// Trust & Security Report
Duolingo, Inc. (NASDAQ: DUOL)
Duolingo language learning platform (consumer app, Super Duolingo subscription, Duolingo Max AI tier, Duolingo for Schools, Duolingo English Test, Duolingo ABC children's literacy, Duolingo for Business)
Certifications held
6
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on vanta.com“Duolingo achieved ISO 27001 certification (via Vanta) in 2024, scoped to the Duolingo English Test (DET) program — enabling DET to win university and government institutional customers requiring data-protection assurance.”
Verify on vanta.com“Duolingo completed SOC 2 Type I compliance via Vanta prior to pursuing ISO 27001. Vanta case study confirms both SOC 2 Type I and ISO 27001 were achieved by Duolingo's security program.”
“No primary-source evidence found confirming SOC 2 Type II. Only Type I is confirmed in available public documentation as of June 2026.”
“Duolingo uses Stripe as its payment processor (Stripe handles card data). Whether Duolingo itself holds a PCI DSS attestation is unverified from primary sources.”
Verify on duolingo.com“Privacy policy states: 'You may also have the right to make a GDPR complaint to the relevant Supervisory Authority. Here is a list of EEA Supervisory Authorities, and a link to the UK Supervisory Authority.'”
Verify on privacy.commonsense.org“Common Sense Media evaluation confirms: Duolingo 'obtain[s] parental consent before collecting personal information from children, both in the United States, the European Union, and other countries.'”
> Show 2 unconfirmed / not-held certifications
Duolingo is a consumer language-learning platform. No primary-source documentation from duolingo.com claims HIPAA compliance. Nudge Security's aggregated profile lists it, but that source does not supply a primary quote or audit report.
No evidence on the FedRAMP marketplace or on duolingo.com. Nudge Security lists it without a primary source. Not verified.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not stated
Data region
United States (Amazon Web Services). No explicit EU data residency commitment found for the consumer app. DET supplemental privacy terms may differ.
Duolingo explicitly trains on user-generated content in two ways. First, for AI features (Video Call, Roleplay): 'Duolingo may generate, record, and store audio recordings or transcripts of the text and audio you submit, and use these recordings or transcripts for product improvement and personalization purposes, including training and running Duolingo's own artificial intelligence models.' Second, for all users via anonymization: 'Duolingo may anonymize your personal information, and use this de-identified data for any purpose, such as better understanding learning trends and training artificial intelligence models.' Users can opt out of sharing audio for product improvement in app Settings, but there is no opt-out for training on anonymized data. AI vendors (OpenAI, Google) are contractually barred from using Duolingo user data for their own purposes.
// Security controls
Encryption at rest and in transit
DET Security Report (March 2026) states: 'These include encryption of data at rest, encryption of data in transit, user authentication and authorization, security by design, and cybersecurity audits.' Applies explicitly to DET; assumed consistent with main platform given shared AWS infrastructure.
duolingo-papers.s3.us-east-1.amazonaws.comPenetration testing
Confirmed for DET: 'The DET team secures its API, conducts regular security audits, and strictly controls database permissions.' External paid pen testing is also confirmed in the Duolingo blog: 'security experts are paid to break into our systems, to expose potential weaknesses.' Engineers resolved all found vulnerabilities within one month.
blog.duolingo.comBug bounty / vulnerability disclosure
HackerOne appears in Duolingo's vendor stack per Nudge Security profile. A FireBounty listing confirms a Vulnerability Disclosure Program exists for ro.duolingo.com. Program scope and public/private status are not confirmed from Duolingo's own pages.
security-profiles.nudgesecurity.comInfrastructure
Amazon Web Services (primary hosting), Cloudflare (CDN/DDoS). Confirmed via Nudge Security profile and privacy policy reference to 'hosting providers such as Amazon Web Services'.
duolingo.comMFA / 2FA
MFA posture differs by product. Consumer app: no end-user multi-factor authentication is documented in the privacy policy or terms, and Nudge Security notes the absence of SMS, email, hardware, software, TOTP, or U2F second-factor options for consumer accounts. Duolingo English Test (DET): the DET Trust Center states the program enforces multi-factor authentication, role-based access control, and regular access reviews as part of its identity and access management. Treating Duolingo as having 'no MFA' overall would be inaccurate; the gap is specific to the consumer app.
trust.englishtest.duolingo.comBiometric data collection (DET only)
DET collects face photos, government-issued ID photos, webcam video of full test session, secondary camera room scan video, and ear-scan sensor data (to detect hidden earpieces). Test sessions are recorded front-facing and via secondary camera. These are collected under DET supplemental privacy terms, not the main app policy.
