Setting up and maintaining integrations can often entail some handling of sensitive information.
Whether you are handling API credentials (usernames, passwords, API keys) or personal information in a support case, it is important to use safe methods for transmitting and storing the information. Leaked API keys could potentially give an outsider access to large amounts of sensitive data.
We do not consider normal email to be a secure way to share such information, so we strongly recommend that all Canvas developers and partners use alternative, more secure means for handling and sharing sensitive data, which adhere to GDPR regulations.
Here are some suggestions:
Ask customers to add apps themselves:
You may ask your clients to register applications in their account themselves. This avoids sending credentials over the internet, as the client can register the information directly into their Canvas account.
Use secure sharing methods:
If sensitive data must be shared, we recommend using more secure methods. We have developed a SecureShare solution, which you could potentially use for this.
When sending information via SecureShare, the sender will receive a one-time code, and the recipient will receive an email with a temporary link. To open the link, the recipient must have the one-time code.
The code can be sent via normal email, text message, or other methods. The link can only be opened once using the one-time code, and the link will be made invalid after 72 hours.
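The properties described above (a link and a one-time code delivered separately, a single successful open, and expiry after 72 hours) can be modelled as follows. This is an added example, not SecureShare's implementation or code from the original page; the class name `OneTimeShare`, the 8-digit code format, the in-memory storage and the `MAX_ATTEMPTS` limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 72 * 3600   # the page states links become invalid after 72 hours
MAX_ATTEMPTS = 5          # assumption: the page does not describe wrong-code handling


class OneTimeShare:
    """Hypothetical in-memory model of a single-use, code-protected, expiring share."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable clock so expiry can be tested
        self._items = {}      # link token -> record

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        # Store only a salted, stretched hash of the code, never the code itself.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def create(self, secret: str):
        """Return (link_token, one_time_code); the two travel by separate channels."""
        token = secrets.token_urlsafe(32)            # unguessable link identifier
        code = f"{secrets.randbelow(10**8):08d}"     # assumed 8-digit one-time code
        salt = secrets.token_bytes(16)
        self._items[token] = {
            "secret": secret,
            "salt": salt,
            "code_hash": self._hash(code, salt),
            "expires": self._clock() + TTL_SECONDS,
            "attempts": 0,
        }
        return token, code

    def redeem(self, token: str, code: str):
        """Return the secret once; None if unknown, expired, used, or the code is wrong."""
        rec = self._items.get(token)
        if rec is None:
            return None
        if self._clock() >= rec["expires"]:
            del self._items[token]
            return None
        # Constant-time comparison avoids leaking how much of the code matched.
        if not hmac.compare_digest(self._hash(code, rec["salt"]), rec["code_hash"]):
            rec["attempts"] += 1
            if rec["attempts"] >= MAX_ATTEMPTS:
                del self._items[token]   # stop online guessing of the code
            return None
        del self._items[token]           # single use: remove before returning
        return rec["secret"]
```

Because the link and the code are useless on their own, intercepting only the email or only the text message does not expose the shared data.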