// Trust & Security Report

    Udemy, Inc. logo

    Udemy, Inc.

    Online learning marketplace: consumer Udemy.com course marketplace (individual purchases), Udemy Business (Team/Enterprise subscription LMS with SSO, admin controls, and enterprise security), Udemy Business Pro (adds generative-AI authoring and coaching tools), and instructor-facing tools including the Instructor Generative AI (GenAI) Program.

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Udemy is pleased to announce the availability of a new SOC 2 Type 2 report; 'SOC 2 Type 2' listed as a document in the Compliance Hub.

    Verify on trust.udemy.com
    ISO/IEC 27001:2022
    HELD

    Effective August 7th, 2024, the Udemy Business platform is officially ISO 27001 certified... Going beyond Udemy's existing SOC 2 Type 2 attestation, ISO 27001 (specifically, ISO/IEC 27001:2022) sets the framework for establishing, implementing, maintaining, and continually improving an Information Security Management System. ('ISO/IEC 27001:2022' also listed as a Compliance Hub document.)

    Verify on about.udemy.com
    GDPR (posture, not a certification)
    HELD

    Udemy Business is designed to comply with the European Union's GDPR, and offers a template Data Processing Addendum that is fully compliant with GDPR. Udemy is a Data Controller and provides a privacy contact (privacy@udemy.com) and Data Processing Addendum; Trust Center lists Transfer Impact Assessments for multiple jurisdictions.

    Verify on business.udemy.com
    SOX (SOX 404 controls)
    HELD

    'SOX' listed as a document/topic in the Trust Center Compliance Hub.

    Verify on trust.udemy.com
    VPAT (accessibility conformance)
    HELD

    'VPAT' listed as a document in the Trust Center Compliance Hub.

    Verify on trust.udemy.com
    > Show 6 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    Trust center lists a 'HIPAA Report' document title under Reports, but no accessible vendor text describes its scope, a Business Associate Agreement offering, or a formal HIPAA certification/attestation claim; HIPAA has no third-party certification standard and Udemy's own security FAQ does not claim HIPAA compliance for the product. Treating as unconfirmed / no public evidence of compliance claim.

    source: trust.udemy.com
    PCI DSS
    NOT CONFIRMED

    No public evidence found; not listed on the Trust Center Compliance Hub or Security FAQ.

    source: trust.udemy.com
    ISO 27017 / ISO 27018 / ISO 27701
    NOT CONFIRMED

    No public evidence found; none of these standards are mentioned on the Trust Center page (checked explicitly).

    source: trust.udemy.com
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence found; not mentioned on the Trust Center or in Udemy's AI/GenAI policy pages found during this review.

    source: trust.udemy.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found; not listed on the Trust Center page.

    source: trust.udemy.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found; not listed on the Trust Center page or FedRAMP marketplace search performed for this review.

    source: trust.udemy.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Primary data centers in the United States (per Udemy Business Security FAQ: 'Udemy data center vendors are located in the United States'); Trust Center separately lists Transfer Impact Assessments covering Honduras, India, Turkey, U.S., and Vietnam for international processing.

    Udemy operates an Instructor Generative AI (GenAI) Program (published policy at support.udemy.com, article 25180159300631). By default all instructors are automatically enrolled and their course content (including personal data such as likeness/voice in some cases) can be used to train Udemy's generative AI tools, unless the instructor opts out during a specific, time-limited annual window (the first window ran roughly Aug 21-Sep 12, 2024, about three weeks). Critically, per the same policy, opting out of the GenAI Program does NOT stop Udemy from continuing to apply generative or non-generative AI models to, or from developing/improving non-generative AI models on, content instructors have already submitted, where that supports 'core capabilities of certain services' -- so the opt-out is partial, not a full data-use opt-out. This is a materially different (weaker) posture than a typical enterprise 'we do not train on your data' claim and should be flagged to buyers, especially instructors and Udemy Business admins uploading proprietary course content.