duolingo-papers.s3.us-east-1.amazonaws.comHistorical breach
In January 2023, scraped profile data for approximately 2.6 million Duolingo users (email addresses, usernames, public profile data) was posted on a hacking forum. Data was obtained via an exposed API that mapped emails to accounts. No passwords were included. Duolingo confirmed the breach was limited to publicly available profile information.
duolingo.comCompliance automation platform
Duolingo uses Vanta for continuous compliance monitoring, automated tests, policy management, and vendor security assessments. Mandy Matthew, Lead Security Risk Program Manager at Duolingo: 'Everything is in Vanta — automated tests, manual tests, policies, vendor security assessments, and more.'
vanta.com// Products & data scope
data: Username, email, age, learning activity, speaking audio (optional), device/browser data, IP address, FullStory session replays. Personalized advertising enabled by default (opt-out available). Third-party ad networks (Unity, Meta, Google, LiftOff, Pangle, Moloco) share data.
Common Sense Media 'Warning' rating due to ad targeting and data sharing with third parties. Not appropriate for enterprise procurement without reviewing advertising data flows.
data: Same as free app plus AI feature audio/transcripts (Video Call, Roleplay) shared with OpenAI and Google. Transcripts may be used to train Duolingo's own AI models. Duolingo Max includes Roleplay and Explain My Answer AI features.
AI vendors (OpenAI, Google) are contractually barred from using user data for their own purposes. However, Duolingo retains and trains on recordings. Users should not share sensitive/confidential information in AI features.
data: Teacher and student accounts linked; learning progress shared with teacher. Children under 13 have FullStory and Session Replay disabled. Parental consent obtained for minors. COPPA-compliant consent mechanism confirmed.
FERPA compliance claimed in Duolingo for Schools FAQs but no DPA was publicly confirmed as of assessment date. Schools should request a signed data processing agreement before deploying district-wide.
data: Highest data sensitivity: government-issued ID, biometric face scan, full-session webcam video, secondary camera room scan, ear-scan sensor data, keystroke/mouse logs, IP address, device fingerprint. Governed by Supplemental DET Privacy Terms. ISO 27001 certified (2024). Data retained; 'anonymized examination data may be kept indefinitely.'
ISO 27001 and SOC 2 Type I certifications are confirmed specifically for DET, making it the highest-compliance Duolingo product. Institutions accepting DET scores should refer to trust.englishtest.duolingo.com.
data: Separate privacy policy (duolingo.com/abc-privacy). No ads, no social features, no public profiles. Designed explicitly for young children. Minimal data collection compared to main app.
Separate child-focused privacy policy is a positive signal. No certifications confirmed specifically for ABC.
data: Aggregated learning analytics for employees; individual learning data subject to main app privacy policy unless a corporate DPA is in place.
Enterprises should request a DPA before deploying. No public DPA or enterprise terms were found as of assessment date. Contact privacy@duolingo.com.
// What to watch
- AI training on user audio and transcripts from interactive AI features is opt-in for product improvement but NO opt-out exists for anonymized model training — disclosed in privacy policy but not prominently surfaced in UI.
- Broad perpetual IP license grant in Terms: 'full-paid, royalty free, perpetual, irrevocable, worldwide... license to use, reproduce, copy, adapt, modify... create derivative works from the Content' — applies to user-submitted content.
- DET collects highly sensitive biometric data (face scan, government ID, ear-scan sensor data, full video recordings) — governed by separate Supplemental DET Privacy Terms, not the main app policy.
- ISO 27001 and SOC 2 Type I are confirmed only for Duolingo English Test scope per available evidence. No public SOC 2 Type II report found.
- 2023 data breach: ~2.6 million user profiles (email + public data) scraped via exposed API and published on hacking forum.
- Common Sense Media 'Warning' rating: shares data with advertising networks (Unity, Meta, Google, LiftOff, Pangle, Moloco); data profiling for personalized ads.
- No MFA/2FA for consumer-app end users is documented; this gap is specific to the consumer app. The Duolingo English Test program does enforce MFA per its Trust Center, so it should not be characterized as having no MFA.
- No publicly available DPA for enterprise or school deployments — procurement teams must request one directly.
- Trust Center URL (trust.englishtest.duolingo.com) is scoped to DET only; no equivalent trust center found for the consumer app or Duolingo for Business.
// At a glance
Pricing model
Freemium (free consumer tier with ads; Super Duolingo at approx. $6.99-13.99/month; Duolingo Max at approx. $29.99/month; DET at $59 per test; Duolingo for Business custom pricing)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Duolingo, Inc. (NASDAQ: DUOL)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.englishtest.duolingo.com