// Trust & Security Report
Quizlet, Inc.
Quizlet is a consumer/education flashcard and study platform (free tier + Quizlet Plus subscription) with classroom features for teachers and students (Quizlet for Classes). It previously offered an AI tutor, Q-Chat, built on the OpenAI API, which has since been discontinued (as of mid-2025 per public reporting). No separate enterprise/API product tier or dedicated healthcare offering was found.
Certifications held
0
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
No public evidence. Quizlet has no dedicated trust center; extensive search of quizlet.com, help.quizlet.com, and third-party compliance trackers found no SOC 2 report, badge, or reference.
No public evidence found on any Quizlet-owned domain or in independent coverage.
No public evidence found.
No public evidence found. No AI-governance certification referenced anywhere on Quizlet's site or help center, despite Quizlet shipping AI features (former Q-Chat tutor, Magic Notes, etc.).
No public evidence found.
No public evidence of a HIPAA compliance program or BAA offering. Quizlet is a general consumer/education product, not a healthcare product, so HIPAA is likely out of scope rather than a gap.
No public evidence found. Quizlet Plus billing is a small subscription flow; no PCI attestation is published, and payment processing is most likely handled by a third-party processor (unconfirmed).
No public evidence found; not a government-focused product.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Not confirmed publicly. Quizlet's GDPR help-center article (per search-indexed content) describes transferring personal data from the EEA to the US using EU-Commission-approved mechanisms (Standard Contractual Clauses), implying primary data processing/storage in the United States. Could not independently verify wording via direct fetch (see flags).
Could not confirm from vendor-domain evidence whether Quizlet trains its own models on user-generated study content (flashcard sets, answers). Quizlet's AI features (formerly Q-Chat, an AI tutor 'built with OpenAI's ChatGPT API' per Quizlet's own 2023 blog post title found via search) rely on third-party model providers (OpenAI) rather than a Quizlet-trained model, based on available reporting; Q-Chat itself appears to have been discontinued (public reporting indicates it was no longer available as of mid-2025). No explicit AI-training opt-out mechanism or AI-specific data-use page was locatable. This is a gap, not a confirmed absence -- flagged for manual follow-up rather than graded as an over-claim either way.
// Security controls
Encryption in transit / at rest
Unconfirmed by direct fetch. Search-engine-indexed text attributed to Quizlet's privacy policy states Quizlet 'uses reasonable efforts to follow generally accepted industry standards to protect personal information submitted to it, both during transmission and after receipt' -- this is a general best-efforts statement, not a specific encryption-standard disclosure (e.g. TLS 1.2+/AES-256), and could not be independently verified against the live page because quizlet.com blocked automated fetch (Cloudflare bot challenge).
quizlet.comVulnerability / abuse reporting contact
A security contact email (security@quizlet.com) is referenced in search-indexed privacy-policy content, suggesting Quizlet accepts security reports, but no public bug bounty program or responsible-disclosure page was found.
quizlet.comInternational data transfer mechanism
Quizlet's GDPR help-center article (search-indexed) describes use of EU-Commission-approved transfer mechanisms including Standard Contractual Clauses for EEA-to-US transfers. The same indexed summary also referenced the EU-US and Swiss-US Privacy Shield Frameworks, which were invalidated (Schrems II, 2020) and later superseded by the EU-US Data Privacy Framework (2023); if the live article still cites 'Privacy Shield' verbatim, that would be stale legacy language -- could not confirm current wording via direct fetch.
help.quizlet.comTrust center / compliance documentation portal
None found. No trust.quizlet.com, security.quizlet.com, or equivalent portal exists; no downloadable SOC 2 report, security whitepaper, or subprocessor list was located.
// Products & data scope
data: User-generated study sets, account/profile data, usage/study activity (some profile and activity data may be publicly visible per the product's social features).
Primary consumer product; account creation via email or SSO (Google/Apple, unconfirmed specifics).
data: Same as free tier plus payment/billing data for subscription management.
Adds AI-assisted study features (e.g. Magic Notes/summary tools per public reporting); billing handled by an unconfirmed third-party payment processor.
data: May include minor (K-12 student) data where used in schools; teacher-managed class rosters and student study activity.
No dedicated COPPA/FERPA compliance page or Student Privacy Pledge signatory confirmation could be located on Quizlet's own domain during this review -- flagged for manual follow-up given the product is widely used in K-12 settings.
data: Conversational study-session data.
Publicly reported as launched in 2023 and no longer available as of mid-2025; not confirmed as currently offered.
// What to watch
- No trust center and no evidence of SOC 2, ISO 27001, HIPAA, PCI DSS, ISO 42001, CSA STAR, or FedRAMP anywhere on Quizlet's own domain or in independent coverage -- normal for a consumer-focused edtech product, but means AIFOXX should not display any compliance badges for this vendor.
- Automated fetch of quizlet.com and help.quizlet.com was blocked by Cloudflare bot-challenge / 403 responses on every attempt. All privacy/security text in this assessment is derived from search-engine-indexed summaries of vendor pages, not a directly verified live fetch -- treat quoted/paraphrased text as indicative, not verbatim-confirmed, until a human re-checks the live pages.
- Possible stale legacy reference to the invalidated EU-US/Swiss-US 'Privacy Shield' framework in Quizlet's GDPR help article (per indexed summary); Privacy Shield was struck down in 2020 and replaced by the EU-US Data Privacy Framework in 2023. Needs direct human verification of the current live wording -- could be an outdated document rather than an active claim.
- No confirmation found of COPPA/FERPA-specific compliance messaging or Student Privacy Pledge signatory status despite Quizlet's significant use in K-12 classrooms -- worth a direct follow-up given the age-sensitive user base.
- AI-training posture (whether user-generated flashcard content is used to train Quizlet's own models, and whether any opt-out exists) could not be confirmed from vendor-domain evidence.
// At a glance
Pricing model
Freemium consumer subscription (Quizlet Plus); no visible enterprise/seat-based or API pricing tier was found.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Quizlet, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
quizlet.com