    // Security controls

    Encryption in transit

    TLS 1.2 or greater for data in transit between customers and the Udemy Business service; RSA asymmetric-key algorithms used to encrypt communications between Udemy systems and user browsers.

    business.udemy.com

    Encryption at rest

    256-bit ciphers for data at rest; optional PGP encryption available for automated data exchanges (e.g., HRIS/LMS integrations) via shared SFTP.

    business.udemy.com

    Tenant isolation

    Udemy Business is hosted on shared infrastructure with logical separation of customer data; access is logically restricted via authentication and authorization so each customer/user can only access data they are entitled to.

    business.udemy.com

    Identity & access management

    Supports federated Single Sign-On (SSO) for centralized authentication/authorization and access revocation for Udemy Business customers.

    business.udemy.com

    Data minimization

    Udemy Business states it minimally requires employee email and name to provision access, treats additional user profile data as optional, and does not collect or process sensitive/special-category personal data.

    business.udemy.com

    Third-party audits / pentesting

    Trust Center publishes penetration test reports, a SIG (Standardized Information Gathering) self-assessment questionnaire, and cyber insurance documentation on request.

    trust.udemy.com

    // Products & data scope

    Udemy (consumer marketplace)Individual course marketplace

    data: Learner account/profile data, payment data (via processor), course progress; open marketplace, no enterprise SSO or admin controls.

    Public-facing evidence of SOC 2 / ISO 27001 is scoped to 'Udemy Business' in vendor announcements; not confirmed that the consumer marketplace product itself is in scope of these certifications. Treat consumer-tier compliance claims with caution.

    Udemy Business (Team / Enterprise)Corporate learning management (LMS) subscription

    data: Employee/learner accounts, SSO-federated identity, admin-managed org data, usage analytics, optional integrations (HRIS/LMS via SFTP).

    This is the product explicitly named in the SOC 2 Type 2 and ISO/IEC 27001:2022 announcements and the Security FAQ / Trust Center.

    Udemy Business ProEnterprise LMS + generative-AI authoring/coaching add-on

    data: Same as Udemy Business plus AI-tool inputs/outputs (prompts, generated content).

    Adds generative AI features; governed by separate 'Generative AI Tool Beta: Additional Terms' referenced in Udemy's legal terms index.

    Instructor GenAI ProgramContent/AI training program for course creators

    data: Instructor-submitted course content, and in some cases instructor likeness/voice, used to train Udemy's generative AI features.

    Opt-in-by-default with a narrow, time-limited annual opt-out window; opting out does not fully stop AI use of previously submitted content for 'core capabilities.' Material for any instructor/creator evaluating this vendor.

    // What to watch

    • Certifications (SOC 2 Type 2, ISO/IEC 27001:2022) are explicitly announced as scoped to the 'Udemy Business' product; no vendor statement confirms the consumer Udemy.com marketplace is within the certification boundary. Do not imply platform-wide certification.
    • HIPAA: Trust Center lists a 'HIPAA Report' document title with no accessible description of its content or a BAA offering; graded held=false pending clearer vendor confirmation. Do not list HIPAA compliance for this vendor.
    • AI training opt-out is materially limited: the Instructor GenAI Program opt-out window is short and annual, and even opting out does not stop Udemy's continued use of already-submitted content for 'core capabilities' of certain (non-generative) AI models. This is a meaningful over-claim risk if AIFOXX copy simply says 'AI training opt-out available' without the caveat.
    • Several vendor security/legal pages (support.udemy.com, business-support.udemy.com, www.udemy.com/terms/*, about.udemy.com) returned HTTP 403 to automated fetch in this session; facts from those pages were corroborated via search-engine-quoted excerpts and independent press coverage rather than a direct live re-fetch, which caps confidence at medium.

    // At a glance

    Pricing model

    Consumer: per-course one-time purchase (frequent deep discounting) plus a personal subscription plan. Udemy Business: seat-based annual/enterprise subscription (Team, Enterprise, Pro tiers) sold via sales-assisted contracts.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Udemy, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.udemy.com

    > Browse all vendor trust reports