Moodle Security & Privacy Compliance
Hundreds of thousands of educational institutions, organisations and governments use Moodle in their daily operations. We provide them with the tools to ensure that all of their data, information and operations are secure and protected.
Security by design
At Moodle, we strive to deliver a learning management system that is secure and protects the privacy and security of learners’ and employees’ data.
To protect all of our users, we practice responsible disclosure, which means we publicly announce issues that come to our attention only when fixes are available and after registered Moodle sites have had time to upgrade or patch their installations.
Moodle’s development practices include security by design. This means that we embed a security mindset right from the start in all of our development to deliver a secure platform.
For those hosting their own Moodle site, we also offer guidance and best practices to enhance the security of your installation.
Constantly monitored by the global security community
In the development of open source software like Moodle LMS, security is an ongoing process. Unlike with proprietary software, where the code is hidden and bugs might be exploited, the Moodle community constantly monitors the source code and collaborates to make it more secure through public, well-established processes.
This means that any bugs are detected and fixed quickly, reducing the impact of vulnerabilities and security breaches.
Moodle is widely used in military, banking and other high-security environments, and organisations in these environments frequently conduct penetration testing and report findings to our core team. Our fixes are reported through the global CVE network, and applied to supported past releases to make sure they reach as many sites as possible.
Proactive security testing and vulnerability disclosure program
As part of Moodle’s security procedures, we’ve set up a security program with Bugcrowd that enables global security researchers to test our platform continuously, easily submitting any security issue through our Vulnerability Disclosure Program. The Moodle Bugcrowd program allows us to streamline the way in which we detect, triage and fix any vulnerabilities, ensuring that we’re always on top of security to keep your data safe.
Our commitment to privacy: Full data control and transparency
At Moodle we do not collect, use or monetise any student data or anyone’s personal information from any of the thousands of Moodle LMS sites that exist worldwide.
As an open source platform, Moodle LMS enables your organisation to have complete control over your data, including how and where you store it. And, on top of that, we provide you with the best features and tools to ensure you can keep your learners’ data private and secure.
Tools and features to support GDPR compliance
Our leading privacy features ensure that your Moodle LMS is GDPR compliant and adheres to local privacy legislation requirements:
- Write multiple policy documents (including site policy for guests) so that you can be completely transparent with your learners, educators and anyone who visits your site on how you collect, use or disclose their data.
- Protect digital minors with age-of-consent checks and manage access for minors who require parental agreement to access your learning management system.
- Handle all data requests from your users and keep track of retention periods in a centralised place.
- Enable your users to easily request to access or download their data, to see the policies they’ve agreed to and to contact your Data Protection Officer.
Privacy by design
We take data privacy into account every step of the way. With each new development for Moodle LMS, we consider how user data is captured, stored and can be retrieved or removed as required to comply with the law.
To help organisations ensure that their privacy compliance also extends to installed plugins external to Moodle LMS, we’ve created a Privacy API that plugin developers need to implement to make their add-ons GDPR compliant.