This article includes an overview of Udemy Business Pro security protocols, as well as answers to frequently asked questions we receive regarding them.
Product Description
Udemy Business Pro is a premium add-on that enhances our Udemy Business offering by providing a deeper learning experience for professionals in Information Technology, Development, and Data & Analytics. Udemy Business Pro helps learners achieve their learning outcomes through immersive engagement of Udemy Business (UB) courses with features such as Udemy Paths, Assessments, Workspaces, and Labs that guide, challenge, reinforce and support learning.
Subprocessors: Udemy Business Pro Labs and Workspaces utilize subprocessors AWS, Azure, and Vocareum.
- AWS is a cloud hosting provider used in the delivery of Udemy Business Pro. Udemy Business Pro workspaces leverage an AWS account that is isolated from the rest of Udemy’s services.
- Udemy Business Pro leverages Vocareum virtual computing lab environments, where users can conduct hands-on technical training through the Udemy platform. Vocareum runs on AWS or Azure, depending on which lab environment you’re in.
Udemy’s security program and Udemy Business Pro
Udemy’s security program is governed by a controls framework consisting of consolidated requirements from data protection laws, regulatory bodies, industry best practices, business objectives, and additional standards, including:
- ISO 27001
- General Data Protection Regulation (GDPR)
- CIS CSC 20
-
COSO Principles
Udemy’s Information Security and Product Engineering teams are responsible for designing and implementing Udemy’s Security framework across the Udemy infrastructure and applications and features such as Udemy Business and Udemy Pro respectively. Udemy’s Privacy team provides oversight on alignment to applicable Data Privacy laws (e.g., CCPA, GDPR).
Udemy conducts due diligence and security assessments of all subprocessors and service providers and executes confidentiality and data processing agreements, obligating third parties to applicable data privacy and data security standards. Requirements of our service provider management program include:
- Authorized onboarding and off-boarding of all third-party services are completed using a process designed to address privacy and security considerations thoroughly and consistently.
- Risk tracking, control evaluations, and corrective actions of all third parties are done using a governance, risk management, and compliance (GRC) solution.
- Standard requirements such as security certifications are confirmed before vendors are approved.
- Security validation checks are performed during pre and post-implementation to ensure the discovery, tracking, and resolution of security issues.
- A GDPR-compliant DPA and other agreements are executed to ensure that our service providers adhere to our high data privacy and security standards.
- Annual due diligence of all high-risk vendors is performed to ensure compliance.
- All high-risk third-party vendors must comply with our Business Impact Analysis strategies, vulnerability management guidelines, and penetration testing (annual reports).
Frequently Asked Questions (FAQs):
- Where is the data stored?
- Will users be able to upload data into these tools and who will have access to it?
- What user activity is logged in these tools?
- Do customers have access to the user activity logs?
- Does the Udemy Business Admin console provide access to Udemy Business Pro user activity insights reports?
- Is any personally identifiable information (PII data) shared with sub-processors hosting Udemy Business Pro?
- Is there a way to limit which specific users (or groups) will have access to Udemy Business Pro?
- Is there a way to prevent users from uploading unwanted data into Udemy Business Pro?
- What URLs and IP addresses will customers need to allowlist for Udemy Business Pro AWS and Vocareum Labs?
- What are the system requirements for customers to use Udemy Business Pro?
Where is the data stored?
For Assessments:
Assessment answers are stored on Udemy systems.
For Labs:
For any code written in AWS, Azure, and Data Science labs, the practice code (and data) is stored in Vocareum, which is hosted on AWS or Azure.
For any code that is written in Software labs, the practice code and data are stored in Udemy's infrastructure and are hosted in AWS or Azure.
For Udemy Paths:
Udemy Paths do not include any user-related or user-inputted data.
Will users be able to upload data into these tools and who will have access to it?
For Assessments:
Users are restricted to answering multiple-choice questions (e.g., single or multiple-choice options) and optionally provide feedback in the form of free text to provide feedback on questions. No other data can be uploaded.
For Labs:
For AWS/Azure labs, users may upload data to AWS/Azure, where AWS/Azure and Vocareum have access to the data.
For Data Science labs workspaces, users may upload data to R Studio or Jupyter Notebook which is run on Vocareum infrastructure, where Vocareum [and AWS] have access to it.
Software Development labs run on infrastructure that is owned by Udemy and is hosted in AWS or Azure. Udemy Business and AWS or Azure will have access to Software Development labs data.
Students/Learners can upload files in their labs environment via lab Integrated Development Environment (IDE).
Please note: All lab workspaces have 3-hour sessions. Any data that is entered in the workspace is automatically erased (irreversibly) at the end of the 3-hour session.
For all labs, feedback forms will allow students to send feedback that may be forwarded to the instructor.
For Udemy Paths:
No data can be uploaded in Udemy Paths.
What user activity is logged in these tools?
In addition to the user activity tracking in Udemy Business:
For Assessments:
Udemy logs the user/learner starts, finishes, attempts to answer a question, feedback, and whether the user correctly answers a question.
For Labs:
Udemy logs learner starts, finishes, button clicks, times when workspaces are active, task completion, lab completion, times when lab is active, and number of lab attempts. Vocareum, AWS, and Azure log additional service-level details.
For Udemy Paths:
Udemy logs user enrollment, progress, and completion of a path.
Do customers have access to the user activity logs?
Customers do not have access to raw activity logs, but customers do have access to some usage data through Udemy Business Admin insights reporting.
Does the Udemy Business Admin console provide access to Udemy Business Pro user activity insights reports?
Yes, the Udemy Business Admin console enables Admins to export reports and selected access and usage data. Learn more about Udemy Pro Insights.
Is any personally identifiable information (PII data) shared with sub-processors hosting Udemy Business Pro?
No, Udemy Business Pro does not require the collection or processing of any PII. Users do not need to enter any company credentials other than those generated by Udemy for the Workspace. Connections are authenticated using non-PII temporary lab credentials from existing Udemy Business sessions. Optional in-product surveys request an email address.
Is there a way to limit which specific users (or groups) will have access to Udemy Business Pro?
Yes. Only users, group admins, and admins who are assigned Udemy Business Pro licenses will be able to access Udemy Business Pro features & data.
Is there a way to prevent users from uploading unwanted data into Udemy Business Pro?
We can generate in-product banners to remind your learners to not upload any proprietary information into Labs or Workspaces.
What URLs and IP addresses will customers need to allowlist for Udemy Business Pro AWS and Vocareum Labs?
Review the URLs and IP addresses Udemy Business Pro customers will need to allowlist.
What are the system requirements for customers to use Udemy Business Pro?
Review the system requirements for Udemy Business.
Do you have more questions?
Please contact your Udemy Business Account Executive, Customer Success Manager, or Udemy Business Support with any additional questions.