Security and Privacy

Moodle Security & Privacy Compliance


Moodle is trusted by hundreds of thousands of educational institutions, organisations, and governments worldwide in their daily operations. Recognising the critical importance of data, information, and operational security, we at Moodle prioritise Security & Privacy. Our solutions are designed with these priorities in mind, striving to meet the high standards required by our users.
As a proud Certified B Corporation, Moodle is part of a global community with a mission-driven approach. This certification underlines our commitment to social and environmental responsibility and maintaining high standards of security and privacy in our products and solutions, reflecting our dedication to doing good for our community and our users.


Security by design

At Moodle, we strive to deliver a learning management system that’s secure and protects the privacy and security of learners’ and employees’ data. Moodle’s development practices include security by design. This means that we embed a security mindset right from the start in all of our development to deliver a secure platform.

Moodle follows various frameworks for software development and operational performance. OWASP and CWE are referenced to educate developers on writing secure code with security as its primary goal, while CIS CSC offers a set of best practices to improve cybersecurity posture. Moodle US has received certification for SOC2 Type 2, a cybersecurity compliance framework developed by the American Institute of Certified Public Accountants.

To protect all of our users, we practice responsible disclosure, which means we publicly announce issues that come to our attention only when fixes are available and after registered Moodle sites have had time to upgrade or patch their installations. For those hosting their own Moodle site, we also offer guidance and best practices to enhance the security of your installation.

Moodle’s latest release comes with new product enhancements that make Moodle 4.3 our most secure version yet, including:


Constantly monitored by the global security community

In the development of open-source software like Moodle LMS, security is a distributed & open process. Unlike proprietary software, where the code is hidden and can only be reviewed by a few people, Moodle’s open-source ethos ensures that our source code is constantly monitored by large numbers of people from the community. This means more eyes on our code to find any potential issues but also more people collaborating to make it more secure. Bugs can be detected and triaged quickly through well-established processes and resolved at pace, reducing the impact of vulnerabilities.

In addition, Moodle is widely used in military and other high-security environments. These organisations apply rigorous cyber security reviews to their software solutions, well beyond the standards of regular organisations. In the spirit of open source, these organisations frequently share their findings with our development team, helping Moodle benefit from world-leading cyber security reviews. Fixes to the issues identified are then published through the global CVE network. Moodle ensures that these fixes are applied to supported past releases, helping to ensure they reach as many sites as possible.


Pro-active security testing and vulnerability disclosure program

As part of Moodle’s security procedures, we have a long-standing security program, facilitated in partnership with “Bugcrowd” that enables global security researchers to test our platform continuously and easily submit any security issue they find through our Vulnerability Disclosure Program.

The Moodle Bugcrowd program streamlines how we detect, triage and fix vulnerabilities, helping us in our efforts to keep your data safe.

Learn more about Moodle security and our Bugcrowd program


Our commitment to privacy: Full data control and transparency

At Moodle, we do not collect, use or monetise any personal information from any of the hundreds of thousands of Moodle LMS sites that exist worldwide.

As an open source platform, Moodle LMS enables your organisation to have complete control over your data, including how and where you store it. On top of that, we provide you with the best features and tools to help you keep your learners’ data private and secure.


Tools and features to support GDPR compliance

Our leading privacy features ensure that your Moodle LMS can be GDPR compliant and adhere to local privacy legislation by enabling you to:

  • Write multiple policy documents (including site policy for guests) so that you can be completely transparent with your learners, educators and anyone who visits your site on how you collect, use or disclose their data.
  • Protect digital minors with age-of-consent checks and manage access for minors who require parental agreement to access your learning management system.
  • Handle all data requests from your users and keep track of retention periods in a centralised place.
  • Enable your users to easily request to access or download their data, to see the policies they’ve agreed to and to contact your Data Protection Officer.

Privacy by design

We take data privacy into account every step of the way. With each new development for Moodle LMS, we consider how user data is captured, stored and can be retrieved or removed as required to comply with the law.

For example, for organisations that use YouTube or Vimeo as part of their learning content, Moodle LMS now leverages the “do not track” option provided by these services. When enabled by an administrator, this option greatly reduces the amount of data sent to YouTube and Vimeo to the minimum required by those services to deliver video to your learners.

To help organisations ensure that their privacy compliance also extends to installed plugins external to Moodle LMS, we’ve created a Privacy API that plugin developers need to implement to make their add-ons GDPR compliant.

Read more about making your Moodle site privacy compliant.