UDEMY SECURITY FAQ
Enterprise-grade security to protect your data
Security is built into every aspect of how Udemy users learn and engage with Udemy’s services, while minimizing impact to usability, so that you can get the most value out of Udemy when engaging in learning initiatives via a native Web or native mobile app.
Trusted by 14K+ businesses around the world
What data does Udemy Business require?
The Udemy Business service minimally requires employee email address and name to provision system access. Additional user data (e.g., employee ID or department) can be provided, but this is optional. Udemy does not collect or process sensitive or special category personal data.
How is my data protected?
Udemy’s security strategy is governed by a controls framework. The framework consists of consolidated requirements from regulatory bodies, critical security controls, and industry standards. Udemy’s senior leadership, Legal and Information Security teams guide alignment with industry-standard security frameworks.
The baseline for Udemy’s security framework is derived from:
Udemy uses industry-standard encryption methods designed to encrypt communications between Udemy systems and user browsers (e.g., RSA asymmetric-key algorithms). All data transmitted between customers and the Udemy Business service is protected in transit with industry-standard protocols such as TLS 1.2 (or greater), and data at rest is protected with 256-bit ciphers. Access to Udemy’s production network and infrastructure is restricted from open, public networks (i.e., the Internet). Only Udemy-controlled application services are allowed access to Udemy’s production infrastructure.
The Udemy Business site (SaaS cloud hosted Web Application) is hosted in a shared infrastructure with logical separation of customer (tenant) data. Each customer, and user, can only access the data that they have entitlements to. Access to the data is logically restricted to each customer and their authorized users via authentication and authorization (see Identity Management below). Udemy data center vendors are located in the United States. Our data center vendors are industry-leading service providers, with state-of-the-art physical protection.
Securing access to your data begins with identity controls that align with your company’s policies. Udemy allows each customer to deploy federated Single Sign-On to manage access (and revocation) to your Udemy Business Web application environment. This enables you to centrally manage the authentication and authorization of users so that only authorized users and admins are granted permissions from a central identity system.
Udemy and the EU General Data Protection Regulation (GDPR)
Udemy Business is designed to comply with the European Union’s General Data Protection Regulation (GDPR). Under the GDPR framework, customers choose which employees to register for accounts, and customers serve as the controller of the employee data they provide. Udemy serves as the processor, providing services to end-users and processing personal data only as directed by the customer. To support this, we offer a template Data Processing Addendum (DPA), which is fully compliant with GDPR and tailored to the product that we provide, as well as to our internal operations and security measures. We assist customers with data subject requests, like access or deletion requests, received from employees. If you have any questions about our DPA or other GDPR efforts, please let us know.