// Trust & Security Report
Coursera, Inc.
Online education platform offering 1000+ courses, professional certificates, degrees, and specializations from partner universities and organizations. Key products: Coursera Plus (subscription), Coursera for Business (enterprise), Coursera for Campus (university partnerships).
Certifications held
3
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on coursera.org“Coursera's security program is SOC 2 Type 2 attested, affirming that Coursera's information security practices meet or exceed the rigorous SOC 2 security and availability standards.”
Verify on coursera.org“Our security policies, procedures, and standards are based on the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001. Coursera's ISO 27001 certificate details are available publicly in auditor's (Schellman LLC) directory. Certificate #1991452-4.”
Verify on coursera.org“If you reside or are located in the European Economic Area ('EEA') or United Kingdom ('UK'), Coursera is the data controller. Coursera participates in the EU-U.S. Data Privacy Framework, the UK extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. Standard Contractual Clauses and UK Addendum used where DPF does not apply.”
> Show 5 unconfirmed / not-held certifications
source: coursera.orgNo evidence of HIPAA compliance or Business Associate Agreement found on Coursera's security or privacy pages despite offering healthcare-related courses and certifications.
source: coursera.orgNo public evidence of PCI DSS certification on vendor domain.
source: coursera.orgNo evidence of ISO 27017 certification held by Coursera. Coursera offers courses about ISO 27017 but does not claim this certification for its own services.
source: coursera.orgNo public evidence of ISO 27018 certification on vendor domain.
source: coursera.orgNo evidence of ISO 27701 certification held by Coursera, though courses on this standard are offered.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Primary data infrastructure in United States. Coursera participates in Data Privacy Framework (EU-U.S., UK, Swiss-U.S.) for EEA/UK transfers. Subprocessors: AWS (Virginia/Oregon) and Message Systems/Sparkpost (USA).
Privacy notice describes AI features for teaching support, learning assistance, assessment, and chatbots 'for service delivery rather than model development.' Does not explicitly confirm or deny training of proprietary models on customer data. Users are advised to 'verify any AI outputs that you use in your coursework.'
// Security controls
Encryption in transit and at rest
Uses industry best standards; DPA specifies 'industry-standard cryptographic techniques'
coursera.orgAccess controls
Principle of least privilege with regular access reviews limiting personnel access on need-to-know basis
coursera.orgSoftware development lifecycle
SDLC framework ensuring secure design principles in development pipelines
coursera.orgDisaster recovery
Disaster recovery procedures included as part of DPA security commitments
coursera.org// Products & data scope
data: User profile, course progress, completion records, biometric data (identity verification, deleted after 2 years max)
Flexible learning platform with 1000+ courses
data: User profile, course completion, assessment data, employer job posting correlations
Job-ready credentials from industry leaders (Google, IBM, Microsoft, etc.)
data: Full student record (academic, personally identifiable, potentially sensitive health/background data per institution)
Coursera acts as data processor for university partner degree programs in certain circumstances
data: Employee invitational data (name, email, employee ID provided by employer), course progress, skill assessments
Coursera acts as data processor for invitation/employee data; enterprise DPA terms available
data: Student profile data as provided by institution
Integration with university systems; data controller role varies by program type
// What to watch
- No HIPAA compliance despite offering healthcare-related courses (e.g., 'Healthcare Data Security, Privacy, and Compliance', 'Privacy Law and HIPAA') - vendors should be aware Coursera is not suitable for HIPAA-regulated data handling
- AI training practices ambiguous: Privacy notice does not explicitly state whether Coursera trains proprietary AI models on user learning data; clarification needed
- Limited liability: Terms of service cap Coursera's liability at $20 or 6 months of fees (whichever greater), including for AI services
- Security disclaimer: Coursera explicitly states 'cannot guarantee that unauthorized third parties will not be able to defeat our security measures'
- Subprocessor data flows to US: AWS (Virginia/Oregon) and Sparkpost (USA) handle data even for EEA/UK users, relying on Data Privacy Framework / SCCs for lawful transfer
// At a glance
Pricing model
Freemium (free courses with paid certificates/specializations); Coursera Plus subscription ($39/month or $399/year); Enterprise licensing for Coursera for Business
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Coursera, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
coursera.org