Credly's Data Security & Privacy Policy

Revised: July, 2020

We built Credly because people should own and control their achievements.  That mission is aligned with a larger global trend of empowering individuals with control over their own data. Our policies and procedures operationalize that commitment to protecting the security and privacy of our customers and their employees, members, learners, and users. We invest in best practices and compliance with industry standards. All Credly employees are trained in data security and privacy principles.


ISO Certifications

The ISO 27001 standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The ISO 27001 is considered the gold standard for data security compliance. 


The ISO 9001 standard specifies requirements for a quality management system when an organization: needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements. Credly's ISO 9001 standard ensures that Credly operates with excellence in delivering software and services to our customers. 


The ISO 22301 standard specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise. Credly's ISO 22301 helps customers rest assured in Credly's durability and resistance to disasters and disruptions. 




Credly’s physical infrastructure is hosted and managed by Amazon Web Services (AWS). AWS Amazon’s data center operations have achieved a wide variety of security certifications and serve as the backbone for many of the websites and services you use every day. Read more about AWS Security certifications and commitments.



The European Union’s General Data Privacy Regulation (GDPR) is a law that seeks to give individuals control over their personal data. It also limits what companies can do with personal information, including requiring informed consent or good reason to store personal information.  It gives individuals the right to know what information is held about them and allows a person to request information about them is irreversibly deleted.

Credly complies with the GDPR by maintaining the ongoing confidentiality, integrity, availability, and resilience of our systems that process personal data of badge earners; by ensuring we can restore data in a timely manner in the event of a physical or technical incident; and by regularly testing, assessing and evaluating the effectiveness of our technical and organizational measures.  

Credly requires its subprocessors to comply with the terms of the GDPR. You can view a list of our subprocessors at Credly complies at all times with the terms of its privacy policy.

Credly offers customers a Data Processing Addendum, which is available on request.   



Credly is certified to the US-EU privacy shield. You can validate our certification on the Privacy Shield site.

EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to enable companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. To join either Privacy Shield Framework, Credly self-certified to the Department of Commerce and commits to ongoing compliance with the Framework’s requirements. Credly maintains a privacy shield compliant privacy policy.  



Credly’s data protection program is aligned with the AICPA Trust Services criteria. Credly has been certified to the Service Organization Control 2 (“SOC-2”) standard which covers various organizational controls related to security, availability, processing integrity, confidentiality, and privacy.

A copy of Credly’s SOC-2 report is available to customers on request. 


Credly regularly runs penetration testing and vulnerability scans of our code base. Our development team learns of existing and potential vulnerabilities through internal and external assessments, system patch monitoring, and review of third-party mailing lists and services. Results from each assessment are reviewed, ranked according to risk, and assigned to the responsible team for remediation.

Pen test, vulnerability scan and audit results are available to customers on request.


Credly regularly performs static and active scans of its codebase for the OWASP Top 10 vulnerabilities. We also analyze for vulnerabilities during code review. Data integrity checks for both input and output are built into our software. Encrypted backups are tested periodically to ensure data can be recovered. Key employees are trained on Credly’s Disaster Recovery plan and prepared to execute it successfully. Anti-virus software is installed and executing on all workstations and servers. Workstation passwords are changed on a regular basis are required to use strong characteristics.




Credly believes in fostering a world in which people have equal access to opportunity. That belief extends to ensuring everyone can be recognized for his or her achievements, including those with limited capacities to see, hear, or exercise muscular control.

A Voluntary Product Accessibility Template, or a “VPAT” is a document containing information regarding how an information and communications technology product or service conforms with Section 508 of the U.S. Rehabilitation Act of 1973 (as amended).



“FERPA” stands for the Family Educational Rights and Privacy Act of 1974 (as amended), a law which governs United States education institutions who receive federal funding and seeks to protect the privacy of a student's educational records. FERPA gives students (or their guardians) the right to control the disclosure of their education records to others.

Credly works with many educational institutions and they all care (a lot!) about FERPA compliance. Credly offers a naturally compliant solution that, by design and by default, allows earners complete control over their use of their information. Once earned, digital badges and credentials are controlled by the student who can adjust privacy settings on individual credentials and on their Credly accounts at any time.



The Children’s Online Privacy Protection Act (COPPA)  is a federal law protecting the online privacy of children under 13 years of age. COPPA places a variety of requirements on operators of websites and applications to ensure the protection of children's personally identifiable data and the control by parents of that data. Some of COPPA’s key requirements include the need to obtain verifiable parental consent to collect and maintain children’s personal data, including the right for parents to demand that such data be deleted, ensure the confidentiality of that data, and to maintain a clear privacy policy detailing how such data is handled. You can learn more about COPPA through the Federal Trade Commission (FTC)’s overview website.  

Credly works with schools and parents to comply with COPPA by obtaining consent through our K-12 institutional customers, honoring parental requests for data deletion, and implementing appropriate data privacy and security safeguards.