASP Top 10, including injection, XSS, CSRF, and broken authentication.
Penetration testing: Annual third-party penetration testing. Findings are tracked to resolution.
Responsible disclosure: We welcome security researchers to report vulnerabilities. Contact security@brainjam.works.

Compliance

Framework	Status
GDPR (EU)	Compliant. DPO appointed. DPA with SCCs available.
UK GDPR / DPA 2018	Compliant. UK IDTA available for international transfers.
FERPA (US)	Compliant. We act as a "school official" under institutional agreements.
CCPA / CPRA (California)	Compliant. We do not sell or share personal information.
WCAG 2.1 AA	Targeted. All components built with accessibility as a requirement.
LTI 1.3 / 1EdTech	Conformant. LTI Advantage (Deep Linking, AGS, NRPS).
SOC 2 Type II	Planned.

Incident Response

Detection: Centralised logging and monitoring with automated alerting for anomalous activity.
Response: Documented incident response plan with defined roles, escalation paths, and communication procedures.
Notification: Institutional customers notified of confirmed data breaches without undue delay, and within 72 hours at latest, in accordance with GDPR Article 33.
Post-incident: Root cause analysis and remediation for every incident. Findings shared with affected customers on request.

Business Continuity

Backups: Automated daily backups with point-in-time recovery. Backups encrypted and stored in a separate AWS region.
Disaster recovery: Tested recovery procedures with documented RTO and RPO targets.
Redundancy: Multi-AZ deployment for high availability within each region.

Organisational Security

Background checks for all team members with access to production systems
Security awareness training for all staff
Confidentiality agreements for all team members and contractors
Sub-processor security reviews before onboarding

Vendor Assessment

We understand that institutions have their own security review processes. We support:

HECVAT: Higher Education Community Vendor Assessment Toolkit — available on request
Custom questionnaires: We respond to institutional security questionnaires
DPA execution: We sign institutional DPAs and data protection addenda

Contact

For security questions, concerns, or to report a vulnerability:

Security team: security@brainjam.works
Data Protection Officer: dpo@brainjam.works