Security & compliance
We work with organizations in healthcare, financial services, defense, and other regulated industries. Protecting your data and meeting your compliance requirements isn’t an add-on — it’s built into how we operate.
Last updated: April 2026
Encryption in transit
All data transmitted between your team and ours is encrypted via TLS/SSL. File transfers use secure, access-controlled channels.
Encryption at rest
Project files and client materials are stored in encrypted cloud environments with reputable providers.
Access controls
Project materials are accessible only to team members assigned to your engagement. Access is revoked upon project completion.
Data retention
Project files are retained for 90 days after final delivery to support post-launch optimization. After 90 days, files are archived securely. We permanently delete all copies upon your written request and confirm deletion in writing.
Breach notification
In the event of a data breach affecting your project materials, we notify you within 72 hours with details of the breach, the data affected, and the remediation steps taken.
During an engagement you share organizational data with us — employee names and roles, performance metrics, process documentation, proprietary content, and in some cases regulated information such as protected health information or financial records. This section explains exactly how that data is handled from the moment you share it to the moment it is deleted.
What we collect
Only data necessary to complete the engagement. We do not request, retain, or process any client data beyond what is required to design, develop, and deliver the agreed training program.
How it is stored
All project materials are stored in encrypted cloud environments with access restricted to the team members assigned to your engagement. Files are organized in project-specific workspaces. No client data is stored on personal devices.
Who can access it
Only the named team members on your engagement have access to your project materials. Access permissions are granted by the project lead and revoked immediately upon project completion or team member departure. You can request a list of personnel with access at any time.
Subprocessors
We use a limited set of third-party tools to deliver projects — including cloud storage, project management, and communication platforms. All subprocessors are bound by confidentiality obligations consistent with our obligations to you. A current list of subprocessors is available upon request.
Retention and deletion
Project files are retained for 90 days after final delivery to support post-launch optimization and any revision requests. After 90 days, files are archived in encrypted storage. We permanently delete all copies — including backups — upon your written request and confirm deletion in writing within 5 business days.
Regulated data
Engagements involving protected health information (HIPAA), personal data subject to GDPR, CCPA/CPRA, PIPEDA, or other data protection regulations are governed by a signed Data Processing Agreement (DPA) or Business Associate Agreement (BAA) before any data is shared. We accept your template or provide ours.
Breach notification
In the event of a confirmed or suspected breach affecting your project data, we notify you within 72 hours with the nature of the incident, the data affected, the steps taken to contain it, and our remediation plan.
If your organization requires a completed vendor security questionnaire, a data flow diagram, or a formal data processing agreement prior to engagement, contact us and we will work with your legal and procurement teams to provide what you need.
If your organization requires additional agreements — vendor security questionnaires, custom confidentiality terms, or industry-specific compliance documents — we’re happy to work with your legal and procurement teams.
All eLearning deliverables are built and tested to meet WCAG 2.1 Level AA conformance standards. Accessibility is validated at every stage of development — not audited at the end.
Testing methodology
Accessibility is checked at three stages: during development using automated tools (axe, Lighthouse) to catch structural issues early; during QA using manual keyboard navigation testing across Chrome, Firefox, and Safari; and pre-delivery using screen reader testing on NVDA (Windows) and VoiceOver (macOS/iOS). All failures are remediated before the module is released.
What we test against
WCAG 2.1 Level AA — the standard required by ADA Title III, Section 508, EN 301 549 (EU), and most enterprise accessibility policies. We test all four principles: Perceivable, Operable, Understandable, and Robust.
Built-in compliance, not bolted on
Accessibility requirements are defined during the Design phase and written into the storyboard. This means color contrast, keyboard flow, caption requirements, and alt text are specified before a single screen is built — eliminating costly remediation at the end of development.
Documentation we provide
Section 508
For US federal contractors and recipients of federal funding, we build to Section 508 standards (which align with WCAG 2.1 AA). Section 508 compliance should be specified in the statement of work if required, as it may affect authoring tool selection and development approach.
Custom accessibility requirements
If your organization has an internal accessibility policy, a specific conformance level above AA, or platform-specific requirements (e.g., a particular screen reader or assistive technology), define these during the discovery call and we will design to those specifications from the start.
To request a VPAT, accessibility conformance report, or documentation for a specific deliverable, contact us at hello@instructionaldesign360.com.
Every engagement is led by our founder and delivered by our 20+ person in-house team of instructional designers, eLearning developers, media specialists, learning technology specialists, QA testers, and project managers.
Your engagement team is drawn from this in-house roster based on the skills your project requires. Every team member is a direct employee or long-term retained specialist — not a subcontractor sourced for the project.
All deliverables are tested for technical functionality, accessibility compliance, and learner experience before final delivery.
We maintain continuity plans to ensure your project is not disrupted by the unavailability of any single team member, including the project lead.
