// Trust & Security Report

    edX LLC (owned by 2U, Inc.) logo

    edX LLC (owned by 2U, Inc.)

    Online learning platform offering courses, certificates, degree programs, and executive education from universities and industry partners; primarily B2C and B2B subscription model with 100M+ global learners

    Certifications held

    0

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 9 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No public evidence or mention found on edX.org, privacy policy, security policy, or enterprise terms

    source: edx.org
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence or mention found on edX.org, privacy policy, security policy, or enterprise terms

    source: edx.org
    ISO 27001
    NOT CONFIRMED

    No public evidence or mention found on edX.org, privacy policy, security policy, or enterprise terms

    source: edx.org
    ISO 27017
    NOT CONFIRMED

    No public evidence; not mentioned in any public documentation reviewed

    source: edx.org
    ISO 27018
    NOT CONFIRMED

    No public evidence; not mentioned in any public documentation reviewed

    source: edx.org
    HIPAA
    NOT CONFIRMED

    HIPAA not mentioned in privacy policy, security policy, or enterprise terms; edX is an education platform, not primarily a covered entity or business associate for healthcare data

    source: edx.org
    PCI DSS
    NOT CONFIRMED

    No public evidence; not mentioned in available documentation

    source: edx.org
    FedRAMP
    NOT CONFIRMED

    No public evidence; FedRAMP authorization not mentioned; edX is primarily a commercial platform

    source: edx.org
    ISO 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence; not mentioned despite edX offering AI courses and executive education

    source: edx.org

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region: United States, Australia, Canada, European Economic Area, Mexico, South Africa, United Kingdom

    Privacy policy does not disclose AI training on learner data. Policy mentions data uses for 'scientific research' and 'analytics,' but no explicit opt-in/opt-out for AI training.

    // Security controls

    Encryption in Transit

    HTTPS/TLS mentioned implicitly in security policy; AWS Certificate Manager (ACM) used in Open edX deployments; no explicit end-to-end encryption statement for edX.org platform

    edx.org

    Data Encryption at Rest

    Not explicitly mentioned for edX.org platform; data security guidelines for research data recommend Open-PGP compatible encryption and full-disk encryption for devices storing learner data

    edx.readthedocs.io

    Data Retention

    Data retained for as long as account is active or as needed for services, financial reporting, audit, and legal compliance. User deletion requests honored within 30 days; archived course data retained for research purposes.

    edx.org

    Vulnerability Disclosure

    Formal responsible security disclosure policy. edX states it does not offer monetary bug bounties; for disclosures the security team deems significant, it may provide a coupon code valued up to USD $150 toward courses as a token of gratitude. Security contact: security@edx.org

    edx.org

    Data Processing Agreements

    Data Sharing Addendum referenced in enterprise sales terms for handling Personal Information; customers must comply with Data Protection Laws per agreement

    business.edx.org

    Cloud Infrastructure

    Open edX compatible with AWS and Azure; specific hosting for edX.org platform not publicly disclosed; references to using cloud providers' security features

    docs.aws.amazon.com

    // Products & data scope

    Free/Audit CoursesOnline Courses

    data: Learner profile, course progress, basic analytics

    Free-to-audit courses collect user data but no payment data; verified certificate option available for fee

    Verified Certificates & Paid ProgramsProfessional Certificates

    data: Full learner profile, payment info, course completion data, identity verification

    Learner identity verified; payment processed; includes data from university/institution partners

    Degree Programs (Bachelor's/Master's)Degrees

    data: Full academic record, identity, payment, proctoring biometric data

    Degree programs include proctored exams; higher data collection for academic and credential purposes

    Executive EducationProfessional Development

    data: Corporate learner profile, completion tracking, employer affiliation

    edX for Business subscription model; used by enterprises for employee upskilling

    edX for Business / Enterprise SubscriptionsB2B Enterprise

    data: Organizational learner data, usage analytics, integration with enterprise LMS

    Governed by separate enterprise master service agreement; DPA available upon request

    // What to watch

    • No formal security certifications (SOC 2, ISO 27001) published on edX.org despite enterprise scale (100M+ learners, university partnerships)
    • Parent company 2U, Inc. also does not appear to publicize formal security certifications in public documentation
    • Lack of public trust center is unusual for a platform handling sensitive education and payment data at enterprise scale
    • Security policy focuses on vulnerability disclosure; does not address encryption, data isolation, or audit procedures
    • Privacy policy discloses multi-region data storage but does not specify data residency options or compliance with data localization laws
    • Data Processing Addendum mentioned but not publicly available; customers must request separately
    • No public statement on AI/ML training or opt-out mechanisms despite offering AI education products
    • Enterprise sales terms reference compliance with 'Data Protection Laws' generically without naming specific standards (GDPR, CCPA, etc.)
    • Infrastructure relies on cloud providers (AWS/Azure) but edX does not publicize own certifications or third-party audit results

    // At a glance

    Pricing model

    Freemium (audit free, verified certificate paid); subscription-based executive education; degree programs with tuition; B2B enterprise subscriptions

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on edX LLC (owned by 2U, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    edx.org

    > Browse all vendor trust reports