Setting up workflows often entails handling of API credentials (usernames, passwords, API keys) and sensitive information (personal information, social security numbers, etc). Leaked API keys could potentially give an outsider access to large amounts of sensitive data.
We do not consider normal email to be a secure way to share such information, so we strongly recommend that all Canvas developers and partners use alternative, more secure means for handling and sharing sensitive data, which adheres to GDPR regulations.
Here are some suggestions:
Ask costumers to add apps themselves:
You may ask your clients to register applications in their account themselves. This avoids sending of credentials over the internet, as the client can enter the details directly into their Canvas account.Use secure sharing methods:
If sensitive data must be shared, we recommend using more secure methods. We have developed a SecureShare solution which you could potentially use.
When sending information via SecureShare the sender will receive a one-time code, and the recipient will receive an email with a temporary link.
To open the link, the recipient must have the one-time code. The code can be sent via normal email, text message, or other methods. The link can only be opened once using the one-time code, and the link will be made invalid after 72 hours.