Security at Coursera
Information Security
Coursera maintains a robust security program with clear and comprehensive policies and security requirements that govern our organization. The objective for our security program is to protect information, intellectual property, and systems of Coursera and our learners, customers, and partners, while simultaneously complying with industry best standards.
Compliance
Our security policies, procedures, and standards are based on the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001. In addition, we use an independent third-party service provider to periodically audit our platform against leading industry standards. Coursera's ISO 27001 certificate details are available publicly in our auditor's (Schellman LLC) directory here.
Coursera’s security program is also SOC 2 Type 2 attested, affirming that Coursera’s information security practices meet or exceed the rigorous SOC 2 security and availability standards. The scope of this report is limited to the controls supporting the Coursera platform, as well as its supporting tools, services, and core product offerings.
Data Protection
Coursera maintains policies and procedures to govern data classification, protection, and secure handling. Based on these policies, data is encrypted at rest and in transit using industry best standards.
Access Control
We maintain policies and procedures to control access to infrastructure and systems by following the principle of least privilege, and by conducting regular access reviews to ensure access is limited to key personnel on a need-to-know basis.
Secure Software Development
Coursera has policies and procedures to ensure that system, device, application, and infrastructure development aligns with industry standards. We employ a Software Development Life Cycle (SDLC) framework to ensure secure design principles are built into our design and development pipelines for all of our product offerings.
Disaster Recovery and Business Continuity
Coursera maintains disaster recovery and business continuity functions to ensure critical business processes are not affected by any extraordinary events, and that learners, customers, and partners enjoy uninterrupted access to the Coursera platform. As an organization, we partake in regular disaster recovery exercises and conduct business continuity testing at least annually.
Incident Management
Through our incident management program we monitor, alert, investigate, triage, and remediate security events without undue delay. Our incident response team determines the scope and impact of security events and works with respective teams to quickly remediate any issues.
Responsible Disclosure
Security is a top priority at Coursera. We believe that no technology is perfect and that working with skilled security researchers across the globe is crucial to identifying weaknesses in our technology. If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly. To learn more or to submit a report through our responsible disclosure program, please click here.