How Qlik manages privacy in its products

With increasing privacy/data protection regulations, in particular the EU General Data Protection Regulation (GDPR), Qlik realizes that privacy is a significant concern for its customers and partners. Qlik takes this concern seriously and adheres to data protection laws by implementing both security-by-design and privacy-by- design methods in its development process. This Qlik Product Privacy Policy (the "Policy") addresses how data privacy is managed within the Qlik product portfolio.

1. Qlik Product Deployment Options

Qlik's products may be deployed by Customers by installing at a location of the Customer's choosing, which may be on-premises or on Customer's cloud provider of choice ("Customer-Managed Deployment") or by utilizing Qlik Cloud Services. Some Qlik products may be deployed as a Customer-Managed Deployment and on Qlik Cloud Services. The deployment options for Qlik products are listed in the table below. For confirmation of how your Qlik product is deployed, you should contact your organization's systems administrator/IT department.

2. Qlik Customer-Managed Deployment

What Data is sent to Qlik by virtue of a customer using any Customer-Managed Deployment?

1. License Activation: When a Customer-Managed Deployment is deployed, it needs to be activated using a License Enabler File (LEF). As part of the activation process, the user is required to provide information such as license key number, owner organization and owner name to Qlik via the applicable Customer-Managed Deployment for verification and forensic purposes. This information, together with other product-specific non-personal information (e.g. product version, user agent) and the IP address of the device initiating the activation request, is transmitted from the Customer-Managed Deployment to Qlik at the time of initial activation and on such future occasions where the On-Prem Product needs to download an updated LEF file (when additional purchased user licenses are activated, for example). Customers may use one of two systems to activate licenses; Signed License Key (QLS) method or the Serial/Control Number. More information regarding QLS can be found here.
2. Authentication: Authentication is a process that happens on a per-user basis, once per usage session. Once logged in, the user does not have to authenticate again until the session that tracks the user has timed out or the user chooses to actively log out. The purpose of this authentication process is to verify the identity of the user for governance purposes. Authentication differs from authorization; authentication determines whether a user can access the Qlik Customer-Managed Deployment at all, whereas authorization determines what the user, once authenticated, can see or do (as determined by the Administrator user). Authentication data (i.e. username and password) is only sent to Qlik if the user is authenticated using a Qlik Account ("Qlik ID"), such as when logging into an instance of Qlik Sense Desktop that is not connected to a Qlik Sense Enterprise server. A Qlik Account is not required for authentication purposes if user credentials are managed by the Qlik Customer-Managed Deployment directly or via integration with an Identity Access Management system; in these scenarios, neither authorization nor authentication data is sent to Qlik.
3. Usage Data: Qlik Sense Mobile and Qlik Sense Enterprise collect installation and usage data as Customer-Managed Deployments collect installation and usage data as described below. In these products, data is collected on an anonymized basis.
1. Qlik Sense Mobile: Qlik Sense Mobile is capable of collecting administrative data, statistical and demographical data, and operational information and data generated by a user (but not any personal data or personally identifiable information) so that Qlik may gain optimize, support, improve and promote the product. Users may deactivate and reactivate this collection via the Settings Menu within the product.
2. Qlik Sense Enterprise deployed as a Customer-Managed Deployment: Qlik collects system data about your installation of Qlik Sense ("Installation Data") and user metrics ("Usage Data") (collectively, "Collected Data"). More information on these is below. These installations have a tool called Qlikmetrics which uses cookies to store Collected Data. In case of internet connection loss, tracked events are saved locally and resent when the user later regains connectivity.



Type of Collected Data	Example	When sent to Qlik?
Installation Data	System data such as CPU, RAM, language setting, operating system and version, Qlik sense version, screen size and resolution.	On each install, version upgrade or repair
Usage Data	User data within Qlik Sense applications such as mouse movements, what options are clicked, actions taken by the user, visited areas in the product, view states (analysis, edit, insights), features used or not used.	In real time



