This article includes an overview of Udemy Business Pro security protocols, as well as answers to frequently asked questions we receive regarding them.
Product Description: Udemy Business Pro is a new premium add-on that enhances our Udemy Business offering by providing a deeper learning experience for professionals in Information Technology, Development and Data & Analytics. Pro helps learners achieve their learning outcomes through immersive engagement of Udemy Business (UB) courses with features such as Udemy Paths, Assessments, Workspaces and Labs that guide, challenge, reinforce and support learning.
Subprocessors: Udemy Business Pro labs and workspaces use the subprocessors AWS and Vocareum.
- AWS is a cloud hosting provider used in the delivery of Udemy Business Pro. Udemy Business Pro workspaces leverage an AWS account that is isolated from the rest of Udemy’s services.
- Udemy Business Pro leverages Vocareum virtual computing lab environments, where users can conduct hands-on technical training through the Udemy platform. Vocareum runs on AWS.
Udemy’s Security Program and Udemy Business Pro
Udemy’s security program is governed by a controls framework consisting of consolidated requirements from data protection laws, regulatory bodies, industry best practices, business objectives, and additional standards, including:
- ISO 27001
- General Data Protection Regulation (GDPR)
- CIS CSC 20
- COSO Principles
Udemy’s Information Security and Product Engineering teams are responsible for designing and implementing Udemy’s Security framework across the Udemy infrastructure and across applications and features such as Udemy Business and Udemy Pro, respectively. Udemy’s Privacy team provides oversight on alignment to applicable Data Privacy laws (e.g., CCPA, GDPR).
Udemy conducts due diligence and security assessments of all subprocessors and service providers and executes confidentiality and data processing agreements, obligating third parties to applicable data privacy and data security standards. Requirements of our service provider management program include:
- Authorized on-boarding and off-boarding of all third-party services are completed using a process designed to address privacy and security considerations thoroughly and consistently.
- Risk tracking, control evaluations, and corrective actions of all third parties are done using a governance, risk management, and compliance (GRC) solution.
- Standard requirements such as security certifications are confirmed before vendors are approved.
- Security validation checks are performed pre- and post-implementation to ensure the discovery, tracking, and resolution of security issues.
- A GDPR-compliant DPA and other agreements are executed to ensure that our service providers adhere to our high data privacy and security standards.
- Annual due diligence of all high-risk vendors is performed to ensure compliance.
- All high-risk third-party vendors must comply with our Business Impact Analysis strategies, vulnerability management guidelines, and penetration testing (annual reports).
Frequently Asked Questions (FAQs):
- Where is the data stored?
- Will users be able to upload data into these tools and who will have access to it?
- What user activity is logged in these tools?
- Do customers have access to the user activity logs?
- Does the Udemy Business Admin console provide access to Udemy Business Pro user activity insights reports?
- Was Udemy Business Pro included in the 2021 Udemy Business SOC 2 Type II audit?
- Is any personally identifiable information (PII data) shared with sub-processors hosting Udemy Business Pro?
- Is there a way to limit which specific users (or groups) will have access to Udemy Business Pro?
- What URLs and IP addresses will customers need to allowlist for Udemy Business Pro AWS and Vocareum Labs?
- What are the system requirements for customers to use Udemy Business Pro?
Where is the data stored?
Assessment answers are stored on Udemy systems.
For any code written in AWS and Data Science labs, the practice code (and data) is stored in Vocareum, which is hosted on AWS.
For any code that is written in Software labs, the practice code and data are stored in Udemy's infrastructure and are hosted in AWS.
For Udemy Paths:
Udemy Paths do not include any user-related or user-inputted data.
Will users be able to upload data into these tools and who will have access to it?
Users are restricted to answering multiple-choice questions (e.g., single or multiple-choice options) and can optionally provide free-text feedback on questions. No other data can be uploaded.
For AWS labs, users may upload data to AWS, where AWS and Vocareum have access to the data.
For Data Science labs workspaces, users may upload data to RStudio or Jupyter Notebook, which run on Vocareum infrastructure, where Vocareum [and AWS] have access to it.
Software Development labs run on infrastructure that is owned by Udemy and is hosted in AWS. Udemy Business and AWS will have access to Software Development labs data.
Students/Learners can upload files in their lab environment via the lab Integrated Development Environment (IDE).
Note: All lab workspaces have 3-hour sessions. Any data that is entered in the workspace is automatically erased (irreversibly) at the end of the 3-hour session.
For all labs, feedback forms will allow students to send feedback that may be forwarded to the instructor.
For Udemy Paths:
No data can be uploaded in Udemy Paths.
What user activity is logged in these tools?
In addition to the user activity tracking in Udemy Business:
Udemy logs user/learner starts, finishes, attempts to answer a question, feedback, and whether the user answers a question correctly.
Udemy logs learner starts, finishes, button clicks, times when workspaces are active, task completion, lab completion, times when lab is active, and number of lab attempts. Vocareum and AWS log additional service-level details.
For Udemy Paths:
Udemy logs user enrollment, progress, and completion of a path.
Do customers have access to the user activity logs?
Customers do not have access to raw activity logs, but customers do have access to some usage data through Udemy Business Admin insights reporting.
Does the Udemy Business Admin console provide access to Udemy Business Pro user activity insights reports?
Yes, the Udemy Business Admin console enables Admins to export reports and selected access and usage data. Learn more about Udemy Pro Insights.
Was Udemy Business Pro included in the 2021 Udemy Business SOC 2 Type II audit?
No, Udemy Business Pro was not in scope for the 2021 SOC 2 audit because the product was still in beta.
Is any personally identifiable information (PII data) shared with sub-processors hosting Udemy Business Pro?
No, Udemy Business Pro does not require the collection or processing of any PII. Users do not need to enter any credentials to access labs. Connections are authenticated using non-PII temporary lab credentials from existing Udemy Business sessions. Optional in-product surveys request an email address.
Is there a way to limit which specific users (or groups) will have access to Udemy Business Pro?
No, this function is not currently available. Our team is working on making this available in the near future.
What URLs and IP addresses will customers need to allowlist for Udemy Business Pro AWS and Vocareum Labs?
What are the system requirements for customers to use Udemy Business Pro?
Review the system requirements for Udemy Business.
Do you have more questions?
Please contact your Udemy Business Account Executive, Customer Success Manager, or Udemy Business Support with any additional questions.