// Trust & Security Report
edX LLC (owned by 2U, Inc.)
Online learning platform offering courses, certificates, degree programs, and executive education from universities and industry partners; primarily B2C and B2B subscription model with 100M+ global learners
Certifications held
0
Maturity
Enterprise
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 9 unconfirmed / not-held certifications
source: edx.orgNo public evidence or mention found on edX.org, privacy policy, security policy, or enterprise terms
source: edx.orgNo public evidence or mention found on edX.org, privacy policy, security policy, or enterprise terms
source: edx.orgNo public evidence or mention found on edX.org, privacy policy, security policy, or enterprise terms
source: edx.orgNo public evidence; not mentioned in any public documentation reviewed
source: edx.orgNo public evidence; not mentioned in any public documentation reviewed
source: edx.orgHIPAA not mentioned in privacy policy, security policy, or enterprise terms; edX is an education platform, not primarily a covered entity or business associate for healthcare data
source: edx.orgNo public evidence; FedRAMP authorization not mentioned; edX is primarily a commercial platform
source: edx.orgNo public evidence; not mentioned despite edX offering AI courses and executive education
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-region: United States, Australia, Canada, European Economic Area, Mexico, South Africa, United Kingdom
Privacy policy does not disclose AI training on learner data. Policy mentions data uses for 'scientific research' and 'analytics,' but no explicit opt-in/opt-out for AI training.
// Security controls
Encryption in Transit
HTTPS/TLS mentioned implicitly in security policy; AWS Certificate Manager (ACM) used in Open edX deployments; no explicit end-to-end encryption statement for edX.org platform
edx.orgData Encryption at Rest
Not explicitly mentioned for edX.org platform; data security guidelines for research data recommend Open-PGP compatible encryption and full-disk encryption for devices storing learner data
edx.readthedocs.ioData Retention
Data retained for as long as account is active or as needed for services, financial reporting, audit, and legal compliance. User deletion requests honored within 30 days; archived course data retained for research purposes.
edx.orgVulnerability Disclosure
Formal responsible security disclosure policy. edX states it does not offer monetary bug bounties; for disclosures the security team deems significant, it may provide a coupon code valued up to USD $150 toward courses as a token of gratitude. Security contact: security@edx.org
edx.orgData Processing Agreements
Data Sharing Addendum referenced in enterprise sales terms for handling Personal Information; customers must comply with Data Protection Laws per agreement
business.edx.orgCloud Infrastructure
Open edX compatible with AWS and Azure; specific hosting for edX.org platform not publicly disclosed; references to using cloud providers' security features
docs.aws.amazon.com// Products & data scope
data: Learner profile, course progress, basic analytics
Free-to-audit courses collect user data but no payment data; verified certificate option available for fee
data: Full learner profile, payment info, course completion data, identity verification
Learner identity verified; payment processed; includes data from university/institution partners
data: Full academic record, identity, payment, proctoring biometric data
Degree programs include proctored exams; higher data collection for academic and credential purposes
data: Corporate learner profile, completion tracking, employer affiliation
edX for Business subscription model; used by enterprises for employee upskilling
data: Organizational learner data, usage analytics, integration with enterprise LMS
Governed by separate enterprise master service agreement; DPA available upon request
// What to watch
- No formal security certifications (SOC 2, ISO 27001) published on edX.org despite enterprise scale (100M+ learners, university partnerships)
- Parent company 2U, Inc. also does not appear to publicize formal security certifications in public documentation
- Lack of public trust center is unusual for a platform handling sensitive education and payment data at enterprise scale
- Security policy focuses on vulnerability disclosure; does not address encryption, data isolation, or audit procedures
- Privacy policy discloses multi-region data storage but does not specify data residency options or compliance with data localization laws
- Data Processing Addendum mentioned but not publicly available; customers must request separately
- No public statement on AI/ML training or opt-out mechanisms despite offering AI education products
- Enterprise sales terms reference compliance with 'Data Protection Laws' generically without naming specific standards (GDPR, CCPA, etc.)
- Infrastructure relies on cloud providers (AWS/Azure) but edX does not publicize own certifications or third-party audit results
// At a glance
Pricing model
Freemium (audit free, verified certificate paid); subscription-based executive education; degree programs with tuition; B2B enterprise subscriptions
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on edX LLC (owned by 2U, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
edx.org