You may have seen recent reporting about a security incident involving Instructure/Canvas. We want to proactively clarify that Harmonize was not impacted by this incident.
After reviewing the available information and our own implementation, our engineering team has confirmed that Harmonize does not use the inherited, cross-tenant keys that appear to be central to the reported issue. Harmonize keeps client data segmented into distinct tenants for each institution, with tenant-specific CNAMEs and configurations rather than a shared inherited key structure.
That tenant-segmented architecture provides additional inherent protection in our infrastructure because each school’s environment is separated from the others rather than relying on shared cross-tenant access patterns.
Based on our review:
Harmonize systems were not breached.
Harmonize customer data was not accessed through this incident.
Client data remains segmented by institution in distinct tenant environments.
No Harmonize customer action is required at this time.
We continue to monitor the situation closely, but our current assessment is that this was isolated to Instructure-managed systems and does not affect Harmonize.
Please let us know if your security or IT team would like any additional information.