// Trust & Security Report
Khan Academy, Inc.
Khan Academy is a US 501(c)(3) nonprofit education platform (free K-12/college video lessons and practice). Khanmigo is its GPT-4-based AI tutor/teaching-assistant product, offered directly to individual learners/parents/teachers and, separately, bundled into Khan Academy Districts for schools; Khan Academy Kids is a distinct app for under-13 users with its own privacy policy.
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on support.khanacademy.org“Khan Academy performs regular security compliance assessments and undergoes an annual external penetration test and annual SOC2 Type2 audits.”
Verify on shop.khanacademy.org“Pursuant to the General Data Protection Regulation ("GDPR"), if you are a resident of the European Economic Area ("EEA"), we process your personal information under the following lawful bases... If you are a resident of the EEA, you have the right to access the Personal Information we hold about you, to port it to a new service, and to ask that your Personal Information be corrected, updated, or erased.”
> Show 7 unconfirmed / not-held certifications
source: khanacademy.orgNo public evidence: no mention of ISO 27001 on khanacademy.org, support.khanacademy.org, or khanmigo.ai; a third-party scanner (Nudge Security) labels Khan Academy 'ISO 27001 Compliant' but this is not a vendor-domain claim and could not be corroborated.
source: khanacademy.orgNo public evidence. Khan Academy is an education product governed by FERPA/COPPA/PPRA, not a covered entity; no vendor page references HIPAA. (A third-party scanner separately mislabels it 'HIPAA Compliant' with no vendor-side support.)
source: khanacademy.orgNo public evidence of a PCI DSS attestation on any Khan Academy-controlled domain.
source: khanmigo.aiNo public evidence found. Despite Khanmigo being an AI-tutor product built on GPT-4, no AI-governance certification is referenced on any Khan Academy domain.
source: khanacademy.orgNo public evidence found; not applicable, Khan Academy sells to K-12 districts, not as a federal cloud service.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primary hosting is the US (Google Cloud Platform / Google Cloud Run, per Khan Academy's own security-practices Help Center article). For the separate Khan Academy Store (merchandise, not the core learning/Khanmigo product), the vendor's own policy states EEA personal information is 'initially processed in Ireland and then will be transferred outside of Europe for storage and further processing, including to Canada and the United States.' No dedicated EU-region hosting was found for the core platform.
Khan Academy states content submitted by teachers and students through Khanmigo is not used to train the underlying AI models, and that it does not allow OpenAI (its LLM provider) to train models on student/teacher data or share names/personal information with the LLM provider. Data collected via Khanmigo is described as used only internally to improve the product, not sold. For school partnerships, Khan Academy signs Student Data Privacy Agreements (e.g. via the SDPC/A4L Resource Registry and state-specific templates such as an Ed Law 2D-compliant NY DPA) asserting FERPA/COPPA/PPRA compliance.
// Security controls
Encryption in transit
Personal information is protected with encryption during transmission over the public internet; Khan Academy's Help Center states support for TLS 1.3, AES256 encryption, and SHA256 signatures.
support.khanacademy.orgHosting infrastructure
Website and mobile app hosted on Google Cloud Platform (Google Cloud Run), US region; GCP-encrypted at rest with an additional encryption layer applied to personal data.
support.khanacademy.orgPenetration testing
Annual external penetration test, alongside annual SOC 2 Type II audits.
support.khanacademy.orgIncident response
Documented incident response plan (detection/reporting, communication, isolation, resolution, post-mortem) exercised at least annually.
support.khanacademy.orgVulnerability disclosure
Public vulnerability disclosure / bug bounty program hosted on HackerOne.
hackerone.comNo third-party advertising / no data sale
Khan Academy states it does not sell personal information and does not display third-party advertising; it is a signatory of the Student Privacy Pledge.
khanacademy.org// Products & data scope
data: Learner account, progress/mastery data, optional school rostering
Free, ad-free, nonprofit; consumer and school use.
data: Chat/tutoring conversation content, learner profile
$4/month subscription for learners and parents (up to 10 children per parent account); GPT-4-based, built with OpenAI as the underlying LLM provider.
data: Lesson-planning content, rubric/exit-ticket generation prompts
Free for teachers in 44+ countries.
data: Student rostering data (via Clever/ClassLink), education records (FERPA), classroom AI tutoring interactions
Per-student annual pricing (roughly $5-15/student/year depending on tier); custom Enterprise pricing above ~1,000 licenses; includes signed Student Data Privacy Agreements, automated rostering, and dedicated implementation support.
data: Child account data (under 13), governed by a separate Kids Privacy Policy with its own GDPR/COPPA provisions
Distinct app and privacy policy from the main khanacademy.org Children's Privacy Notice.
// What to watch
- Recommend a human re-check by opening the URL in a normal browser before treating SOC 2 as fully confirmed.
- A third-party security-scanning tool (Nudge Security) publicly labels Khan Academy as 'HIPAA Compliant, SOC 2 Compliant, GDPR Compliant, and ISO 27001 Compliant.' No vendor-domain evidence supports the ISO 27001 or HIPAA portions of that claim, so both are graded held=false here; flagging this as a potential over-claim / contradiction that should not be repeated on the AIFOXX listing.
- No AI-governance-specific certification (ISO/IEC 42001, CSA STAR for AI) found despite Khanmigo being a GPT-4-based AI tutoring product; this is common for the market segment but worth noting given Khanmigo is the AI-facing product being listed.
- GDPR lawful-basis language was found on the Khan Academy Kids privacy policy and the Khan Academy Store (merchandise) privacy policy, both on khanacademy.org/shop.khanacademy.org, but the main khanacademy.org/about/privacy-policy capture (limited to the first ~18,000 characters) did not reach its 'Regional information' section, so GDPR language specific to the core adult/teacher product's own primary privacy policy was not directly re-confirmed in this pass.
// At a glance
Pricing model
Freemium: core platform is free; Khanmigo is a paid consumer add-on ($4/month for learners/parents, free for teachers); Khan Academy Districts uses per-student annual licensing with custom Enterprise pricing above ~1,000 students.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Khan Academy, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
khanacademy.org