// Trust & Security Report

    Yanka Industries, Inc. (d/b/a MasterClass) logo

    Yanka Industries, Inc. (d/b/a MasterClass)

    Digital learning platform delivering on-demand video instruction from celebrity/expert instructors, professional certificate programs, AI-powered coaching (On Call), and enterprise learning and development (MasterClass at Work), accessible via web and native mobile apps

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Trust center resources list 'MasterClass-2025-Type 2 SOC 2-Final Report' and the Compliance section explicitly shows 'SOC 2' as a certified framework

    Verify on trust.masterclass.com
    GDPR (compliance posture)
    HELD

    Trust center states 'MasterClass strictly adheres to all applicable data privacy laws and regulations, such as GDPR, CCPA, and others'; enterprise DPA covers SCCs for EU data transfers

    Verify on trust.masterclass.com
    CCPA
    HELD

    Trust center states 'MasterClass strictly adheres to all applicable data privacy laws and regulations, such as GDPR, CCPA, and others'; privacy policy includes dedicated California Privacy Notice

    Verify on trust.masterclass.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on trust center or any vendor-domain page; not listed in trust center compliance section

    source: trust.masterclass.com
    HIPAA
    NOT CONFIRMED

    No public evidence; MasterClass is a consumer/enterprise learning platform with no healthcare data processing scope; HIPAA not claimed on trust center or privacy pages

    source: trust.masterclass.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification; MasterClass collects payment card data but no PCI DSS attestation found on trust center or public vendor-domain pages

    source: trust.masterclass.com
    CSA STAR
    NOT CONFIRMED

    CAIQ 4.1.0 (2026) document available on trust center ('CAIQv4.1.0_2026-export.xlsx') indicating a self-assessment; no CSA STAR listing found in public CSA registry search; self-assessment alone does not constitute STAR certification

    source: trust.masterclass.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence; not claimed on trust center or any vendor-domain page

    source: trust.masterclass.com
    ISO 27017 / ISO 27018
    NOT CONFIRMED

    No public evidence; not listed on trust center

    source: trust.masterclass.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Not specified publicly; MasterClass is US-headquartered; privacy policy references an 'International Transfer and Data Privacy Framework' section and the enterprise DPA uses 2021 EU SCCs for cross-border transfers

    Privacy policy states MasterClass 'may use and process your information (including, in some instances, through the use of artificial intelligence (AI) and large language model technologies)' for service delivery purposes, but does not explicitly state whether user data is used to train AI models. The 'On Call' AI coaching product builds on partnerships with 'world-class experts' but publishes no data handling or model training posture. No opt-out mechanism for AI/LLM data processing is documented. Terms of Service prohibit third parties from scraping MasterClass content for AI training but are silent on whether MasterClass itself trains on customer interaction data.

    // Security controls

    Encryption in transit

    TLS/SSL confirmed; homepage states 'Secured with SSL'; trust center lists 'data encryption utilized' as a product security control

    trust.masterclass.com

    Encryption at rest

    Confirmed; trust center lists 'data encryption utilized' under product security controls; Cryptography Policy document available

    trust.masterclass.com

    Multi-factor authentication

    Remote access MFA enforced (trust center infrastructure security control)

    trust.masterclass.com

    Penetration testing

    Annual third-party pen test; 2025 Web and Mobile App penetration test summary publicly available on trust center

    trust.masterclass.com

    Employee background checks

    Employee background checks performed (trust center organizational security control)

    trust.masterclass.com

    Anti-malware

    Anti-malware technology utilized (trust center organizational security control)

    trust.masterclass.com

    Portable media encryption

    Portable media encrypted (trust center organizational security control)

    trust.masterclass.com

    Business continuity and disaster recovery

    Continuity and disaster recovery plans established; dedicated BCDR policy document available on trust center

    trust.masterclass.com

    Cybersecurity insurance

    Cybersecurity insurance maintained (trust center internal security procedures control)

    trust.masterclass.com

    Data retention and deletion

    Data retention procedures established; customer data deleted upon account departure (trust center data and privacy controls)

    trust.masterclass.com

    Third-party risk management

    Third-Party Risk Management Policy available on trust center; service providers contractually prohibited from using data for other purposes

    trust.masterclass.com

    Vulnerability disclosure / security contact

    security@masterclass.com published on trust center for reporting security issues

    trust.masterclass.com

    // Products & data scope

    MasterClass IndividualConsumer on-demand learning

    data: Email, billing details, viewing history, voice recordings (speech-to-text features), device and usage telemetry, marketing preferences

    Starting at ~$10/month billed annually; 30-day money-back guarantee; 200+ video classes; individual consumer DPA not available; security commitments are platform-wide

    MasterClass at WorkEnterprise learning and development

    data: All individual data plus team/org usage analytics, authorized-user account management, enterprise admin controls

    Enterprise DPA available at masterclass.com/enterprise-dpa; covers GDPR, CCPA, UK Privacy Act, Swiss FADP with SCCs; audit rights included; enterprise security commitments backed by SOC 2 Type 2

    MasterClass CertificatesProfessional credential programs

    data: Application materials (written responses, audio/video submissions, resumes) processed by third-party evaluation partners; completion credentials

    Third-party application processors may handle sensitive application data; review sub-processor privacy policies independently

    MasterClass On CallAI-powered coaching

    data: Conversational AI interaction data, user prompts, coaching session content; exact data scope unpublished

    Built 'in exclusive partnership with world-class experts'; no published AI model identity, data retention policy, or training posture; significant data handling gap for AI feature

    MasterClass ExecutiveExecutive-focused learning program

    data: Similar to MasterClass at Work; executive-tier access

    Limited public information on distinct security posture vs. at-work tier

    // What to watch

    • AI training posture unresolved: privacy policy permits AI/LLM processing of user data but is silent on whether data trains models; no opt-out documented
    • On Call AI coaching product has no published data handling, model identity, or training posture - significant gap for AI-powered product
    • SOC 2 Type 2 report is gated (access request required via trust center) - scope and criteria covered cannot be independently verified by third parties without NDA
    • CSA STAR: CAIQ 4.1.0 self-assessment document available but no CSA STAR certification found in registry; listing as STAR-certified would be an over-claim
    • PCI DSS: MasterClass collects payment card data but no PCI DSS attestation is published; scope may be handled via payment processor (Stripe or similar) rather than direct PCI certification
    • DPA is enterprise-only: individual consumer accounts have no explicit DPA coverage or equivalent contractual security SLA
    • Data residency not specified: enterprise customers requiring data-at-rest in specific regions cannot confirm this capability from public documentation

    // At a glance

    Pricing model

    Subscription; individual from ~$10/month (billed annually); team/enterprise pricing via sales

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Yanka Industries, Inc. (d/b/a MasterClass)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.masterclass.com

    > Browse all vendor trust reports