3. Qlik uses the Collected Data for analytics purposes so we may better understand the technical environments in which our software is installed and the behavior of users in our products so that we may optimize, support and improve our products and services. Any Collected Data received is analyzed on a macro, statistical (not by individual user) basis. Collected Data is identifiable on a customer (i.e. company name) level but is anonymized on an individual (user) level. As no personal data is collected/processed, privacy laws (e.g. EU GDPR) do not apply to such collection/processing. Nonetheless, users have the ability at the time of installation/upgrade to opt out. Thereafter, users can later opt out if they so wish by changing the setting in the Qlik Management Console ("QMC"). Further, Admin Users, on behalf of their entire organization, can opt out their entire organization by changing the setting in the QMC.
4. QLS periodically sends to Qlik license usage metrics data, for more information please see here. In terms of personal data sent to Qlik as part of this process, Qlik only receives IdP names of users (which may not be personal data) which Qlik immediately anonymizes. This data is protected by Qlik as the Data Controller of this data in accordance with our data governance rules.
5. Please see the Qlik User License Agreement ("QULA") PDF for more details on what information is collected and why (www.qlik.com\legal-terms) .
4. Qlik Log Files & Support data
   
   

   What are Log Files?

   Customer-Managed Deployment collect operational data, consisting largely of non-personal statistical, demographic and usage data generated by the Qlik product, in log files ("Log Files") that can later be used for auditing, monitoring and troubleshooting. These Log Files may include user IDs (which could contain personal data).

   Are Log Files sent to Qlik?

   Typically, no. Log Files are saved locally within the customer environment. However, a customer can send Log Files and other data to Qlik to assist with troubleshooting/Support issues. Any content sent to Qlik Support is processed only to resolve the Support issue, is kept securely and is subject to our access and data retention policies. It is recommended that Log Files and any other data content sent to Qlik for troubleshooting/Support issues are treated in accordance with general IT best practices pertaining to security and access permissions.

   Customer-Managed Deployment may be configured via administrative settings to adjust what data is captured in their Log Files. For more detailed information on Log Files by product type, please see the links at the end of this Policy.

3. Qlik Cloud Services

1. What personal data is collected when a customer uses Qlik Cloud Services?

   The only personal data that Qlik receives is authentication information (e.g. Qlik Account). Qlik also processes usage/statistical data on use of the Cloud Products to (i) assist with troubleshooting issues, and (ii) on an aggregate, anonymized basis, for analytics purposes to ensure quality of service and improve the products.

2. Where are the data centers that host Qlik Cloud Services?

   Qlik has three (3) networked data centers: Dublin, Ireland; North Virginia, USA; and Sydney, Australia. Qlik uses Amazon Web Services ("AWS") architecture to host Qlik Cloud Services.

3. Can I choose to keep my Qlik Cloud Services data in my region (e.g. can EU users ensure their data does not leave the EU)?

   Yes, when you create a new tenant for use with your Cloud Product, you can select any of the above three data centers to store your "at-rest" data. Customers maintain control over who they choose to share their apps with, through permissions and access granting.

   The data will leave your region if :

   1. you share the data with a colleague outside the EEA it would be accessed outside EEA; and/or

   2. you attach personal data to a support case (it is not mandatory to provide Qlik with personal data and we advise that you anonymize the data before sending to Qlik) or if a Qlik employee needs to access a tenant (unlikely) to fix an issue, the employee may access the data from any country where Qlik Affiliates are located. Qlik has in place, internally and with relevant Subprocessors data protection agreements ensuring lawful data transfers. Qlik does not use Third parties to provide support for Cloud.

   Qlik uses Third Party Systems for support services and these may be hosted globally. You can find a list of sub-processors here.

4. Content Data Access and Use by Qlik:

   Qlik employees do not access a user's content on Qlik Cloud Services unless (a) the user actively shares it with someone at Qlik (e.g. in a Consulting Services context), or (b) Qlik is prompted by the customer to access the individual content for troubleshooting Only a specific, limited group of Qlik employees can access individual user content to troubleshoot and only under strict controls.

