// Trust & Security Report

    Coursera, Inc. logo

    Coursera, Inc.

    Online education platform offering 1000+ courses, professional certificates, degrees, and specializations from partner universities and organizations. Key products: Coursera Plus (subscription), Coursera for Business (enterprise), Coursera for Campus (university partnerships).

    Certifications held

    3

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Coursera's security program is SOC 2 Type 2 attested, affirming that Coursera's information security practices meet or exceed the rigorous SOC 2 security and availability standards.

    Verify on coursera.org
    ISO 27001
    HELD

    Our security policies, procedures, and standards are based on the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001. Coursera's ISO 27001 certificate details are available publicly in auditor's (Schellman LLC) directory. Certificate #1991452-4.

    Verify on coursera.org
    GDPR
    HELD

    If you reside or are located in the European Economic Area ('EEA') or United Kingdom ('UK'), Coursera is the data controller. Coursera participates in the EU-U.S. Data Privacy Framework, the UK extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. Standard Contractual Clauses and UK Addendum used where DPF does not apply.

    Verify on coursera.org
    > Show 5 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No evidence of HIPAA compliance or Business Associate Agreement found on Coursera's security or privacy pages despite offering healthcare-related courses and certifications.

    source: coursera.org
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on vendor domain.

    source: coursera.org
    ISO 27017 (Cloud security)
    NOT CONFIRMED

    No evidence of ISO 27017 certification held by Coursera. Coursera offers courses about ISO 27017 but does not claim this certification for its own services.

    source: coursera.org
    ISO 27018 (Personal data in cloud)
    NOT CONFIRMED

    No public evidence of ISO 27018 certification on vendor domain.

    source: coursera.org
    ISO 27701 (Privacy management)
    NOT CONFIRMED

    No evidence of ISO 27701 certification held by Coursera, though courses on this standard are offered.

    source: coursera.org

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Primary data infrastructure in United States. Coursera participates in Data Privacy Framework (EU-U.S., UK, Swiss-U.S.) for EEA/UK transfers. Subprocessors: AWS (Virginia/Oregon) and Message Systems/Sparkpost (USA).

    Privacy notice describes AI features for teaching support, learning assistance, assessment, and chatbots 'for service delivery rather than model development.' Does not explicitly confirm or deny training of proprietary models on customer data. Users are advised to 'verify any AI outputs that you use in your coursework.'

    // Security controls

    Encryption in transit and at rest

    Uses industry best standards; DPA specifies 'industry-standard cryptographic techniques'

    coursera.org

    Access controls

    Principle of least privilege with regular access reviews limiting personnel access on need-to-know basis

    coursera.org

    Software development lifecycle

    SDLC framework ensuring secure design principles in development pipelines

    coursera.org

    Data breach reporting

    Contact security@coursera.org or HackerOne

    coursera.org

    Disaster recovery

    Disaster recovery procedures included as part of DPA security commitments

    coursera.org

    // Products & data scope

    Coursera Plus (subscription)Individual learning

    data: User profile, course progress, completion records, biometric data (identity verification, deleted after 2 years max)

    Flexible learning platform with 1000+ courses

    Professional CertificatesCareer development

    data: User profile, course completion, assessment data, employer job posting correlations

    Job-ready credentials from industry leaders (Google, IBM, Microsoft, etc.)

    DegreesFormal education

    data: Full student record (academic, personally identifiable, potentially sensitive health/background data per institution)

    Coursera acts as data processor for university partner degree programs in certain circumstances

    Coursera for BusinessEnterprise learning

    data: Employee invitational data (name, email, employee ID provided by employer), course progress, skill assessments

    Coursera acts as data processor for invitation/employee data; enterprise DPA terms available

    Coursera for CampusUniversity partnerships

    data: Student profile data as provided by institution

    Integration with university systems; data controller role varies by program type

    // What to watch

    • No HIPAA compliance despite offering healthcare-related courses (e.g., 'Healthcare Data Security, Privacy, and Compliance', 'Privacy Law and HIPAA') - vendors should be aware Coursera is not suitable for HIPAA-regulated data handling
    • AI training practices ambiguous: Privacy notice does not explicitly state whether Coursera trains proprietary AI models on user learning data; clarification needed
    • Limited liability: Terms of service cap Coursera's liability at $20 or 6 months of fees (whichever greater), including for AI services
    • Security disclaimer: Coursera explicitly states 'cannot guarantee that unauthorized third parties will not be able to defeat our security measures'
    • Subprocessor data flows to US: AWS (Virginia/Oregon) and Sparkpost (USA) handle data even for EEA/UK users, relying on Data Privacy Framework / SCCs for lawful transfer

    // At a glance

    Pricing model

    Freemium (free courses with paid certificates/specializations); Coursera Plus subscription ($39/month or $399/year); Enterprise licensing for Coursera for Business

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Coursera, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    coursera.org

    > Browse all vendor trust reports