If business continuity is a priority for your engagement, we’re happy to discuss specific arrangements during the discovery call.
We maintain professional indemnity (errors and omissions) insurance and general liability insurance appropriate to the nature and scale of our engagements.
Proof of insurance and certificate of coverage are available upon request during the vendor qualification process.
Every engagement is fixed-scope. What’s included in your quote is protected throughout the project. Here’s exactly how revisions and scope changes work so there are no surprises on either side.
Included revisions
Two rounds of consolidated feedback are included at each milestone — storyboard, prototype, and final delivery. Six revision rounds total across a standard engagement. A round is one set of feedback submitted in a single document. Batched or sequential feedback after a round has been actioned counts as an additional round.
What counts as a revision
Corrections, refinements, and adjustments to content or design within the agreed scope — updating scenario wording, adjusting visual style, correcting factual errors, refining assessment questions.
What counts as a scope change
Any request that adds to, removes from, or substantially alters the agreed deliverables or requirements. Examples: adding modules not in the original brief, changing the delivery platform after storyboard approval, adding languages or accessibility standards not specified at project initiation, switching from illustrated eLearning to video production, or changing the target audience after design has begun.
Change order process
When a scope change is identified, we pause the affected work and issue a written change order documenting the change, the timeline impact, and the additional fee. Work on the change proceeds only after you approve the change order in writing. No additional charges are incurred without a signed change order.
For enterprise engagements requiring custom payment structures — quarterly billing cycles, purchase order workflows, or extended net terms — we’re happy to accommodate your procurement requirements. Raise these during the scoping call and we’ll build them into the project agreement.
Additional revision rounds
Revision rounds beyond the two included per milestone are billed at the standard hourly rate defined in your project agreement. You are notified and must approve before any out-of-scope revision work begins.
The best way to minimize revisions and scope changes is thorough discovery. Our Discover phase is designed specifically to surface misalignments before they become expensive — the three weeks you invest upfront save weeks of revision later.
IP ownership is defined clearly before work begins. Here is our standard position on every category of intellectual property involved in a project.
Deliverables — you own them
Upon receipt of full payment, we assign all rights, title, and interest in the custom deliverables created for your engagement — eLearning modules, storyboards, scripts, assessments, and instructional content. No ongoing license fees, no usage restrictions. You own what you paid for.
Our pre-existing IP
We retain ownership of our proprietary frameworks, methodologies, templates, design systems, and code libraries. Where these are embedded in your deliverables, you receive a perpetual, non-exclusive, royalty-free license to use them as part of the delivered work. You may not extract or resell the underlying IP independently.
Third-party assets
Stock photography, video, icons, fonts, and audio are sourced under commercial licenses appropriate for your delivery format. A full asset list with license details is available upon request. If you intend to use deliverables beyond the original scope — for example, in broadcast advertising — notify us during scoping so we source assets under the correct license tier.
Your content
Everything you provide — brand assets, source materials, data, proprietary processes — remains yours. We use it only to complete your project and never for any other purpose.
IP transfer timing
IP transfers upon final payment. During the engagement, Instructional Design 360 retains ownership of work-in-progress deliverables. This protects both parties: you cannot be left without deliverables if payment is made, and we are not left without recourse if payment is withheld.
If your organization requires a specific IP assignment structure — including explicit work-for-hire language required by your legal team — we accommodate this in the project agreement. Raise it during the scoping call.
All engagements are invoiced on a fixed-scope basis with a structured milestone schedule. There is no hourly billing and no surprise invoices. Payment terms are defined in the project agreement before work begins.
Deposit
30% of the total project fee is due at signing. This secures your project team and initiates discovery. The deposit is non-refundable once discovery has commenced.
Milestone payments
The remaining 70% is invoiced against defined project milestones: 30% at storyboard approval, 30% at prototype approval, and 10% at final delivery. Milestone percentages are adjustable by mutual agreement in the project SOW.
Net terms
Standard payment terms are Net 30 from invoice date. Invoices unpaid after 30 days accrue interest at 1.5% per month. We reserve the right to pause work on engagements with invoices more than 15 days overdue, without liability for resulting timeline delays.
Cancellation
If an engagement is cancelled after signing, the client is responsible for fees covering all work completed to the date of cancellation. The deposit is non-refundable. Any unused portion of a milestone payment is credited against the final invoice.
Currency & taxes
All fees are quoted and invoiced in US dollars. Clients are responsible for any applicable sales, use, or withholding taxes beyond the quoted project fee.
For enterprise engagements requiring custom payment structures — quarterly billing cycles, purchase order workflows, or extended net terms — we’re happy to accommodate your procurement requirements. Raise these during the scoping call and we’ll build them into the project agreement.
Questions about security or compliance?
If you need additional documentation — vendor security questionnaires, specific compliance certifications, or a detailed security review — we’re happy to work with your procurement and legal teams.