5. Some features of Qlik software (e.g. Insight Advisor) make use web speech API, which are implemented as standard by some modern browsers. To use these features, the user enables voice input for the given web page in the browser. When activated, the browser will send the audio content to a web service selected by the browser provider and return the transcribed text. For example, Google Chrome sends audio files to Google servers, and Microsoft Edge sends audio files to Microsoft Azure. Customers who choose to block access from their users' browsers to these services can ensure that no audio data leaves their premises, and that Qlik features continue to work without the Web Speech capability. Speech and other search features within Qlik's products may store copies of searches to enhance user experience (e.g. for auto-completion purposes of subsequent searches).
6. Architecture & Security:
   
   1. Where is Qlik Cloud Services hosted?
      Qlik Cloud Services are hosted through Amazon Web Services ("AWS"). You can find the AWS Privacy Policy here: https://aws.amazon.com/privacy/. A full description of the Qlik Sense Cloud security features can be found here in the Qlik Sense Cloud Security Overview White Paper.
   2. Data retention of content data
      Users may at any time delete their applications and the associated content is controlled by the user. Once deleted by the user, all information hosted by Qlik in that application is deleted, with back-ups deleted after a period of time in line with our internal data retention rules. For dormant applications (i.e. applications within accounts that have been inactive for over 12 months), Qlik may delete these applications. Likewise, Qlik Sense Cloud accounts that are inactive for more than 12 months may be deactivated by Qlik.
   3. Who can access content data?
      For Qlik Sense Cloud subscriptions, all users have control over who has access to apps shared through their personal streams and group owners can control who has access to apps created and shared as part of a work group.
      
      For Qlik Sense Cloud Basic and Qlik Sense Cloud Plus, apps are not visible to other users until the app creator publishes the app to the user(s) stream. Users control who is invited to view the apps in their stream.
      
      For Qlik Sense Cloud Business, users can only see an app if they have access to the group workspace and/or if they have access to the stream to which an app is published. The group owner can control these access rules from the Qlik Cloud Hub, available within the software.

3. Attunity Products

This section focuses on the Attunity suite of products, which are all on-premise (individually and collectively, "Attunity Products").

1. License Activation: To activate an Attunity Product in development or production, a license document provided with purchase needs to be locally registered with the product. The license document identifies machine or network restrictions and the name of the licensed organization unit, among few other technical details. No information (including personal information) is transmitted to Qlik in this process.
2. Usage data: Attunity products are on-premise and do not transmit usage data back to Qlik.
3. Content data / log files:
   
   

   What are Attunity Log Files?

   Attunity Products produce log files ("Attunity Log Files") whose main role is to aid in troubleshooting scenarios. While the content of the log varies significantly with the logging configuration specified by the customers, they often include information of servers, network addresses, databases, tables and similar technical data. When the highest level of logging is enabled, it is possible for the log files to contain fragments of the data processed by the products and this may contain personal/sensitive content.

   What are Diagnostic Packages?

   In order to enhance the supportability of Attunity Replicate, the product offers an option to download a Diagnostic Package which is a zip file containing log files, definitions (including endpoint definitions), statistics and similar technical data. The diagnostic package is downloaded locally where customer can examine the diagnostics information and if needed, send it all or parts of it to Qlik support for further analysis and to help in troubleshooting. The Diagnostic Package does not include customer or personal data unless such data appears in log files (as explained above) and does not include credentials. When sending Diagnostic Packages to Qlik support, it is recommended to review the included data beforehand and remove items that are deemed sensitive or irrelevant.

   Are Attunity Log Files sent to Qlik?

   Typically, no. Attunity Log Files are saved locally within the customer environment. However, a customer can send Attunity Log Files and other data to Qlik to assist with troubleshooting/Support issues. Any content sent to our Support team is processed only to resolve the Support issue, is kept securely and is subject to our access and data retention policies. It is recommended that Attunity Log Files and any other data content sent to Qlik for troubleshooting/Support issues are treated in accordance with general IT best practices pertaining to security and access permissions.
   
   For more detailed information on Log Files by product type, please see the links at the end of this Policy.

4. Qlik as a Data Processor for customers:

The information below describes when Qlik is a Data Processor and / or Data Controller (as defined under GDPR or analogous legislation).

1. Qlik Cloud Services:

   Qlik is the Data Controller of personal data collected and processed by Qlik to administer, maintain and improve our products, for example authentication data such as usernames and password through Qlik ID, and usage data such as frequency of log-on, usage per day, and traffic/usage per country, etc. which Qlik processes to allocate resources better (e.g. server space) and to better serve Qlik customers and/or improve Qlik services. When subscriptions are purchased Qlik maintains, like all businesses, a database of customer and partner contacts for billing, marketing and other ordinary business purposes. Qlik processes this data in compliance with privacy laws and maintains adequate security protections to protect this data.

