UDEMY SECURITY FAQ

Enterprise-grade security to protect your data

Security is built into every aspect of how Udemy users learn and engage with Udemy’s services, while minimizing impact to usability, so that you can get the most value out of Udemy when engaging in learning initiatives via a native Web or native mobile app.

Attestations & Compliance

What data does Udemy Business require?

The Udemy Business service minimally requires employee email address and name to provision system access. Additional user data (e.g., employee ID or department) can be provided, but this is optional. Udemy does not collect or process sensitive or special category personal data.

How is my data protected?

Udemy’s security strategy is governed by a controls framework. The framework consists of consolidated requirements from regulatory bodies, critical security controls, and industry standards. Udemy’s senior leadership, Legal and Information Security teams guide alignment with industry standard security frameworks.

The baseline for Udemy’s security framework is derived from:

  • NIST Cybersecurity Framework
  • Custom Control Framework (e.g., Privacy, Financial, Security)
  • Risk Management Framework (Binary Risk/FAIR)

Data Encryption

Udemy uses industry-standard encryption methods (e.g., RSA asymmetric-key algorithms) designed to encrypt communications between Udemy systems and user browsers. All data transmitted between customers and the Udemy Business service uses industry-standard protocols such as TLS 1.2 (or greater) for data in transit, and 256-bit ciphers for data at rest. Access to Udemy’s production network and infrastructure is restricted from open, public networks (i.e., the Internet). Only Udemy-controlled application services are allowed access to Udemy’s production infrastructure.

Data Location

The Udemy Business site (SaaS cloud hosted Web Application) is hosted in a shared infrastructure with logical separation of customer (tenant) data.  Each customer, and user, can only access the data that they have entitlements to.  Access to the data is logically restricted to each customer and their authorized users via authentication and authorization (see Identity Management below).  Udemy data center vendors are located in the United States.  Our data center vendors are industry-leading service providers, with state-of-the-art physical protection.

Identity Management

Securing access to your data begins with identity controls that align with your company’s policies. Udemy allows each customer to deploy federated Single Sign-On to manage access (and revocation) to your Udemy Business Web application environment.  This enables you to centrally manage the authentication and authorization of users so that only authorized users and admins are granted permissions from a central identity system.

Identity Controls

  • SAML-based Single Sign-On (SSO)
  • Session duration
  • Multi-Factor authentication (via SAML SSO)
  • User and Group provisioning and deprovisioning via JIT/SCIM

Udemy and the EU General Data Protection Regulation (GDPR)

The Udemy Business service minimally requires employee email address and name to provision system access. Additional user data (e.g., employee ID or department) can be provided, but this is optional. Udemy does not collect or process sensitive or special category personal data.