   The storing / inputting of personal data content relating to identifiable individuals is not the primary function of Qlik Cloud Services and in conformance with the principle of data minimization and anonymization under GDPR, Qlik does not recommend users insert personal data content into applications in our Cloud Service. For further information please see the Qlik Cloud Services Terms of Service and the Qlik SaaS Services Agreement.

2. Qlik Customer-Managed Deployment & Attunity Products

   Qlik collects basic personal data for which it is the Data Controller (e.g. Qlik Account, Cloud usage data, etc.). As is customary, Qlik also maintains a database of customer and partner contact information for billing, marketing and other ordinary business purposes. Qlik holds this data in compliance with relevant data protection laws and ensures adequate security features are in place around these data types.

   Qlik is not typically a Data Processor for customers of Customer-Managed Deployment or Attunity Products. This is because any content a customer chooses to put into or create in the Qlik Customer-Managed Deployment or Attunity Products stays on the customer's system(s). Qlik does not have access to this content; therefore, the customer, and not Qlik, is the Data Controller and the Data Processor of this content in data protection law terms. Exceptions to this may exist if, when Qlik provides Support or Consulting services to a customer, and if the customer chooses to share content within the Customer-Managed Deployment / Attunity Products which happens to contain personal data. Such sharing is at the discretion of the customer and the personal data content should be anonymized or minimized by the customer as per privacy law data anonymization / minimization best-practice. It is therefore not typically necessary for customers to enter into a data processing agreement with Qlik. For further question on data processing agreements, please contact privacy@qlik.com.

4. Privacy compliance at Qlik

1. Privacy-By-Design and Privacy-By-Default in products

   Qlik has implemented Privacy-By-Design and Privacy-By-Default protocols that take privacy concerns into account as a native component of its R&D/Product development process. One example of this is the way QlikView and QlikSense address access rights to Qlik applications ("apps") created within the platform: unless the creator of the app or someone with administrator rights affirmatively grants access to the app to other users, by default only the creator of the app will have access to it.

2. General privacy compliance information

   Qlik uses the personal data described above to provide, maintain and improve our products, to resolve technical support issues and to comply with legal requirements. For further information relating to security, access, the sharing of any personal data as well as children's privacy, please see the Qlik Website Cookie & Privacy Policy.

5. How can your products help me to comply to the GDPR?

Qlik is aware that compliance with privacy/data protection law, in particular GDPR, is top-of-mind for customers and partners. To that end, there are some useful features in Qlik products that can help you, as the data controller and processor, to comply with EU Data Protection law requirements. Further information is available at https://www.qlik.com/us/trust/gdpr.

6. Resources & Updates

For further information, please contact your usual Qlik contact or CustomerSupport@qlik.com.
Further GDPR information related to Qlik can be found at www.qlik.com/us/gdpr.
For privacy information relating to Qlik’s website and general operations, see https://www.qlik.com/us/legal/cookies-and-privacy-policy

Full list of links used in this document:

https://help.qlik.com/

Qlik Sense Security Overview White Paper: (July 2018)
www.qlik.com/us/resource-library/qlik-sense-security-overview

Qlik Customer-Managed Deployment
www.qlik.com/legal-terms

Qlik Cloud Services

For IT Security related questions (e.g. encryption) you can find information resources on Qlik.com : https://www.qlik.com/us/products/qlik-sense/qlik-sense-cloud

Qlik Cloud’s Terms of Service: www.qlik.com/license-terms

Qlik SaaS Services Agreement: www.qlik.com/license-terms

AWS Privacy Policy: https://aws.amazon.com/privacy/

Further information regarding Log Files:

Legal Information:

Qlik’s Website Terms of Use: https://www.qlik.com/us/legal/terms-of-use

Qlik Licence Terms: https://www.qlik.com/us/legal/license-terms

Qlik Website Cookie & Privacy Policy: https://www.qlik.com/us/legal/cookies-and-privacy-policy

The information in this document is accurate as of November 2019. Qlik reserves the right to make changes from time-to-time to the privacy practices of its products and you are encouraged to check this Policy for future updates. This Policy is for information purposes only and does not form part of customer contractual terms.